Malware Analysis Report

2024-10-19 11:19

Sample ID 240806-m1enxaxdmk
Target ✪➳S͜͡eTuP✔!!・2025・!!P͜A@s$w0rD~KEY!#.zip
SHA256 782f860451d89f2905e601d2b9aa2cc18b101be6a16c1fa1d760754e4c2f0b4b
Tags discovery
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 782f860451d89f2905e601d2b9aa2cc18b101be6a16c1fa1d760754e4c2f0b4b

Threat Level: Shows suspicious behavior

The file ✪➳S͜͡eTuP✔!!・2025・!!P͜A@s$w0rD~KEY!#.zip was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Executes dropped EXE

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-08-06 10:55

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-08-06 10:55

Reported 2024-08-06 10:58

Platform win11-20240802-en

Max time kernel 109s

Max time network 112s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Encounter.pif N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2608 set thread context of 5012 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 5012 set thread context of 2924 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Encounter.pif

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\more.com N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\Encounter.pif N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Httpta\\JFRSJPMPUYHQWSNW\\StrCmp.exe" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D} C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Httpta\\JFRSJPMPUYHQWSNW\\StrCmp.exe" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25} C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791} C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Httpta\\JFRSJPMPUYHQWSNW" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1" C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2608 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe
PID 2608 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe
PID 2608 wrote to memory of 1096 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe
PID 2608 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2608 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2608 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 2608 wrote to memory of 5012 N/A C:\Users\Admin\AppData\Local\Temp\Setup.exe C:\Windows\SysWOW64\more.com
PID 5012 wrote to memory of 2924 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Encounter.pif
PID 5012 wrote to memory of 2924 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Encounter.pif
PID 5012 wrote to memory of 2924 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Encounter.pif
PID 5012 wrote to memory of 2924 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Encounter.pif
PID 5012 wrote to memory of 2924 N/A C:\Windows\SysWOW64\more.com C:\Users\Admin\AppData\Local\Temp\Encounter.pif

Processes

C:\Users\Admin\AppData\Local\Temp\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\Setup.exe"

C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe

C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Users\Admin\AppData\Local\Temp\Encounter.pif

C:\Users\Admin\AppData\Local\Temp\Encounter.pif

Network

Country Destination Domain Proto
US 8.8.8.8:53 erdefendkzov.shop udp
US 172.67.190.90:443 erdefendkzov.shop tcp
RU 193.143.1.19:443 assumedtribsosp.shop tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
RU 193.143.1.19:443 assumedtribsosp.shop tcp
US 172.67.211.202:443 chippyfroggsyhz.shop tcp
RU 193.143.1.19:443 assumedtribsosp.shop tcp
DE 104.102.5.120:443 steamcommunity.com tcp
US 172.67.141.209:443 tenntysjuxmz.shop tcp
US 8.8.8.8:53 209.141.67.172.in-addr.arpa udp

Files

memory/2608-0-0x00007FFB48D10000-0x00007FFB48D2C000-memory.dmp

memory/2608-6-0x00007FFB48D29000-0x00007FFB48D2A000-memory.dmp

memory/2608-5-0x00007FFB48D10000-0x00007FFB48D2C000-memory.dmp

memory/2608-7-0x00007FFB48D10000-0x00007FFB48D2C000-memory.dmp

C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe

MD5 916d7425a559aaa77f640710a65f9182
SHA1 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13
SHA256 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35
SHA512 d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc

memory/2608-13-0x00007FFB48D10000-0x00007FFB48D2C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d106f19a

MD5 e6632614501deb736e6daad6c59a8546
SHA1 ffd450c0c6194d3cf2831fd0db37a3779254b2ff
SHA256 ce9ae752abdbb0b27baa3c8b65e3ca332cb4652d96e62da2899c85efc9949183
SHA512 0fb6e72fdf433950acc587f44c2e5b0b859fbfc45c4165539b83bd21c368c9392e9c0e94e3d759a7688866fb158b0075826f5adf00a4bbf73a8049dd5276ef2a

memory/5012-19-0x00007FFB4E3A0000-0x00007FFB4E5A9000-memory.dmp

memory/5012-21-0x00000000757F0000-0x0000000075805000-memory.dmp

memory/5012-24-0x00000000757F0000-0x0000000075805000-memory.dmp

memory/5012-23-0x00000000757FE000-0x0000000075800000-memory.dmp

memory/2924-26-0x0000000075740000-0x0000000075748000-memory.dmp

memory/5012-27-0x00000000757F0000-0x0000000075805000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Encounter.pif

MD5 d0509de5ba78cdfb67f897b06d9d184d
SHA1 f3ea9fa41831739d38353167754c0bb5a9544001
SHA256 a5a7183977808efbaa1ca3e55776f09bcae8f30e2aa5b0520c9cd88cd0d4997d
SHA512 0cdfb02946e8450a057db69f3e4331adc2b1bffee2d6002ea2a1ba8b9964883dd71c6f5becd41c02a4a06fd84e20836348b56af3696ae21587a774ec75d9f2c5

memory/2924-30-0x00007FFB4E3A0000-0x00007FFB4E5A9000-memory.dmp

memory/2924-31-0x00000000009F0000-0x0000000000A5E000-memory.dmp

memory/2924-33-0x0000000075741000-0x0000000075748000-memory.dmp

memory/2924-34-0x00000000009F0000-0x0000000000A5E000-memory.dmp

memory/2924-35-0x0000000075740000-0x0000000075748000-memory.dmp

memory/5012-36-0x00000000757FE000-0x0000000075800000-memory.dmp

memory/2924-37-0x00000000009F0000-0x0000000000A5E000-memory.dmp