Analysis Overview
SHA256: ebb0f6f813ac2adbae62bb646656a190523504505fe1f18acee25593300e38b9
Threat Level: Known bad
The file ♡☞Satup#.rar was found to be: Known bad.
Malicious Activity Summary
Amadey
Lumma Stealer, LummaC
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Browser Information Discovery
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-21 08:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 89s
Max time network: 203s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Qt5Network.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 92s
Max time network: 203s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\vcruntime140.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral14
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 212s
Max time network: 280s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\wabxvfx
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral11
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 92s
Max time network: 204s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\steam_api64.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 146s
Max time network: 278s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Qt5Core.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 210s
Max time network: 277s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\msvcp140.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
Files
Analysis: behavioral8
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 90s
Max time network: 205s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\msvcp140_1.dll,#1
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 92s
Max time network: 205s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\opengl64.exe
"C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\opengl64.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral10
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 91s
Max time network: 205s
Command Line
Signatures
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\qqwggw
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20240802-en
Max time kernel: 197s
Max time network: 263s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\x64\trading_api64.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 106.246.116.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:19
Platform: win11-20241007-en
Max time kernel: 52s
Max time network: 54s
Command Line
Signatures
Lumma Stealer, LummaC
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 5164 set thread context of 5528 | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4664 set thread context of 2480 | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | C:\Windows\SysWOW64\more.com |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F} | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D} | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0 | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\DNUAIYTCNWRBMBPE\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\DNUAIYTCNWRBMBPE\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25} | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\♡☞Satup#.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe
"C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe"
C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe
C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe
"C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe"
C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe
C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | legislatiu.cfd | udp |
| US | 104.21.89.45:443 | legislatiu.cfd | tcp |
| US | 104.21.89.45:443 | legislatiu.cfd | tcp |
| US | 104.21.89.45:443 | legislatiu.cfd | tcp |
| US | 104.21.89.45:443 | legislatiu.cfd | tcp |
| US | 104.21.89.45:443 | legislatiu.cfd | tcp |
| US | 104.21.89.45:443 | legislatiu.cfd | tcp |
| US | 104.21.89.45:443 | legislatiu.cfd | tcp |
| US | 172.67.212.250:443 | cdn4.creative-habitat.shop | tcp |
Files
C:\Users\Admin\Desktop\♡☞Satup#\Qt5Core.dll
| MD5 | 68e600cb754e04557ef716b9ebc93fe4 |
| SHA1 | 8302ab611e787c312b971ce05935ff6e956faede |
| SHA256 | 8f4c72e3c7de1ab5d894ec7813f65c5298ecafc183f31924b44a427433ffca42 |
| SHA512 | 8bbd7d14b59f01eba7c46a6e8592c037cab73bed1eb0762fc278cf7b81082784e88d777a32f71bc2de128c0186321004bfa4ca68d1bcaa5660694c007219e98e |
C:\Users\Admin\Desktop\♡☞Satup#\steam_api64.dll
| MD5 | 6b4ab6e60364c55f18a56a39021b74a6 |
| SHA1 | 39cac2889d8ca497ee0d8434fc9f6966f18fa336 |
| SHA256 | 1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3 |
| SHA512 | c08de8c6e331d13dfe868ab340e41552fc49123a9f782a5a63b95795d5d979e68b5a6ab171153978679c0791dc3e3809c883471a05864041ce60b240ccdd4c21 |
C:\Users\Admin\Desktop\♡☞Satup#\msvcp140.dll
| MD5 | 1ba6d1cf0508775096f9e121a24e5863 |
| SHA1 | df552810d779476610da3c8b956cc921ed6c91ae |
| SHA256 | 74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823 |
| SHA512 | 9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af |
C:\Users\Admin\Desktop\♡☞Satup#\VCRUNTIME140_1.dll
| MD5 | cf0a1c4776ffe23ada5e570fc36e39fe |
| SHA1 | 2050fadecc11550ad9bde0b542bcf87e19d37f1a |
| SHA256 | 6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47 |
| SHA512 | d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168 |
C:\Users\Admin\Desktop\♡☞Satup#\wabxvfx
| MD5 | 4ccb9be6fad56a7da6f2f4e6afa4d238 |
| SHA1 | 825723472886eaa0d0b20a2e8a931c9dfe9505e7 |
| SHA256 | f5e2f2e47d8e63be081054aaf5088030924d91d892f4397295c5de9240967c6d |
| SHA512 | 21e429e346c58d462b41149d8d3f679724646638bdc19e2eae6bb91d02f9a836cc96dc1970c6e3105ba707224a12fb03fdfcfafaa88d24efd6fa2d5afa23509c |
C:\Users\Admin\Desktop\♡☞Satup#\Qt5Network.dll
| MD5 | 375f1024c7b1d57a549ae13ee43f0251 |
| SHA1 | 870f80500d067de505cda1496bb1cb4707f7ca6b |
| SHA256 | 42be1410c01d758949fef6ee9bfc2fa25d0720cf6613c4ef953ad339601c215f |
| SHA512 | 49f6a9d21c38784690aae673708d9eddfec7de383ae659ba7ec1261dd426d4c18e26803ff801fafc5568131b93cf56deade25575b498422bbb02d270313e5da0 |
C:\Users\Admin\Desktop\♡☞Satup#\msvcp140_1.dll
| MD5 | 69d96e09a54fbc5cf92a0e084ab33856 |
| SHA1 | b4629d51b5c4d8d78ccb3370b40a850f735b8949 |
| SHA256 | a3a1199de32bbbc8318ec33e2e1ce556247d012851e4b367fe853a51e74ce4ee |
| SHA512 | 2087827137c473cdbec87789361ed34fad88c9fe80ef86b54e72aea891d91af50b17b7a603f9ae2060b3089ce9966fad6d7fbe22dee980c07ed491a75503f2cf |
C:\Users\Admin\Desktop\♡☞Satup#\vcruntime140.dll
| MD5 | 49c96cecda5c6c660a107d378fdfc3d4 |
| SHA1 | 00149b7a66723e3f0310f139489fe172f818ca8e |
| SHA256 | 69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc |
| SHA512 | e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d |
C:\Users\Admin\Desktop\♡☞Satup#\libssl-1_1-x64.dll
| MD5 | 4ad03043a32e9a1ef64115fc1ace5787 |
| SHA1 | 352e0e3a628c8626cff7eed348221e889f6a25c4 |
| SHA256 | a0e43cbc4a2d8d39f225abd91980001b7b2b5001e8b2b8292537ae39b17b85d1 |
| SHA512 | edfae3660a5f19a9deda0375efba7261d211a74f1d8b6bf1a8440fed4619c4b747aca8301d221fd91230e7af1dab73123707cc6eda90e53eb8b6b80872689ba6 |
C:\Users\Admin\Desktop\♡☞Satup#\libcrypto-1_1-x64.dll
| MD5 | 28dea3e780552eb5c53b3b9b1f556628 |
| SHA1 | 55dccd5b30ce0363e8ebdfeb1cca38d1289748b8 |
| SHA256 | 52415829d85c06df8724a3d3d00c98f12beabf5d6f3cbad919ec8000841a86e8 |
| SHA512 | 19dfe5f71901e43ea34d257f693ae1a36433dbdbcd7c9440d9b0f9eea24de65c4a8fe332f7b88144e1a719a6ba791c2048b4dd3e5b1ed0fdd4c813603ad35112 |
C:\Users\Admin\Desktop\♡☞Satup#\Setup.exe
| MD5 | ad2735f096925010a53450cb4178c89e |
| SHA1 | c6d65163c6315a642664f4eaec0fae9528549bfe |
| SHA256 | 4e775b5fafb4e6d89a4694f8694d2b8b540534bd4a52ff42f70095f1c929160e |
| SHA512 | 1868b22a7c5cba89545b06f010c09c5418b3d86039099d681eee9567c47208fdba3b89c6251cf03c964c58c805280d45ba9c3533125f6bd3e0bc067477e03ab9 |
C:\Users\Admin\Desktop\♡☞Satup#\qqwggw
| MD5 | 6cd79a6896d40ef0bb4169739095ad1b |
| SHA1 | a0c07b0fce662754caf1db5182ea367e4e486131 |
| SHA256 | f3a88572035d1b6e6da481faf2c5b52eaa123e85ac0b010f34a8e6e13a29b6ea |
| SHA512 | 2a81fbff07d4cf5de19aacfe6ba5d2b4f724c9bbc153fcfda9978558073d7c83ad82154b4e0f0f1c0cc6a21b4375058c03762e52d07194b98c8a88d1ec4fdb59 |
memory/5164-53-0x00007FFACC0E0000-0x00007FFACC88E000-memory.dmp
memory/5164-67-0x00007FFACC0F9000-0x00007FFACC0FA000-memory.dmp
memory/5164-66-0x00007FFACC0E0000-0x00007FFACC88E000-memory.dmp
C:\Users\Admin\AppData\Roaming\Ebx\DNUAIYTCNWRBMBPE\StrCmp.exe
| MD5 | 916d7425a559aaa77f640710a65f9182 |
| SHA1 | 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13 |
| SHA256 | 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35 |
| SHA512 | d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc |
memory/5164-71-0x00007FFACC0E0000-0x00007FFACC88E000-memory.dmp
memory/5164-74-0x00007FFACC0E0000-0x00007FFACC88E000-memory.dmp
memory/5164-75-0x00007FFACC0F9000-0x00007FFACC0FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\272fafb1
| MD5 | 48f1eb682629c9954bb6f46dbd85630c |
| SHA1 | c367c08f734043d33f57b391c88f75f48e8544bf |
| SHA256 | 49132644cd6a9ca3ca35cce72a2b0361500c7abbf414b47d26d6e0101feb319e |
| SHA512 | d3bb72c65ea2746bc9ed67658a12acc30a7fa102dce7d647d112f1d990ad4100a086e703aa534fe2ebf9769eca337ca6269e71e204f5a1472da6ac91360bbf4e |
memory/5528-79-0x00007FFACCE00000-0x00007FFACD009000-memory.dmp
memory/4664-90-0x00007FFACC0E0000-0x00007FFACC88E000-memory.dmp
memory/4664-114-0x00007FFACC0E0000-0x00007FFACC88E000-memory.dmp
memory/5528-120-0x0000000077380000-0x0000000077982000-memory.dmp
memory/4664-125-0x00007FFACC0E0000-0x00007FFACC88E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
memory/3132-127-0x00007FFACCE00000-0x00007FFACD009000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bf748a4f
| MD5 | c62f38475921f284a36e3e855b10aaea |
| SHA1 | f1d14fc22d1578cc3f18d10e44163d93240c52e6 |
| SHA256 | 0ba748580ce1ca08d38634c6d5e5900400d4e70ff61362a9f0894816675c3766 |
| SHA512 | e844eea1192e831a341b0832499de7956ad30a06799a439b8fdda28c141db2fe6ab5d32fb307baed3de942f16fd081ad42614d4fecf934fb24a55bb8dd44826a |
memory/3132-132-0x0000000000F00000-0x0000000000F78000-memory.dmp
memory/2480-133-0x00007FFACCE00000-0x00007FFACD009000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 212s
Max time network: 282s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\vcruntime140_1.dll,#1
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted: 2024-10-21 08:17
Reported: 2024-10-21 08:23
Platform: win11-20241007-en
Max time kernel: 299s
Max time network: 279s
Command Line
Signatures
Amadey
Lumma Stealer, LummaC
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2072 set thread context of 2724 | N/A | C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4104 set thread context of 3676 | N/A | C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe | C:\Windows\SysWOW64\more.com |
| PID 4048 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe | C:\Windows\SysWOW64\more.com |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\Acronis Scheduler Service.job | C:\Windows\SysWOW64\more.com | N/A |
| File created | C:\Windows\Tasks\Window Manager.job | C:\Windows\SysWOW64\more.com | N/A |
Browser Information Discovery
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\more.com | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\explorer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Programmable | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\VSBXXPUYIRU\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\VSBXXPUYIRU" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\ = "BtDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\HELPDIR | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25} | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\LocalServer32 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward\ = "{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D} | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\Forward\ = "{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\Forward | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\Implemented Categories\{40FC6ED5-2438-11CF-A3DB-080036F12502} | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6} | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791} | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\FLAGS\ = "0" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "__cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F477A542-C370-42A1-A166-F9CDAF2AF8C6}\2.1\0\win32\ = "C:\\Users\\Admin\\AppData\\Roaming\\Ebx\\VSBXXPUYIRU\\StrCmp.exe" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\BtDaemon.cBluetoothDaemon\Clsid\ = "{4F7FA487-8CC1-493E-AF0A-E7A294474F25}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\Version = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\VERSION\ = "2.1" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{10E6A3D4-CABA-4E61-BD8B-83BA76283791}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ProxyStubClsid | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC} | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\TypeLib\ = "{F477A542-C370-42A1-A166-F9CDAF2AF8C6}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "_cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\ProgID\ = "BtDaemon.cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F5965C4C-9CC3-4EA3-8079-0B9AA9389A1F}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F7FA487-8CC1-493E-AF0A-E7A294474F25}\TypeLib | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{8A84C003-E3A6-4E71-8E33-5B929D40B81D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ = "cBluetoothDaemon" | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{65B9560F-CEC2-4DFC-A04D-BEA488DA4DCC}\ProxyStubClsid32 | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\Setup.exe"
C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe
C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe
"C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe"
C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe
"C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | legislatiu.cfd | udp |
| US | 172.67.156.114:443 | legislatiu.cfd | tcp |
| US | 172.67.156.114:443 | legislatiu.cfd | tcp |
| US | 8.8.8.8:53 | 114.156.67.172.in-addr.arpa | udp |
| US | 172.67.156.114:443 | legislatiu.cfd | tcp |
| US | 172.67.156.114:443 | legislatiu.cfd | tcp |
| US | 172.67.156.114:443 | legislatiu.cfd | tcp |
| US | 172.67.156.114:443 | legislatiu.cfd | tcp |
| US | 172.67.212.250:443 | cdn4.creative-habitat.shop | tcp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| DE | 185.106.92.10:1466 | N/A | tcp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sportszone-financefocus3.com | udp |
| US | 8.8.8.8:53 | sportszone-financefocus.com | udp |
| US | 104.21.31.162:80 | sportszone-financefocus.com | tcp |
| DE | 185.106.92.10:1466 | N/A | tcp |
| DE | 185.106.92.10:1466 | N/A | tcp |
Files
C:\Users\Admin\AppData\Roaming\Ebx\VSBXXPUYIRU\StrCmp.exe
| MD5 | 916d7425a559aaa77f640710a65f9182 |
| SHA1 | 23d25052aef9ba71ddeef7cfa86ee43d5ba1ea13 |
| SHA256 | 118de01fb498e81eab4ade980a621af43b52265a9fcbae5dedc492cdf8889f35 |
| SHA512 | d0c260a0347441b4e263da52feb43412df217c207eba594d59c10ee36e47e1a098b82ce633851c16096b22f4a4a6f8282bdd23d149e337439fe63a77ec7343bc |
C:\Users\Admin\AppData\Local\Temp\1bd3933a
| MD5 | 68cf885c86d64d0fb592b91ab5486718 |
| SHA1 | 66215ee186427dce5b468ad87f81afba210bffde |
| SHA256 | d1554cea4d5d2a1bbc9a87f36e6700ee0335c0710fd42da30257e65d35bc6d44 |
| SHA512 | 7934582b26972bd02e9658d7a4845eb9c6285133fa8f76e93e74a5664d5114990bd5ea53fadb78a485a1dbf4ec1405492a3aba83b9c7054105eef6783371ebdc |
C:\Users\Admin\AppData\Local\Temp\AutoIt3.exe
| MD5 | 3f58a517f1f4796225137e7659ad2adb |
| SHA1 | e264ba0e9987b0ad0812e5dd4dd3075531cfe269 |
| SHA256 | 1da298cab4d537b0b7b5dabf09bff6a212b9e45731e0cc772f99026005fb9e48 |
| SHA512 | acf740aafce390d06c6a76c84e7ae7c0f721731973aadbe3e57f2eb63241a01303cc6bf11a3f9a88f8be0237998b5772bdaf569137d63ba3d0f877e7d27fc634 |
C:\Users\Admin\AppData\Local\Temp\3BCDWZ09PWCVSL2WTGLG4ASPLE38WDI.exe
| MD5 | c13aa2a232a5023b77dfaa4772409b0f |
| SHA1 | f00b458bf0899de09f688c04c21fbff8a5fc147c |
| SHA256 | 190ecfadbb3b3bb9400f9f27f2db55c0978cb51ef9569f1cd6636e5523acb4ae |
| SHA512 | 67605e2b6ff63a33d1133e1972a93dcae1303f1afaf704c14d73ec9a5b58525cb860ce55de9f3995cfbd58be7fcbb7adf7eca45678c11f80768666e88a2368a7 |
C:\Users\Admin\AppData\Local\Temp\153280d0
| MD5 | f1490558dbea9dc33d06d9e1398e9972 |
| SHA1 | abf0043310f4d0ff5d01f9b7006d386fb3600ab5 |
| SHA256 | ab955a896dd88530e200c6af4978c8e259e6b47abe43ae3cd8b725a816cd55ee |
| SHA512 | 0f40e13b901961881bf3f2aad4ab1048b779074277dc6714d5985fd5a817f2be6bb63aa4ad6e88148ea98c62c2dd25215a9e4712d7f61e095c621448d4068fae |
C:\Users\Admin\AppData\Local\Temp\GGCE7NQWOCYIWLMS1RVVUC4Z0TNB.exe
| MD5 | de559fd217e239c23c2c6da8a73ba3de |
| SHA1 | e499ff1ae6da50e17723bcd0d90b2f8fc663a709 |
| SHA256 | 102dc63d733c2b78c2a4a72c6709675bd62121cfd38460be6805bca60b5eaa69 |
| SHA512 | 1824012ca5e17765256a4834ac229a04eda74f1d954ecbc89ae4d1fe2ab79d2d3d7d0328030734a5f703c51b14e51e710d4804300f42c5dfb8caf02d4b99def7 |
C:\Users\Admin\AppData\Local\Temp\22cb35a8
| MD5 | 23bb6aa658769a7acfd8b299cf9a4267 |
| SHA1 | 0003390b4c0e16d2585716eb556dca51337e74b9 |
| SHA256 | afd46becb1249c696a4ef7657389fc19c2e32e2972daef8dd4a57313178a790c |
| SHA512 | cbdd8f6269a07c5516935566493cb9ab816a30f1ad95632911c98d7dad638af74f73ca70d2648c541a7907d6a6ec519c3453a543bd3263b47779a273bb1a50f8 |
C:\Users\Admin\AppData\Local\Temp\22150bc5
| MD5 | 0a16f7b2376eb7f30db869d416d170a0 |
| SHA1 | 9086aa5d7e6d5a90f86c10c2c2f99706838efc13 |
| SHA256 | bfec0f9a55ee2532c8c94c54a4f544be68d02be3c13a08eec279404f4352877c |
| SHA512 | ce7d52365b262cca62b2c8f635dfbb923459c997e7226c0d4726cc8dde7a32cd8f2100625ebf0f4d91b5f96a7b9a7d9ffd9aa0e98b0514f81c3cfd1af1cd4f57 |
C:\Users\Admin\AppData\Local\Temp\295dc575
| MD5 | d9cdee993821347477038d87c0d0e976 |
| SHA1 | 420bde3ec149bc06fb2b8ed07a24cca7cd0629a2 |
| SHA256 | eecaaa565cc0495e223b31caafd211e08d68997c025d71f9bde98bf4a88bdc08 |
| SHA512 | 30a9abe407fde348ea9bf3ef59f24dd845072dcb718867a60b8bb65bd04ded9138448d7e9f807a19aa3eeed222bbbe42c043befb729507dce06dde53b43b8876 |
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-21 08:17
Reported
2024-10-21 08:23
Platform
win11-20241007-en
Max time kernel
90s
Max time network
203s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\libcrypto-1_1-x64.dll,#1
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-21 08:17
Reported
2024-10-21 08:23
Platform
win11-20240802-en
Max time kernel
223s
Max time network
289s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\libssl-1_1-x64.dll,#1
Network
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-21 08:17
Reported
2024-10-21 08:23
Platform
win11-20241007-en
Max time kernel
90s
Max time network
205s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\♡☞Satup#\x64\tradingnetworkingsockets.dll,#1