Malware Analysis Report

2024-10-19 11:02

Sample ID 240525-bpenzshd9w
Target 70691e8216cfaf86141dc2e4bc1827a7_JaffaCakes118
SHA256 f14df288e8d2bfe8240dbcdf34895400beaa04d569bffa8de208a3a54ccdb445
Tags
persistence evasion trojan adware discovery stealer
score
8/10

Analysis Overview

Threat Level: Likely malicious

The file 70691e8216cfaf86141dc2e4bc1827a7_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

persistence evasion trojan adware discovery stealer

Sets service image path in registry

Executes dropped EXE

Registers COM server for autorun

Checks computer location settings

Loads dropped DLL

Drops desktop.ini file(s)

Checks whether UAC is enabled

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: LoadsDriver

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 01:18

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20231129-en

Max time kernel

118s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\UnlockerDriver5\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\UnlockerDriver5.sys" C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Unlocker.exe

"C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Destroy Windows 10 Spying\Destroy Windows 10 Spying.exe"

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Destroy Windows 10 Spying\Destroy Windows 10 Spying.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Destroy Windows 10 Spying\Destroy Windows 10 Spying.exe

"C:\Users\Admin\AppData\Local\Temp\Destroy Windows 10 Spying\Destroy Windows 10 Spying.exe"

Network

Files

memory/4876-0-0x00007FFD614D3000-0x00007FFD614D5000-memory.dmp

memory/4876-1-0x0000000000B00000-0x0000000000B56000-memory.dmp

memory/4876-2-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

memory/4876-3-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

memory/4876-4-0x00007FFD614D3000-0x00007FFD614D5000-memory.dmp

memory/4876-5-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

memory/4876-6-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

133s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4388 wrote to memory of 4744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4388 wrote to memory of 4744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4388 wrote to memory of 4744 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4744 -ip 4744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 636

Network

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

107s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\UnlockerDriver5.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\UnlockerDriver5.sys

C:\Users\Admin\AppData\Local\Temp\UnlockerDriver5.sys

C:\Users\Admin\AppData\Local\Temp\UnlockerDriver5.sys

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20231129-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2124 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240426-en

Max time kernel

130s

Max time network

103s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\ngenlock.dat C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\tmp\30ROE94Y\Update.exe C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\tmp\ZJ7UBF2L\Interop.SHDocVw.dll C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\GACLock.dat C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\tmp\5ZY4HSUI\QuickStoresToolbar.dll C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} = "QuickStores-Toolbar" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\ = "mscoree.dll" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\MenuText = "QuickStores-Toolbar" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories\{00021494-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\Assembly = "QuickStoresToolbar, Version=1.1.0.0, Culture=neutral, PublicKeyToken=318d21d4b0463a3b" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\HelpText = "This is a free QuickStores-Toolbar." C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\Class = "QuickStoresToolbar.QuickStoresToolbar" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\ = "QuickStores-Toolbar" C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories\{00021494-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe"

C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp" /SL5="$501E2,166493,54272,C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe"

Network

Files

memory/4740-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/4740-3-0x0000000000401000-0x000000000040B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MFKGH.tmp\QuickStores_Unlocker.tmp

MD5 ce4e0ff83ac2a3256fd5c220562294a1
SHA1 72429c43cc4ed0a184a9c7b208902005489ff49a
SHA256 130ec61d37b76fa26a4c7ebcf210467c5be3ae2ace7346546c65f093478bb06b
SHA512 b375a78ca9b8e30ba665d3934716e5d3ac5737d8cf05a562f59c8b142923e3a79f1c44b55e995bd43fd0a9056a122cbe332d33947f626fa2d5bfb9f2e1824e98

memory/2936-18-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4ATC1.tmp\isxdl.dll

MD5 792620390aae5305220283f2ce33ca68
SHA1 d9fee4cb3e2fa5e7d88b45662fd58b30aa9979f0
SHA256 21bc620515ebbdeb125d273c2d8db45577d05408ef624464af26afcfecfd201a
SHA512 470914116f40e4f7216c840ccbc706eb7953c10e62195c9b4d15e73f422625096df6c68edb33c25e2eec3305b4a1b159054f812c4a2307aeb3e49d35ae5f575c

C:\Users\Admin\AppData\Roaming\QuickStoresToolbar\QuickStoresToolbar.dll

MD5 5494d46cbe14a5e0644cb219c9ac2fea
SHA1 d90389af5872217a258e4c5c07b7d064f50deea8
SHA256 fd3c814cd7a101ae6d82e044e9bdfc3bccd0f8b402d8f028aca53dbddc00976d
SHA512 0e3d40af922e8a2a1ed8f3a92080ff937dc6c700f1c28f34505c9710e55db0ff6f30f20ec4d36f9640fc344d799b97064a6f6b63d8da86851000c7c67e3e324f

memory/2936-30-0x0000000000400000-0x00000000004BA000-memory.dmp

C:\Users\Admin\AppData\Roaming\QuickStoresToolbar\Update.exe

MD5 723130df7bbca7fc4bfb1f829abd13b3
SHA1 b0b2c0a3e9915ef419d5fa4f7d8c662445d78c99
SHA256 0e7bcd39f8255eaa3c9dc017586fc52f6912c0c34fabea3143beef7b211ec4a6
SHA512 037ecae3012c8e7ce6ced6f9faf10c2ebd46a517b0be4f59696f1758502741b43e7600a675c9260efee29210ab9e47b58e663ac54a434ce271c5082bed77d77c

C:\Users\Admin\AppData\Roaming\QuickStoresToolbar\Interop.SHDocVw.dll

MD5 2613734670b491be45410d496cef7fa8
SHA1 5b9ae74a23e76863c025fdede54c4ee3316074fb
SHA256 d84e2fcb321bb969eebca48d44787fffc8016f70660c4a58e46589dd22906bda
SHA512 69dc8ad210361bce4c28b15ad31cfccb916557fd60d366642a90a37e046ba4b023c1d41833a15534ab9413f046a5af350403e44c7e80fc40eba58724c3d14c04

memory/2936-67-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/4740-68-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral24

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240426-en

Max time kernel

129s

Max time network

99s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe

"C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe"

Network

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240508-en

Max time kernel

121s

Max time network

125s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\UnlockerDriver5.sys

Signatures

N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\UnlockerDriver5.sys

C:\Users\Admin\AppData\Local\Temp\UnlockerDriver5.sys

C:\Users\Admin\AppData\Local\Temp\UnlockerDriver5.sys

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240426-en

Max time kernel

148s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe

"C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe"

Network

Files

C:\Users\Admin\AppData\Local\Temp\nse2B47.tmp\LangDLL.dll

MD5 9384f4007c492d4fa040924f31c00166
SHA1 aba37faef30d7c445584c688a0b5638f5db31c7b
SHA256 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
SHA512 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

C:\Users\Admin\AppData\Local\Temp\nse2B47.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nse2B47.tmp\ioSpecial.ini

MD5 7e16b04833a85a16238d664bc9d9086d
SHA1 32952c4fd1b0775ea4ab8c6fdc9380a6a295cd55
SHA256 56d0de68cdcaed4456109c978c382e7469cb5ad6f3108d91d981585a1028a0a6
SHA512 66e371f7edfe9fa2cf13add225c0b2cccfb26139238e5c6aa0d7f03b9a84eb8a65d811cf97c7fd59934f80d14a0d1362c609d6d4c8dae23b0e073f63977694f7

Analysis: behavioral5

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240221-en

Max time kernel

119s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Delay.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Delay.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Delay.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 228

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240426-en

Max time kernel

134s

Max time network

148s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 816 wrote to memory of 340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 816 wrote to memory of 340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 816 wrote to memory of 340 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 340 -ip 340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 340 -s 600

Network

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\UnlockerCOM.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UnlockerCOM.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\software\classes\clsid\UnlockerShellExtension C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UnlockerCOM.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\UnlockerCOM.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 40.173.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240419-en

Max time kernel

120s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe N/A

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe

"C:\Users\Admin\AppData\Local\Temp\unlocker1.9.0-x64.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\LangDLL.dll

\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nsd22AE.tmp\ioSpecial.ini

Analysis: behavioral13

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240508-en

Max time kernel

118s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\0.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\2.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\1.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\12.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\6.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\1.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\11.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\14.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\6.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\8.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\install_start.htm C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\4.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\8.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\9.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\install_start.htm C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\0.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\13.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\7.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\9.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\13.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\14.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\12.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\3.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\5.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\11.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\4.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\5.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\7.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\10.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\2.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\3.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
File opened for modification C:\Program Files (x86)\Bing Bar Installer\BootStrapper\10.png C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2920 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 2012 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe
PID 2920 wrote to memory of 316 N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe"

C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie

C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie

Network

Country Destination Domain Proto
US 8.8.8.8:53 msnportal.112.2o7.net udp
IE 66.235.152.221:80 msnportal.112.2o7.net tcp
US 8.8.8.8:53 install.toolbar.msn.com udp
US 65.55.170.245:443 install.toolbar.msn.com tcp
IE 66.235.152.221:80 msnportal.112.2o7.net tcp
US 65.55.170.245:443 install.toolbar.msn.com tcp
US 65.55.170.245:443 install.toolbar.msn.com tcp
US 65.55.170.245:443 install.toolbar.msn.com tcp
US 8.8.8.8:53 www.antanda.com udp
US 159.89.244.183:80 www.antanda.com tcp

Files

\Users\Admin\AppData\Local\Temp\bing_toolbar.exe

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\install_start.htm

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\0.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\1.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\2.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\3.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\4.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\5.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\6.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\7.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\8.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\9.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\10.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\11.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\12.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\13.png

C:\Program Files (x86)\Bing Bar Installer\BootStrapper\14.png

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ae0fecb16efd8cc4e62a978d47949200_a42634aa-f501-41cf-bed1-b8158857da02

C:\Users\Admin\AppData\Local\Temp\TFR79E1.tmp

Analysis: behavioral14

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\FileUnlocker_Installer.exe"

C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie

C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe" /silent /ignorebrowsercheck /forcedefaultsearch /launchie

Network

Country Destination Domain Proto
US 8.8.8.8:53 msnportal.112.2o7.net udp
IE 66.235.152.225:80 msnportal.112.2o7.net tcp
IE 66.235.152.225:80 msnportal.112.2o7.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 www.antanda.com udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 225.152.235.66.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 164.90.244.158:80 www.antanda.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 158.244.90.164.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\bing_toolbar.exe

C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\ae0fecb16efd8cc4e62a978d47949200_4d0966de-9ba4-4ee9-b282-eaf9cf9c9160

Analysis: behavioral15

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240508-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\ngenlock.dat C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\tmp\30ROE94Y\Update.exe C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\tmp\ZJ7UBF2L\Interop.SHDocVw.dll C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\GACLock.dat C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
File created C:\Windows\assembly\tmp\5ZY4HSUI\QuickStoresToolbar.dll C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} = "QuickStores-Toolbar" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories\{00021494-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\Class = "QuickStoresToolbar.QuickStoresToolbar" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories\{00021494-0000-0000-C000-000000000046} C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\HelpText = "This is a free QuickStores-Toolbar." C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\ = "QuickStores-Toolbar" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\MenuText = "QuickStores-Toolbar" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\ = "mscoree.dll" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F}\InprocServer32\Assembly = "QuickStoresToolbar, Version=1.1.0.0, Culture=neutral, PublicKeyToken=318d21d4b0463a3b" C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{10EDB994-47F8-43F7-AE96-F2EA63E9F90F} C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe"

C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp

"C:\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp" /SL5="$5014E,166493,54272,C:\Users\Admin\AppData\Local\Temp\$TEMP\QuickStores_Unlocker.exe"

Network

N/A

Files

memory/1700-0-0x0000000000400000-0x0000000000414000-memory.dmp

memory/1700-3-0x0000000000401000-0x000000000040B000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-9JOCV.tmp\QuickStores_Unlocker.tmp

\Users\Admin\AppData\Local\Temp\is-J5VNC.tmp\_isetup\_shfoldr.dll

memory/2000-10-0x0000000000400000-0x00000000004BA000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-J5VNC.tmp\isxdl.dll

\Users\Admin\AppData\Roaming\QuickStoresToolbar\QuickStoresToolbar.dll

memory/2000-34-0x0000000000400000-0x00000000004BA000-memory.dmp

\Users\Admin\AppData\Roaming\QuickStoresToolbar\Update.exe

\Users\Admin\AppData\Roaming\QuickStoresToolbar\Interop.SHDocVw.dll

MD5 2613734670b491be45410d496cef7fa8
SHA1 5b9ae74a23e76863c025fdede54c4ee3316074fb
SHA256 d84e2fcb321bb969eebca48d44787fffc8016f70660c4a58e46589dd22906bda
SHA512 69dc8ad210361bce4c28b15ad31cfccb916557fd60d366642a90a37e046ba4b023c1d41833a15534ab9413f046a5af350403e44c7e80fc40eba58724c3d14c04

memory/2000-68-0x0000000000400000-0x00000000004BA000-memory.dmp

memory/1700-69-0x0000000000400000-0x0000000000414000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20231129-en

Max time kernel

120s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Destroy Windows 10 Spying\Destroy Windows 10 Spying.exe"

Signatures

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Destroy Windows 10 Spying\Destroy Windows 10 Spying.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Destroy Windows 10 Spying\Destroy Windows 10 Spying.exe

"C:\Users\Admin\AppData\Local\Temp\Destroy Windows 10 Spying\Destroy Windows 10 Spying.exe"

Network

N/A

Files

memory/2244-0-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

memory/2244-1-0x0000000000B60000-0x0000000000BB6000-memory.dmp

memory/2244-2-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2244-3-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2244-4-0x000007FEF5253000-0x000007FEF5254000-memory.dmp

memory/2244-5-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

memory/2244-6-0x000007FEF5250000-0x000007FEF5C3C000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240508-en

Max time kernel

131s

Max time network

105s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Delay.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1124 wrote to memory of 6084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1124 wrote to memory of 6084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1124 wrote to memory of 6084 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Delay.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Delay.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 6084 -ip 6084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6084 -s 604

Network


Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

108s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5000 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5000 wrote to memory of 2060 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2060 -ip 2060

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2060 -s 612

Network


Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240220-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2868 -s 244

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240221-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2728 -s 224

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"

Signatures

Sets service image path in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\UnlockerDriver5\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\UnlockerDriver5.sys" C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Unlocker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Unlocker.exe

"C:\Users\Admin\AppData\Local\Temp\Unlocker.exe"

Network


Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240419-en

Max time kernel

117s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\UnlockerCOM.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UnlockerCOM.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\ = "UnlockerShellExtension" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension\ = "{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\UnlockerShellExtension C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\UnlockerCOM.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DDE4BEEB-DDE6-48fd-8EB5-035C09923F83}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\software\classes\clsid\UnlockerShellExtension C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AllFileSystemObjects\shellex\ContextMenuHandlers\UnlockerShellExtension C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\UnlockerCOM.dll

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-05-25 01:18

Reported

2024-05-25 01:21

Platform

win7-20240215-en

Max time kernel

121s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe

"C:\Users\Admin\AppData\Local\Temp\UnlockerInject32.exe"

Network

N/A

Files

N/A