Analysis Overview
SHA256
782f860451d89f2905e601d2b9aa2cc18b101be6a16c1fa1d760754e4c2f0b4b
Threat Level: Shows suspicious behavior
The file ✪➳S͜͡eTuP✔!!・2025・!!P͜A@s$w0rD~KEY!#.zip was found to show suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Executes dropped EXE
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-06 10:55
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-06 10:55
Reported
2024-08-06 10:58
Platform
win11-20240802-en
Max time kernel
109s
Max time network
112s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Encounter.pif | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2608 set thread context of 5012 | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 5012 set thread context of 2924 | N/A | C:\Windows\SysWOW64\more.com | C:\Users\Admin\AppData\Local\Temp\Encounter.pif |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Encounter.pif | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Httpta\\JFRSJPMPUYHQWSNW\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D} | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Httpta\\JFRSJPMPUYHQWSNW\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25} | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791} | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Httpta\\JFRSJPMPUYHQWSNW" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1" | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\Setup.exe"
C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe
C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Users\Admin\AppData\Local\Temp\Encounter.pif
C:\Users\Admin\AppData\Local\Temp\Encounter.pif
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | erdefendkzov.shop | udp |
| US | 172.67.190.90:443 | erdefendkzov.shop | tcp |
| RU | 193.143.1.19:443 | assumedtribsosp.shop | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| RU | 193.143.1.19:443 | assumedtribsosp.shop | tcp |
| US | 172.67.211.202:443 | chippyfroggsyhz.shop | tcp |
| RU | 193.143.1.19:443 | assumedtribsosp.shop | tcp |
| DE | 104.102.5.120:443 | steamcommunity.com | tcp |
| US | 172.67.141.209:443 | tenntysjuxmz.shop | tcp |
| US | 8.8.8.8:53 | 209.141.67.172.in-addr.arpa | udp |
Files
memory/2608-0-0x00007FFB48D10000-0x00007FFB48D2C000-memory.dmp
memory/2608-6-0x00007FFB48D29000-0x00007FFB48D2A000-memory.dmp
memory/2608-5-0x00007FFB48D10000-0x00007FFB48D2C000-memory.dmp
memory/2608-7-0x00007FFB48D10000-0x00007FFB48D2C000-memory.dmp
C:\Users\Admin\AppData\Roaming\Httpta\JFRSJPMPUYHQWSNW\StrCmp.exe
| Hash | Value |
| --- | --- |
| MD5 | 916d7425a559aaa77f640710a65f9182 |
| SHA1 | 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13 |
| SHA256 | 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35 |
| SHA512 | d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc |
memory/2608-13-0x00007FFB48D10000-0x00007FFB48D2C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\d106f19a
| Hash | Value |
| --- | --- |
| MD5 | e6632614501deb736e6daad6c59a8546 |
| SHA1 | ffd450c0c6194d3cf2831fd0db37a3779254b2ff |
| SHA256 | ce9ae752abdbb0b27baa3c8b65e3ca332cb4652d96e62da2899c85efc9949183 |
| SHA512 | 0fb6e72fdf433950acc587f44c2e5b0b859fbfc45c4165539b83bd21c368c9392e9c0e94e3d759a7688866fb158b0075826f5adf00a4bbf73a8049dd5276ef2a |
memory/5012-19-0x00007FFB4E3A0000-0x00007FFB4E5A9000-memory.dmp
memory/5012-21-0x00000000757F0000-0x0000000075805000-memory.dmp
memory/5012-24-0x00000000757F0000-0x0000000075805000-memory.dmp
memory/5012-23-0x00000000757FE000-0x0000000075800000-memory.dmp
memory/2924-26-0x0000000075740000-0x0000000075748000-memory.dmp
memory/5012-27-0x00000000757F0000-0x0000000075805000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Encounter.pif
| Hash | Value |
| --- | --- |
| MD5 | d0509de5ba78cdfb67f897b06d9d184d |
| SHA1 | f3ea9fa41831739d38353167754c0bb5a9544001 |
| SHA256 | a5a7183977808efbaa1ca3e55776f09bcae8f30e2aa5b0520c9cd88cd0d4997d |
| SHA512 | 0cdfb02946e8450a057db69f3e4331adc2b1bffee2d6002ea2a1ba8b9964883dd71c6f5becd41c02a4a06fd84e20836348b56af3696ae21587a774ec75d9f2c5 |
memory/2924-30-0x00007FFB4E3A0000-0x00007FFB4E5A9000-memory.dmp
memory/2924-31-0x00000000009F0000-0x0000000000A5E000-memory.dmp
memory/2924-33-0x0000000075741000-0x0000000075748000-memory.dmp
memory/2924-34-0x00000000009F0000-0x0000000000A5E000-memory.dmp
memory/2924-35-0x0000000075740000-0x0000000075748000-memory.dmp
memory/5012-36-0x00000000757FE000-0x0000000075800000-memory.dmp
memory/2924-37-0x00000000009F0000-0x0000000000A5E000-memory.dmp