Analysis

- max time kernel: 52s
- max time network: 54s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 21/10/2024, 08:17
Static task: static1

Behavioral tasks (sample, resource):

- behavioral1: ♡☞Satup#.rar (win11-20241007-en)
- behavioral2: ♡☞Satup#/Qt5Core.dll (win11-20241007-en)
- behavioral3: ♡☞Satup#/Qt5Network.dll (win11-20241007-en)
- behavioral4: ♡☞Satup#/Setup.exe (win11-20241007-en)
- behavioral5: ♡☞Satup#/libcrypto-1_1-x64.dll (win11-20241007-en)
- behavioral6: ♡☞Satup#/libssl-1_1-x64.dll (win11-20240802-en)
- behavioral7: ♡☞Satup#/msvcp140.dll (win11-20241007-en)
- behavioral8: ♡☞Satup#/msvcp140_1.dll (win11-20241007-en)
- behavioral9: ♡☞Satup#/opengl64.exe (win11-20241007-en)
- behavioral10: ♡☞Satup#/qqwggw (win11-20241007-en)
- behavioral11: ♡☞Satup#/steam_api64.dll (win11-20241007-en)
- behavioral12: ♡☞Satup#/vcruntime140.dll (win11-20241007-en)
- behavioral13: ♡☞Satup#/vcruntime140_1.dll (win11-20241007-en)
- behavioral14: ♡☞Satup#/wabxvfx (win11-20241007-en)
- behavioral15: ♡☞Satup#/x64/trading_api64.dll (win11-20240802-en)
- behavioral16: ♡☞Satup#/x64/tradingnetworkingsockets.dll (win11-20241007-en)
General

- Target: ♡☞Satup#.rar
- Size: 13.9MB
- MD5: 5689633947ce68a9441cfa84d6eb5532
- SHA1: 0c709b7cf753a35d34ab78271d681488ab977ce4
- SHA256: ebb0f6f813ac2adbae62bb646656a190523504505fe1f18acee25593300e38b9
- SHA512: 2d439c6be3c96d0a64ec77e20601736620bf17aa00b58cc0d885274cc716f6650fba1fe958a298cfc34d93d20f8ff0408aa227a46949d51c284ac6eda1765832
- SSDEEP: 393216:zyN6rForKUzpotvj2rTbcXHt+a0OhE2sp0xvxUBqlTU83:emqzOb2rTkt+D2sOUBs4E
Malware Config

Extracted family: lumma (C2 URL list follows)
Signatures

Executes dropped EXE (4 IoCs)

| pid | Process |
|---|---|
| 5164 | Setup.exe |
| 4000 | StrCmp.exe |
| 4664 | Setup.exe |
| 2020 | StrCmp.exe |

Loads dropped DLL (20 IoCs; identical rows collapsed into a count)

| pid | Process | events |
|---|---|---|
| 5164 | Setup.exe | 10 |
| 4664 | Setup.exe | 9 |
| 3132 | AutoIt3.exe | 1 |

Reads user/profile data of web browsers (3 TTPs)

Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTPs)

Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of SetThreadContext (2 IoCs)

| description | pid | Process | procid_target |
|---|---|---|---|
| PID 5164 set thread context of 5528 | 5164 | Setup.exe | 83 |
| PID 4664 set thread context of 2480 | 4664 | Setup.exe | 88 |

System Location Discovery: System Language Discovery (1 TTPs, 5 IoCs)

Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | StrCmp.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | more.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | StrCmp.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | more.com |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AutoIt3.exe |

Modifies registry class (64 IoCs)
Suspicious behavior: EnumeratesProcesses (12 IoCs; identical rows collapsed into a count)

| pid | Process | events |
|---|---|---|
| 5164 | Setup.exe | 2 |
| 5528 | more.com | 2 |
| 4664 | Setup.exe | 2 |
| 3132 | AutoIt3.exe | 4 |
| 2480 | more.com | 2 |

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

| pid | Process |
|---|---|
| 5728 | 7zFM.exe |

Suspicious behavior: MapViewOfSection (3 IoCs)

| pid | Process |
|---|---|
| 5164 | Setup.exe |
| 5528 | more.com |
| 4664 | Setup.exe |

Suspicious use of AdjustPrivilegeToken (3 IoCs)

| description | pid | Process |
|---|---|---|
| Token: SeRestorePrivilege | 5728 | 7zFM.exe |
| Token: 35 | 5728 | 7zFM.exe |
| Token: SeSecurityPrivilege | 5728 | 7zFM.exe |

Suspicious use of FindShellTrayWindow (2 IoCs)

| pid | Process | events |
|---|---|---|
| 5728 | 7zFM.exe | 2 |

Suspicious use of SetWindowsHookEx (2 IoCs)

| pid | Process |
|---|---|
| 4000 | StrCmp.exe |
| 2020 | StrCmp.exe |

Suspicious use of WriteProcessMemory (19 IoCs; identical rows collapsed into a count)

| description | pid | Process | procid_target | events |
|---|---|---|---|---|
| PID 5164 wrote to memory of 4000 | 5164 | Setup.exe | 82 | 3 |
| PID 5164 wrote to memory of 5528 | 5164 | Setup.exe | 83 | 4 |
| PID 4664 wrote to memory of 2020 | 4664 | Setup.exe | 86 | 3 |
| PID 5528 wrote to memory of 3132 | 5528 | more.com | 87 | 5 |
| PID 4664 wrote to memory of 2480 | 4664 | Setup.exe | 88 | 4 |
Processes

- C:\Program Files\7-Zip\7zFM.exe (PID 5728)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\♡☞Satup#.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\System32\rundll32.exe (PID 984)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe (PID 5164)
  Command line: "C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe (PID 4000)
    Command line: C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\more.com (PID 5528)
    Command line: C:\Windows\SysWOW64\more.com
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe (PID 3132)
      Command line: C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

- C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe (PID 4664)
  Command line: "C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe (PID 2020)
    Command line: C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
  - C:\Windows\SysWOW64\more.com (PID 2480)
    Command line: C:\Windows\SysWOW64\more.com
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
Downloads