Malware Analysis Report

2024-11-13 16:14

Sample ID 240413-v91azafb94
Target kayflock-beta.rar
SHA256 9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504
Tags
persistence agilenet agenttesla
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9ecbf28720a944bdd3f3c20cdb3f4da7f40da903b651be520348e01a8efa2504

Threat Level: Known bad

The file kayflock-beta.rar was found to be: Known bad.

Malicious Activity Summary

persistence agilenet agenttesla

AgentTesla payload

Agenttesla family

Sets service image path in registry

Obfuscated with Agile.Net obfuscator

Checks computer location settings

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Suspicious behavior: LoadsDriver

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-13 17:42

Signatures

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Agenttesla family

agenttesla

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\splwow64.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
BE 88.221.83.211:443 www.bing.com tcp
US 8.8.8.8:53 211.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 4164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 228 wrote to memory of 4164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 228 wrote to memory of 4164 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\twain_32.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win7-20240221-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win7-20240221-en

Max time kernel

120s

Max time network

141s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000b9c9e27feba88e35e2bc080a99d621f34b078b236b86fdea88b0591f58945e6b000000000e8000000002000020000000f24cf17a75c39d57eaf169a99da695cee01bd831f318256989bffbda0b4adc7d2000000020975cdbfe5cd3942a18f91505d87734ec804f814d7a7bb381f7fd0d5684ef17400000004a91c62c94d964a066220a9e512cf74227fe710594a748ef800805c27feb969d68e5e380ec4bd3a0e02951ff2c7fbc81457a5930ea0ed88c868538fcb50c77f8 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30ac7321ca8dda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000112dd71d930ff24b8b2b71a2c228122b00000000020000000000106600000001000020000000604e073ef00ca64e49ae261923361c02f65584a5f29f1a324b02270db75bf893000000000e80000000020000200000003ee79b1fb6fac75ebe4336d25baf7ef8746efd2eb5876fcdf4230068c59fb17f90000000eef467ea912371444ac6bd660abd246db14081ee1f27377a93f509d0feb4927b75b5753f3b521a8cd28afb90f45a99608cdef7a7164439f90e4878e85aec6df63c374b055fd3a0e915d456f5f604d1f413a5d33b002814cbf29af8d34c5157f0842d2cb5b671d0584e9b7411a3739a27ca4e01ee7bdd9160bb5d17f4e961fbdc739e595d738fdec9a8938730eb1646d540000000cbaea227fb0e8d30ad5dff006b23a21553c70b269f5af96d8731bc3b4464f1431d389974f1da47073f2f2c6bfcbb78107fb9a7c4ccd9314ed2bde8d8f60a5619 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{45EB0771-F9BD-11EE-A6D5-5A791E92BC44} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419192050" C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=x64&rid=win7-x64&apphost_version=6.0.28&gui=true

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2204 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 aka.ms udp
GB 2.16.234.57:443 aka.ms tcp
GB 2.16.234.57:443 aka.ms tcp
GB 2.16.234.57:443 aka.ms tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\CabDF1B.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\TarE163.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7285fc48ae15a4f7e0f1a61a0285aa4a
SHA1 501af22fa78460cb4912d02c40fbabb3816efc0a
SHA256 6215742e6a6e41567a80e45cb414086f73266c2c8d3906d8661004368e442ce5
SHA512 63a81d1cac281fe48919cf8cc2ac900702351718cd2471702bb1bb73c2729db9a3bf95af21975ba59471b78fb56142c6c54e651ac353cb830ebdca5e73e96d2c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b43b74ffdb9a22838de86e77152ac7e4
SHA1 41f1d6e976e0417b2cfe05815c1687e6358fd44f
SHA256 ac27c557360a5ed18ad3207af1c0d4048b12ac9707873b7fc761f10de63d06c5
SHA512 b3aca66cab2ced9cd730531bbe7fb882bdf8ebea3ac68d0bd6f50d962dd9848b5b5fec46e5be44a53bb62cb72b5224b9b095a034f619f47668c0bd1a277c3a15

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 14a09b6cc39621752a6c68f03825c04f
SHA1 3f63675f9db54ed2b834edaaddd9de25d11438f0
SHA256 9a119356bbe1e1cc8cdf5332c185dedb540d0b0b8a5d2f6fbdc74a14a86e4600
SHA512 8981e0b295814c99dfdafcce7c3ab781d554ea551a5f5fc0db5c2b1cf88e13cfa5ef9a7e997d8d8d0918171e130086b3e8b7b88c98438be49988017c44f587d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77eb2c8fb76c19624f949237ff4eabd0
SHA1 54ee1729bc9251fd0919d2e5b521fe2d4dc96a56
SHA256 ff685c601a4de34b8f9006be7d392335cc8307b8a3adb99a249198d26b08bdc4
SHA512 5ef91b537e1eba860122f7f52945e4561b8928609c7b683d25d34b57fff90e15459d1595479ef7d5d7b6d8edc192ad1b2be29778e445f87dc56a84d3ec2cf275

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77534cff368d63ef1592204a5cb739a8
SHA1 878aeb0e0f0301a38a7f8662c3670a07cd57455b
SHA256 32b57a971875b25e9757c8641c5e71b2519e5dda4d2ae2fa36972ad52b4a9937
SHA512 4d8851237d6ae0c2e110f0d44cf85b64dfe23666b13fdb02cbea378891bbc9fa6069ef03f39ec6fb7e2bb1fb35679c5e1d345a4ce1555b7e15957132c20083b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b2f798e95fbcc52c9176f3d98e79a0aa
SHA1 1533e279993303f8de9d6ebc39ed3fa3104373a9
SHA256 96c56289d7a012d683b2a0e53c500c897828691309015692722f55d45bcd7d7a
SHA512 c9396ea16d8ec997c58dd33a5d3eca927ea3061313ca1f3242a9f310ee95577876f3fc4ec33440c85608c420516572d476929fffc09f3702c223a40d9c109932

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 521ee67904128e7a242b84f4605c4927
SHA1 d7657c6e37bdc15a4f40899e84f4ff2e9fd6d373
SHA256 e2b22e092ab10d1c33c83cdf12111d81063a79954c684426f8b92b924c993cde
SHA512 aad34c7c6163381760e4a85d1818636ee57b6bf925439ec510032ab55a39736a86ecc542f89b38fd2594deb6d567e431c77728f72950e1329c1b70c2bf1ea3a6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e3d57c28c5002d5b598cefd448156dc9
SHA1 51d8ca74c4f78e589129314cef75bc230a8c2916
SHA256 a9e015781d496c5979f7819a139ec491b2cca928a56ffbf0a91778f72e732a6b
SHA512 5489a6a459d5948528ef53c1260ad3edfad1452335194fc317b2eeea257f081548be786928007a61e88b9beb3b95e00acd7b9b331b335455b57882ae62cc76b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 685b922882b367781be76a326dac7054
SHA1 39f4a099d5f5c60ed2271eb5aa95581e22b8cc66
SHA256 1e266bce2939dee6f48fec9ac408bd53a95a00637be0563e4606e7464fcc4ef1
SHA512 ec50f0dde222cab88473fde8297a737a2296083f1f1ca3de3e53827b24bbc0f71648f538aa356301a492a6f367c9a00d1d06186f3a02fec788c4eb508a9e0f77

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acefd083412e0ba1deaf8f6617129f73
SHA1 e205baf7ab77b651cde8c7d620c4143815dfb1b2
SHA256 dcd6169e57f97b2a7f60a1c1b6331ab24994ed66a5e6ba78a7ff2d8d2293758e
SHA512 1cae72c5bdd775da262628d1d7de18e0a70dac7986b389a90f613257de40cd65b1194f05896f448b688f5475013507b2e1d810fb9b5054d43505d6b414913ec3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5a1d640b1b7c581c95e4ab7501c851b9
SHA1 5ca4f22ca9806ba4b06b30bb8a985bd772c91c97
SHA256 da95abf630eb130fdd1aee19c29946b09499a123113cbf0c7d34968431dbe70b
SHA512 ae353fa3fd1a21370125781580a9386010b069a242960d02a90a78338647f5e17f0db8547e563edd8f26ab6b39acb2a94014c9312ff9fe4410d3a8cc934b52f6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 704e423d92c7308cb5b11376b2c1d10e
SHA1 cc09a5afb64a686f56abf4e9c68aadca363361e8
SHA256 0eb104bd3a2366c985b0b61aec0016df0d578bded30416c74c44bad9d26ffdb3
SHA512 14a19778ec5e1be50433ac84bb54dd86cc1ce3f352b93f63f178d877f37f9bd24eb9912e0d8d1ae9a9e2b5bd959beb7bef1c7671ad0bd69e336c24a0b5d903e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 583b4f29f8c78d7c65ec3eab7b3e13bb
SHA1 2a60e72b8d410a4116686a0ec4c01a63a43b9bf6
SHA256 3c2f35aec305e6fb7d8f9491e5a8b6d5d834d65042447c51070c1b3190290a5e
SHA512 5963389c8cbd5d76db5b0122d6514bcfb7f1ac7483318720f0cfe8b9bc7b063cfab5d99b3e0ca8e64d91d6b1529484ac0a07106eff9540e75667e7a41b250c5a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15939efb7307f95f423091cfafc1285a
SHA1 346c76cd70233a1bfa88fbf70fbe884f06808262
SHA256 82990ea4cdd470db7d8323a92dbea43c693e3f2178e8277114cec453a9db2994
SHA512 850fe89bf455627961ad34275818960e5501aa072f4a3419f84cea3b4596e2cc58352948ccb1dca4f05859a3106e817fde5ef614f8faaf60d3f93f48b055f01a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 733209b81571d102e78ed4a4793ee26f
SHA1 c99a4af7a14cbbe56bbe50779f4bda300f4a70ca
SHA256 1de633113d924c9e373ad6398af6c0950e5ca2ca9b2814ef6a57cb9e3b024183
SHA512 86f0452a66cbf4db4c87257e2b182fb5082562952720e4560bb9ef0f94b94c05e2715c7429f9219e0b560683a20f1db1c6ac8b21d807a36b4aada11b0e4c2f20

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 18b7ed90594076613d6caef0db7e34a3
SHA1 edabd168a401ecee5d589bdba0246ecc56a00313
SHA256 85af84b648f9e5c0ae4754852513de01e347bb004027fa4a84f2800322218454
SHA512 32811882076548185b4e5cc44f14128727b2c36368cb5bd3dd31ebc90e4a4261039e33141af955cd6a2e9d47b7b5a05be1df2000d4ad2df87653aeb2a7a79b22

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 008ae01a0151cd256c6dc2315d4c3baa
SHA1 5b7603cca635adf8254c6575a7638d624a3439bc
SHA256 77167ebae8f406ce31eaf45e30f57f866cd84798dee1af81809b2a49b28dfd84
SHA512 aadb70e771cde1c3c5c12be5a483da64219b987d39ff0caba74edb1dd15ba92f55ace302442bfbfd2a72b62e6c4d61e4ee5f5bb89ee2afb7d854affd52de9b4e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20ef39d2266a4febc77ae102e22929a9
SHA1 72e24be0da9a62c8732709c52c8b53edcdf0e1be
SHA256 f10fe832fbb3b1eaa07ffd0eeeea27c3ceba8c12e6b3b0f94e61f65dab502be3
SHA512 3b76fda46f70c626d0de90dc3e625f6438e3b39596dd94cb5371a81b5778fc6dc170cea9b0af5302987bae12a4fc596d049fcf71e6a1dafd8eca45aab875902a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8de593bac367080bebf2777aefc6d0a8
SHA1 b470b93965f0777e9e7b8d6e93edf9b65676e22a
SHA256 5be9410bd20ef49d244af2de4ff58ceae1a0e1cc4515c446f169f447d47e354c
SHA512 aa18c8b78dd7a235b49b938f09bd8f4128dd41dc22086763623b57e5858a85909ef551cfb26a825c83f62a2099335f8dc9711f0de8b5cb448e0233ba4c9110f7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab3a85ddfd7c9ff602b4544571656695
SHA1 e777fa648b272e13adb3a3b3544843b40ba86fea
SHA256 cccf19f2bfb1b25b5bade5d524e58cbcfa2a6d5dc56eb0c68251ca44638e77ff
SHA512 576e3eda9b182502de46c5ab76247f70bbe4f5ee1e9a25cbdb8f7fe0b8af8684131616e28bceabfca395e66ca2205b651976a5d1efa4eb2c762257fdfa1a3c62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3261a16e1dfe43ac6bb4656bf5315e56
SHA1 fdf009478237b6a538fb21f3f402f5d569cfb169
SHA256 0671557ade32493fdd63840e0da75f96115d0095431cb4631552c0fb8eae40f7
SHA512 e5ad5a32e0ad5174fe50455b371d0ec2b149cdfbf184a66016785cfe9c3b26924a34a84c0b9d3da80f80f56005057fccc9eba1fddcc5f3f43abe3ceef1af835a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8db15366aca761143d25383c67ae4f06
SHA1 64cefba62f75a51baaaa74876c646220180ffc7d
SHA256 34e5912200b9d3c0bfd65b19c77de88cdc8ee7c4983fc32f1d4f706f498c2c80
SHA512 808d4a33b1b3376a9200b0c19cc53b7d4aeb4ec247300eec4d3eab72daa1f6d628afe301b8a5ffd0f4ecb654148e74a9a110f342f095d6689a453ed0c6509bd9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97a1f2ac2aedf7feddc9179bfcbabed6
SHA1 734181ba49a969e10f1a23a79a1d7759dae4493c
SHA256 4ed6ce5dc0112e1a55d354b4041fe69286436148e7cb5899df20a834b0758910
SHA512 e31061c4342e84e81d16ae5f0d644a43bb2e7fa96a0bcfc94ec36903bb3cae13ce1849ec593c6e9aa5e3152c4c777ea8bbde475346365a1d2438d4d381137837

Analysis: behavioral8

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\kayflock.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1316 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 i.pinimg.com udp
GB 199.232.56.84:443 i.pinimg.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 84.56.232.199.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

memory/4296-0-0x00007FFE6E460000-0x00007FFE6E95E000-memory.dmp

memory/4296-1-0x00007FFE6E460000-0x00007FFE6E95E000-memory.dmp

Analysis: behavioral11

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\HelpPane.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 16.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
N/A 127.0.0.1:60451 tcp
N/A 127.0.0.1:60453 tcp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 5.1.26.104.in-addr.arpa udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 11.97.55.23.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

116s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\hh.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\write.exe"

C:\Program Files\Windows NT\Accessories\wordpad.exe

"C:\Program Files\Windows NT\Accessories\wordpad.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win7-20240221-en

Max time kernel

117s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\runtimes\win\lib\net6.0\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\runtimes\win\lib\net6.0\System.Management.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win7-20240221-en

Max time kernel

119s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\Guna.UI2.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

94s

Max time network

100s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe"

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

84s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\notepad.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 159.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 81.171.91.138.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 24.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe"

Signatures

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\helppane.exe N/A
N/A N/A C:\Windows\helppane.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4616 wrote to memory of 1176 N/A C:\Windows\helppane.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4616 wrote to memory of 1176 N/A C:\Windows\helppane.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 4092 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 3644 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 4508 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1176 wrote to memory of 1836 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\winhlp32.exe"

C:\Windows\helppane.exe

C:\Windows\helppane.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/?LinkId=528881

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf7ca46f8,0x7ffcf7ca4708,0x7ffcf7ca4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5976 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12944880455301972509,8004412700661455146,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2792 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 support.microsoft.com udp
BE 2.21.16.124:443 support.microsoft.com tcp
BE 2.21.16.124:443 support.microsoft.com tcp
US 8.8.8.8:53 124.16.21.2.in-addr.arpa udp
US 8.8.8.8:53 c.s-microsoft.com udp
US 8.8.8.8:53 browser.events.data.microsoft.com udp
US 8.8.8.8:53 js.monitor.azure.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 104.208.16.90:443 browser.events.data.microsoft.com tcp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 mem.gfx.ms udp
US 23.53.113.225:443 c.s-microsoft.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
US 13.107.246.64:443 mem.gfx.ms tcp
NL 40.126.32.72:443 login.microsoftonline.com tcp
US 13.107.246.64:443 mem.gfx.ms tcp
US 8.8.8.8:53 wcpstatic.microsoft.com udp
BE 2.21.17.194:443 www.microsoft.com tcp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 8.8.8.8:53 225.113.53.23.in-addr.arpa udp
US 8.8.8.8:53 194.17.21.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 90.16.208.104.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 13.107.246.64:443 wcpstatic.microsoft.com tcp
US 8.8.8.8:53 aadcdn.msftauth.net udp
US 8.8.8.8:53 aadcdn.msauth.net udp
US 152.199.23.37:443 aadcdn.msftauth.net tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 37.23.199.152.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 104.208.16.90:443 browser.events.data.microsoft.com tcp
US 104.208.16.90:443 browser.events.data.microsoft.com tcp
US 8.8.8.8:53 logincdn.msftauth.net udp
US 8.8.8.8:53 acctcdn.msftauth.net udp
US 8.8.8.8:53 acctcdn.msauth.net udp
US 192.229.221.185:443 logincdn.msftauth.net tcp
US 152.199.21.175:443 acctcdn.msftauth.net tcp
US 8.8.8.8:53 acctcdnmsftuswe2.azureedge.net udp
US 8.8.8.8:53 support.content.office.net udp
NL 23.38.21.64:443 support.content.office.net tcp
US 8.8.8.8:53 185.221.229.192.in-addr.arpa udp
NL 23.38.21.64:443 support.content.office.net tcp
US 13.107.246.64:443 acctcdnmsftuswe2.azureedge.net tcp
US 8.8.8.8:53 acctcdnvzeuno.azureedge.net udp
US 8.8.8.8:53 lgincdnmsftuswe2.azureedge.net udp
US 8.8.8.8:53 lgincdnvzeuno.azureedge.net udp
US 8.8.8.8:53 64.21.38.23.in-addr.arpa udp
US 8.8.8.8:53 175.21.199.152.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 7e0880992c640aca08737893588a0010
SHA1 6ceec5cb125a52751de8aeda4bab7112f68ae0fe
SHA256 8649a39877c190ec740a5422284ec5f9ff509b30b2d7896635476873dd8824e2
SHA512 52bd0a38ca7f43b26731966035045b1cbd8b60b2d81bdf9aad791cf444da8af8b722ebf3cb364a6e660bebdf23084eb0e30bc23562575b704801669817549f8a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5e2f0fe48e7ee1aad1c24db5c01c354a
SHA1 5bfeb862e107dd290d87385dc9369bd7a1006b36
SHA256 f13b3ebe8d71bd0086d5bb82364c35f59a95d32b39753af251e8639360e291a9
SHA512 140d026437fd5e8a874cd00b03950c8f010e1a0732a0a1cc5bdde477e7f8315ccb95790bb4c15b8dbaab9468ad532eb885b6c429300a64e39412d976d079324e

\??\pipe\LOCAL\crashpad_1176_MTKIYVBCXZZKKMRI

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 aedc34674d5175be51dd94bd97f5d1bd
SHA1 b4422deadd2752ff0ffbbe2f738330c5c899eab5
SHA256 3ad4ac21f84d44e097c005ce255bc3fcdab3b753dafa3f6f5f9048bd2cb5a839
SHA512 ca9456d8b4c9bf19e211eee03c641045aca1aa4919c9a730b2a05423bd90a5e1ada7e0b22c2bcb3f6aae22bdc4108bf0172ec82fb836197ab9121e39026f204b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 e0db185c25d057f216ecb2b7f678108b
SHA1 80f2ff0c75419e138db0be3728444f1f73d4bbc6
SHA256 f36d38e3fc2fd4770dee720fa8875b076b5ae6ad3ec476a0e0da938fe2192024
SHA512 a20414b5742bdc7dbe4b8241276906d68913d7fb86802a0fed1262dc37bd8d13ce846c5bf1d99420b2130f799e5f5886e2a1522fead436b50578a5dc7606cf07

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 19e84a639e733d51cb0e3eaca16207e7
SHA1 149ae87be5b487bda57f2d4c166c9c5de59d6833
SHA256 29c30d52b3df568c43dd8216b1bd642183cf9f6b06066fb329d6f6098cc15412
SHA512 fa5e7938720d4e238937527656b653f26fa40dc91bdccbefa3509b8b3270e64a503049b02aa2bd7f4744493a4a34b6f2a3bd36c997f59d413c5bd1d55e020cb6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ac6c.TMP

MD5 e763852bcb8ec3d564bbcf536398eed8
SHA1 30b2a426456f785c147f7984095865737fbb230d
SHA256 a5132412bee3567aef267dbf3641468dd19aa02a2aac2697bebc955a6be0a4b9
SHA512 db523c272f011299ea37c0e876c56c793dbcc382564b6245aff2b162a2a03deee7192722ad0a52e66dbd2a4db531a26fd31439d7462cb15eaebffe13384f71ba

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 9be1cf0b6d25b24e44c19ed271b08707
SHA1 c8a7a6337ba6c6dc84a04974cac0e6174718e6b6
SHA256 0d2246e16aabed9ca321116fd25165c82754305e119a5a9f9eed439650c1e5da
SHA512 21d2535a4bd8521cb89a8fae32ad293f94451cfc81d3400b862bb60f21495d4c7dca86d4b14b41012ff210636806359ba5407218db73948e7c5ea2cd97c1938c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 1143edd15d29b7da0a53f5006df2e8cd
SHA1 e998f4d267e46537a960a196d77665c9784a41e0
SHA256 b5ae3103ef9f4a8b895ed9aaa8ad389221337d1208c29c4abcabbe5e13abab7c
SHA512 5df6608488fcc07130ee8815d6de130f95c7109cbf6147c39010d039189d1cfaf3e69b98684d9d172491083d408e4cb67621cc1d05358266902c4bf3f467c616

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 7ccf93b43b5eaffe2a17b66d3b72bb90
SHA1 2880a3f0a2186e68bd9071aa18149fcda7ef32a7
SHA256 e002ec4d63ad2adaaadd426d936961ce3a7d6437d973bea2c33da1663d3b7c0a
SHA512 b53c821a318e61a68ac13724aba38af884361f90e690cf581bd69458ba0c655edfbf77ebbf68e63dbc936b30b8f44604da7ae5f85215cf33dbc45b8df74728a4

Analysis: behavioral23

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

145s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\runtimes\win\lib\net6.0\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\runtimes\win\lib\net6.0\System.Management.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

146s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\Guna.UI2.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\Guna.UI2.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 200.64.52.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\System.Management.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2364 -s 500

Network

N/A

Files

memory/2364-0-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

memory/2364-1-0x0000000000830000-0x000000000174E000-memory.dmp

memory/2364-2-0x000007FEF5820000-0x000007FEF620C000-memory.dmp

Analysis: behavioral10

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

91s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.203:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 203.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

92s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\bfsvc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win7-20240221-en

Max time kernel

118s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\frAQBc8Wsa1xVPfv\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\frAQBc8Wsa1xVPfv" C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1800 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 1800 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 1800 wrote to memory of 1792 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\cmd.exe
PID 1792 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1792 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1792 wrote to memory of 1300 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 1792 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1792 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1792 wrote to memory of 1680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1792 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1792 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1792 wrote to memory of 2396 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1800 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe
PID 1800 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe
PID 1800 wrote to memory of 2572 N/A C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe C:\Windows\system32\WerFault.exe

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "C:\Users\Admin\AppData\Local\Temp\kayflock-beta\packages\ranks\fullstack-magic.exe" MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1800 -s 1240

Network

Country Destination Domain Proto
N/A 127.0.0.1:49206 tcp
N/A 127.0.0.1:49208 tcp
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
BE 23.14.90.91:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp

Files

memory/1800-1-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win10v2004-20240412-en

Max time kernel

93s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe

"C:\Users\Admin\AppData\Local\Temp\kayflock-beta\byfron.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 101.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp

Files

memory/3832-1-0x00007FFF7EC70000-0x00007FFF7F731000-memory.dmp

memory/3832-0-0x0000019770B80000-0x0000019771A9E000-memory.dmp

memory/3832-2-0x00007FFF7EC70000-0x00007FFF7F731000-memory.dmp

Analysis: behavioral9

Detonation Overview

Submitted

2024-04-13 17:42

Reported

2024-04-13 17:45

Platform

win7-20240221-en

Max time kernel

121s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\kayflock-beta\nexus.dll,#1

Network

N/A

Files

N/A