Malware Analysis Report

2025-01-06 09:03

Sample ID 240601-fvfwfsbf48
Target 8972662f97de698650c7d96f331c5767_JaffaCakes118
SHA256 6f707e2f57ec4431abc3ec065d8b64e180de7c8c78bc50bed0235271d6b50b43
Tags evasion spyware stealer trojan persistence
Score 9/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral15, behavioral26, behavioral27, behavioral1, behavioral20, behavioral8, behavioral10, behavioral25, behavioral9, behavioral14, behavioral24, behavioral29, behavioral32, behavioral3, behavioral4, behavioral5, behavioral13, behavioral16, behavioral28, behavioral31, behavioral7, behavioral12, behavioral22, behavioral6, behavioral11, behavioral21, behavioral19, behavioral23, behavioral30, behavioral2, behavioral17, behavioral18 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score 9/10

SHA256

6f707e2f57ec4431abc3ec065d8b64e180de7c8c78bc50bed0235271d6b50b43

Threat Level: Likely malicious

The file 8972662f97de698650c7d96f331c5767_JaffaCakes118 was found to be: Likely malicious.

Malicious Activity Summary

evasion spyware stealer trojan persistence

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Enumerates VirtualBox registry keys

Looks for VMWare Tools registry key

Checks BIOS information in registry

Executes dropped EXE

Registers COM server for autorun

Reads user/profile data of web browsers

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Checks system information in the registry

Program crash

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy service COM API

Uses Volume Shadow Copy WMI provider

Uses Task Scheduler COM API

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-01 05:11

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240221-en

Max time kernel

100s

Max time network

144s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"

Signatures

Enumerates VirtualBox registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VBoxGuest C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\FADT\VBOX__ C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Checks system information in the registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob data omitted) C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFence.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"

\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe

"c:\users\admin\appdata\local\temp\ByteFenceService.exe" /i

\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe

"c:\users\admin\appdata\local\temp\ByteFenceService.exe"

C:\Windows\system32\netsh.exe

"C:\Windows\system32\netsh.exe" winsock show catalog

C:\Windows\SysWOW64\netsh.exe

"C:\Windows\SysWOW64\netsh.exe" winsock show catalog

C:\Windows\System32\bitsadmin.exe

"C:\Windows\System32\bitsadmin.exe" /rawreturn /nowrap /list /allusers /verbose

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 api.reason.technology udp
US 8.8.8.8:53 proxel.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 api.reasonsecurity.com udp
US 8.8.8.8:53 api.reasonsecurity.com udp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 cdn.bytefence.com udp
US 8.8.8.8:53 mc-003.bytefence.com udp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
BE 2.17.107.9:80 crl.microsoft.com tcp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 ocsp.thawte.com udp
US 152.199.19.74:80 ocsp.thawte.com tcp
US 8.8.8.8:53 crl.thawte.com udp
SE 192.229.221.95:80 crl.thawte.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 104.22.1.235:443 api.reasonsecurity.com tcp
US 8.8.8.8:53 csc3-2004-crl.verisign.com udp

Files

memory/2684-0-0x000007FEF47AE000-0x000007FEF47AF000-memory.dmp

memory/2684-1-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

memory/2684-2-0x000000001C0B0000-0x000000001C604000-memory.dmp

memory/2684-3-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

memory/2684-4-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

memory/2684-5-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

memory/2684-6-0x0000000001260000-0x000000000129C000-memory.dmp

memory/2684-7-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

memory/2524-10-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog

MD5 69b661f1c5111bab508264cdc91e33ef
SHA1 d2b443a7aa799e0bd48124e6583ed92b591ffc3d
SHA256 2d60399359ec8f2906cac7f836a0f10162c961b89eae1e849073acbbb6d3d84d
SHA512 cf132dc26464264d2c6ec093efc7aa0b64afdbb9ad0e2f1ce0faf8f54447f0588627677de33a67e30a12110aea3d1103be7e4d00fc8dc30cf85b314a73b63c07

memory/2524-35-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

\??\c:\users\admin\appdata\local\temp\rsEngine.config

MD5 56471e1d552cf365892a221059747376
SHA1 89cb5955b2ea777edd6366c5139029946310bafd
SHA256 d71574e62332c8ba76faf56f14de7357b6b2eba1d6c2e41dd140170a7b729d50
SHA512 a5be82b7a7940a60e5febf5458237fcfa4b1a06188604529089b711b802c0fee7bad700a368830737e78d0c32431cc8baa13cb65f1c320cf14943be7d8e46972

memory/2684-37-0x000000001C7C0000-0x000000001C82A000-memory.dmp

memory/2684-38-0x000000001CAC0000-0x000000001CB12000-memory.dmp

memory/2684-39-0x0000000000CA0000-0x0000000000CA6000-memory.dmp

memory/2684-40-0x000000001E2B0000-0x000000001E42C000-memory.dmp

memory/2684-47-0x0000000026060000-0x00000000260A0000-memory.dmp

memory/2684-48-0x000000002A740000-0x000000002A784000-memory.dmp

memory/2684-49-0x000000002A8E0000-0x000000002A916000-memory.dmp

memory/2684-50-0x000007FEF47AE000-0x000007FEF47AF000-memory.dmp

memory/2684-51-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

memory/2684-54-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

memory/2684-55-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Signatures.dat

MD5 fb84325fd7362b5634c4de62b3a2c001
SHA1 ebb54ec78a071ce47a1c86f47903d56d77b34cf7
SHA256 23bdccb16e5900857c621b67c779b2a49179aca564eeaf1e74fd10c4eb1651ef
SHA512 d59933302521c9b3eead330a38577faf1df0378aa926690c6001186d495abe4fc470bf578bc9deabd82e26d7b1f8ed446957494122bd65047456c657dc9bade2

memory/2684-65-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

memory/2684-67-0x000007FEF44F0000-0x000007FEF4E8D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabA66F.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarADC6.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cea7e984b4d99eb31153fc3177fc93d
SHA1 9f6d6034e36e0270c4aa2a2d38ff1515aac09648
SHA256 0a7797e1c52cb28b9328a9c7d3b6e445046a184fefac179bdabb24c89c31ff82
SHA512 afebff6963b73f46a34b32a4913d74bd64e59abdcd226aa53489e39a0d47ae6591b7e6032822718d9a619380b94fbdebce49acab8b59ecad244386811a03ce8d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 3687a365fc9440b09f36e60641da1c93
SHA1 75e69863e238ff69a75e7e121b73b06b4cebbcf2
SHA256 194c6b522f47aa695c5e511aaa581bec8b6565193d82180e495393c7f75e2736
SHA512 4812a57700994ca599efe35bceaa730a1567040858beba7f6bcbaf963ec9e5d6a6c62da308f083e0d6aa8ede98b3958fd96322ee8be97e7ed51141939f62210b

\??\c:\users\admin\appdata\local\temp\Errors.dat

MD5 85b3aff96264e2039ba02322cb4ac4a9
SHA1 07c6cdc6b050d18795cbdcc638c85f8687dc32de
SHA256 510ff27870f3e2120e1007682c238f345b046e8dad0d6355df4f05d2448a4221
SHA512 9a29444bd059308ab503204ae5fbf357a1752baf3a499972b13afeb5e36c4c833eb3be892560efa88124f55c189e2ccf379295dc7acb697ccf088ce62507e019

\??\c:\users\admin\appdata\local\temp\Logs\err.dat

MD5 a274d252b6bd38ccf33c1f2debce11ad
SHA1 3cd44a53e03ab006efc69cf9ad21670563269f4a
SHA256 eb6aa5dd31c611ae6315abbe79e633ca85cefb1cc1a47ad8ebb678dc7940cd88
SHA512 160a093be1dda8b9f9de7eefe979fa4c565174600e7918e7bd73414c520ea6e5045f7ae06fc4a6268c77382aac797c669a768fd04206fa6567c2e920017d419c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\2F23D0F5E4D72862517E1CB26A329742_59C6B5742244136A08A70F9396A5A57A

MD5 5bfa51f3a417b98e7443eca90fc94703
SHA1 8c015d80b8a23f780bdd215dc842b0f5551f63bd
SHA256 bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128
SHA512 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

memory/2684-784-0x000000001AD00000-0x000000001AD3E000-memory.dmp

memory/2684-786-0x000000001AD00000-0x000000001AD57000-memory.dmp

memory/2684-787-0x000000001AD00000-0x000000001AD57000-memory.dmp

memory/2684-789-0x000000001ACB0000-0x000000001ACBA000-memory.dmp

memory/2684-790-0x000000001ACB0000-0x000000001ACBA000-memory.dmp

memory/2684-793-0x000000001AD00000-0x000000001AD7B000-memory.dmp

memory/2684-792-0x000000001AD00000-0x000000001AD7B000-memory.dmp

memory/2684-795-0x000000001AD00000-0x000000001AD56000-memory.dmp

memory/2684-798-0x000000001AD00000-0x000000001AD2F000-memory.dmp

memory/2684-797-0x000000001AD00000-0x000000001AD2F000-memory.dmp

memory/2684-801-0x000000001AD00000-0x000000001AD89000-memory.dmp

memory/2684-800-0x000000001AD00000-0x000000001AD89000-memory.dmp

memory/2684-807-0x000000001ACB0000-0x000000001ACB7000-memory.dmp

memory/2684-806-0x000000001ACB0000-0x000000001ACB7000-memory.dmp

memory/2684-805-0x000000001ACD0000-0x000000001ACE2000-memory.dmp

memory/2684-804-0x000000001ACD0000-0x000000001ACE2000-memory.dmp

memory/2684-811-0x000000001AD00000-0x000000001AD57000-memory.dmp

memory/2684-812-0x000000001ACB0000-0x000000001ACB7000-memory.dmp

memory/2684-810-0x000000001AD00000-0x000000001AD3E000-memory.dmp

memory/2684-809-0x000000001AD00000-0x000000001AD3E000-memory.dmp

memory/2684-815-0x000000001ACD0000-0x000000001ACE7000-memory.dmp

memory/2684-814-0x000000001ACD0000-0x000000001ACE7000-memory.dmp

memory/2684-820-0x000000001ACD0000-0x000000001ACE5000-memory.dmp

memory/2684-819-0x000000001ACD0000-0x000000001ACE5000-memory.dmp

memory/2684-818-0x000000001AD00000-0x000000001AD7B000-memory.dmp

memory/2684-817-0x000000001ACB0000-0x000000001ACBA000-memory.dmp

memory/2684-824-0x000000001ACD0000-0x000000001ACEE000-memory.dmp

memory/2684-823-0x000000001ACD0000-0x000000001ACEE000-memory.dmp

memory/2684-822-0x000000001AD00000-0x000000001AD7B000-memory.dmp

memory/2684-826-0x000000001AD00000-0x000000001AD56000-memory.dmp

memory/2684-832-0x000000001ACD0000-0x000000001ACE2000-memory.dmp

memory/2684-831-0x000000001ACB0000-0x000000001ACBB000-memory.dmp

memory/2684-830-0x000000001ACB0000-0x000000001ACBB000-memory.dmp

memory/2684-828-0x000000001AD00000-0x000000001AD47000-memory.dmp

memory/2684-827-0x000000001AD00000-0x000000001AD47000-memory.dmp

memory/2684-836-0x000000001ACD0000-0x000000001ACE5000-memory.dmp

memory/2684-835-0x000000001ACD0000-0x000000001ACE5000-memory.dmp

memory/2684-834-0x000000001ACD0000-0x000000001ACE2000-memory.dmp

memory/2684-840-0x000000001ACD0000-0x000000001ACE9000-memory.dmp

memory/2684-839-0x000000001ACD0000-0x000000001ACE9000-memory.dmp

memory/2684-838-0x000000001ACB0000-0x000000001ACB7000-memory.dmp

memory/2684-842-0x000000001ACD0000-0x000000001ACEB000-memory.dmp

memory/2684-843-0x000000001ACD0000-0x000000001ACEB000-memory.dmp

memory/2684-847-0x000000001ACB0000-0x000000001ACBB000-memory.dmp

memory/2684-846-0x000000001ACB0000-0x000000001ACBB000-memory.dmp

memory/2684-845-0x000000001ACD0000-0x000000001ACE7000-memory.dmp

memory/2684-851-0x000000001ACB0000-0x000000001ACB9000-memory.dmp

memory/2684-850-0x000000001ACB0000-0x000000001ACB9000-memory.dmp

memory/2684-849-0x000000001ACD0000-0x000000001ACE7000-memory.dmp

memory/2684-860-0x000000001ACD0000-0x000000001ACEE000-memory.dmp

memory/2684-859-0x000000001ACD0000-0x000000001ACEE000-memory.dmp

memory/2684-858-0x000000001AD00000-0x000000001AD48000-memory.dmp

memory/2684-857-0x000000001AD00000-0x000000001AD48000-memory.dmp

memory/2684-856-0x000000001AD00000-0x000000001AD7B000-memory.dmp

memory/2684-855-0x000000001AD00000-0x000000001AD7B000-memory.dmp

memory/2684-854-0x000000001ACD0000-0x000000001ACE5000-memory.dmp

memory/2684-853-0x000000001ACD0000-0x000000001ACE5000-memory.dmp

memory/2684-862-0x000000001AD00000-0x000000001AD47000-memory.dmp

memory/2684-865-0x000000001ACD0000-0x000000001ACE1000-memory.dmp

memory/2684-864-0x000000001ACD0000-0x000000001ACE1000-memory.dmp

memory/2684-868-0x000000001ACD0000-0x000000001ACEE000-memory.dmp

memory/2684-867-0x000000001AD00000-0x000000001AD47000-memory.dmp

memory/2684-866-0x000000001ACD0000-0x000000001ACEE000-memory.dmp

memory/2684-873-0x000000001ACB0000-0x000000001ACB8000-memory.dmp

memory/2684-872-0x000000001ACB0000-0x000000001ACBA000-memory.dmp

memory/2684-871-0x000000001ACB0000-0x000000001ACBA000-memory.dmp

memory/2684-870-0x000000001ACB0000-0x000000001ACBB000-memory.dmp

memory/2684-874-0x000000001ACB0000-0x000000001ACB8000-memory.dmp

memory/2684-877-0x000000001ACD0000-0x000000001ACE5000-memory.dmp

memory/2684-876-0x000000001AD00000-0x000000001AD4C000-memory.dmp

memory/2684-875-0x000000001AD00000-0x000000001AD4C000-memory.dmp

memory/2684-878-0x000000001ACD0000-0x000000001ACE9000-memory.dmp

memory/2684-879-0x000000001ACD0000-0x000000001ACE9000-memory.dmp

\??\c:\users\admin\appdata\local\temp\installutil.installlog

MD5 4bb9c11a69ca4bd01f4c1fcd74fc3133
SHA1 7902de60e6f8d0f9d5da9116fe3882c3191b65c8
SHA256 dd5d3c883641e6e6f1a522b723772040e0160e968988463845dc6383ca8d38c7
SHA512 fe86117c0af64f490f9334158ed7734b5b766d6481686fa32ed8c749aaaf059a486437e3284b18d1ce0b4b6968e7c347f8e8e2bb0e9b9bd7589db2fdf1b8617a

\??\c:\users\admin\appdata\local\temp\bytefenceservice.installstate

MD5 4f130e22d88664a9fc01d4e1350ef1b5
SHA1 76504e0aeae03d51e2ce52a11d59f5ff18254d86
SHA256 b80d9b6e89383642c68bcb2285af4746101fa6470fccfccee210790fce79e9ab
SHA512 6777bc2866092dc417c37ebf3dfa64598c719e037316b69d816fb53e9c89a474a7b2f71cf937212574107a44c8efe035b838393fc9bef1d8c8ffec110dc9df30

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\amd64\KernelTraceControl.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\amd64\KernelTraceControl.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3988,i,18168883380598738769,14202261231630113808,262144 --variations-seed-version --mojo-platform-channel-handle=1424 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20231129-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallTools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\InstallTools.exe

"C:\Users\Admin\AppData\Local\Temp\InstallTools.exe" "C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe" Software\ByteFence INSNDE "C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe" /mode=s /url=logs.bytefence.com/event /product=Bytefence

C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe" /LM=3 /INSTEX /cd=12345 /thankyou /IGNORE="C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\InstallTools.exe

MD5 7bfcafbcc8ee124ce3ea6b098105865a
SHA1 f404c9a50e0740e465106321012c3b7859c999dc
SHA256 d7ffd96c98cdcd1bacbe7542b403d60a8b700ab8305de02738f1f1c2d98aa71f
SHA512 02b873be813abc8a50b882bed60ad2c57ad6cba8f83984c30d2ca0b5dba6c5b6427d44626bd2689e179bff539160b78b3ff6b604d1d134a147e41c9861b1600c

\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe

MD5 bd660f5e0f39dd05d5eefff4ce65c017
SHA1 956847325b76f4f02c8803f71204f4c747823ea2
SHA256 223ab46425284dd4ae73f8e7ad478eca6a0dcb4902cbc2f203b73b7cfe0da90b
SHA512 4fb02afb13c67c3d99cb0b183ca20ede069fb7a92cacd2f9bc73891e05a51bd6bd3ca2988fb71813444f9c9853ab8ad42193b234d5d0a60ca6a63355b51c0469

\Users\Admin\AppData\Local\Temp\nso10F3.tmp\nsDialogs.dll

MD5 ab101f38562c8545a641e95172c354b4
SHA1 ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
SHA256 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea
SHA512 72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

\Users\Admin\AppData\Local\Temp\nso10F3.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 52.111.229.48:443 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 85.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240508-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4348 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4348 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4348 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240426-en

Max time kernel

133s

Max time network

141s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2240 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 448 -ip 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240215-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Win32.TaskScheduler.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1720 -s 240

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3932 wrote to memory of 4200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3932 wrote to memory of 4200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3932 wrote to memory of 4200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4200 -ip 4200

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4200 -s 628
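
Added note and example, not part of the sandbox output. In behavioral8, behavioral10 and behavioral14 the 64-bit rundll32 in System32 is handed a 32-bit NSIS plugin DLL (System.dll and nsDialogs.dll are the same files the installer drops under nso10F3.tmp and nsz5ED4.tmp in behavioral1 and behavioral5; nsisdl.dll is the NSIS download plugin from the same $PLUGINSDIR), so it re-launches the SysWOW64 copy with the identical command line. The "wrote to memory" rows are that parent populating its freshly created child, and the WerFault lines name the child PID (3548, 448, 4200) because an NSIS plugin export expects the installer's own argument block (parent HWND, variable table, stack) rather than rundll32's, and faults when called directly. The Win7 runs in behavioral9 and behavioral13 show the same WerFault chain without the signature row. The script below, written for this page, parses those rows together with the WerFault command lines, de-duplicates the repeated writes, marks which written-to PIDs crashed, and labels the System32-to-SysWOW64 rundll32 pair as a WOW64 handoff; every other writer/target pair is left as "review", since this table alone cannot tell a parent writing into its new child from injection into an unrelated process. The sample rows are copied from the report; the triage function and its labels are this example's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Set, Tuple

# Constructed sample in this report's row format: the three 4348 -> 3548 rows and the two
# WerFault lines are copied from behavioral8; the 2316 -> 2352 and 2316 -> 1644 rows are
# from behavioral1 (the report repeats each of those seven times; two copies each here).
SAMPLE_REPORT = r'''
PID 4348 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4348 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4348 wrote to memory of 3548 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3548 -ip 3548
C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 612
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallTools.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe
PID 2316 wrote to memory of 1644 N/A C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe
'''

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; the writer path is matched
# lazily up to the space that precedes a drive-letter or \??\ prefixed target path.
WRITE_RE = re.compile(
    r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A '
    r'(?P<src_img>.+?) (?P<dst_img>(?:[A-Za-z]:|\\\?\?)\\\S.*)$'
)
# Both WerFault forms in the report carry the faulting PID after "-p" ("-pss" and "-ip" do not match).
WERFAULT_RE = re.compile(r'WerFault\.exe\b.*\s-p (?P<pid>\d+)', re.IGNORECASE)


@dataclass(frozen=True)
class Write:
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str


@dataclass(frozen=True)
class Finding:
    write: Write
    count: int      # how many WriteProcessMemory rows the report listed for this pair
    kind: str       # "wow64-handoff" or "review" (labels chosen for this example)
    crashed: bool   # a WerFault line named the written-to PID


def parse_report(text: str) -> Tuple[Counter, Set[int]]:
    """Count identical write rows in first-seen order and collect PIDs WerFault was started for."""
    writes: Counter = Counter()
    crashed: Set[int] = set()
    for line in text.splitlines():
        line = line.strip()
        w = WRITE_RE.match(line)
        if w:
            writes[Write(int(w.group("src")), int(w.group("dst")),
                         w.group("src_img"), w.group("dst_img"))] += 1
            continue
        f = WERFAULT_RE.search(line)
        if f:
            crashed.add(int(f.group("pid")))
    return writes, crashed


def classify(w: Write) -> str:
    """64-bit rundll32 writing into the SysWOW64 rundll32 it spawned for a 32-bit DLL is expected."""
    src, dst = w.src_img.lower(), w.dst_img.lower()
    if src.endswith("\\system32\\rundll32.exe") and dst.endswith("\\syswow64\\rundll32.exe"):
        return "wow64-handoff"
    return "review"   # parent-populates-child and cross-process injection look the same here


def triage(text: str) -> List[Finding]:
    writes, crashed = parse_report(text)
    return [Finding(w, n, classify(w), w.dst_pid in crashed) for w, n in writes.items()]


if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT):
        print(f"{f.write.src_pid} -> {f.write.dst_pid} x{f.count}  {f.kind:13}  "
              f"crashed={f.crashed}  {f.write.dst_img}")
```

Run stand-alone it prints three lines: the 4348 to 3548 pair as a WOW64 handoff that crashed, and the two installer pairs from behavioral1 as "review" with no crash. To check a real report, feed it the concatenated "Suspicious use of WriteProcessMemory" rows and the Processes command lines of one analysis; pairs that come back "review" with a target image outside the writer's own drop set are the ones worth opening in a debugger.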

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 89.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240508-en

Max time kernel

132s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

96s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64 C:\Windows\system32\regsvr32.exe N/A

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20231129-en

Max time kernel

118s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rsEngine.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\rsEngine.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240215-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\InstallTools.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\InstallTools.exe

"C:\Users\Admin\AppData\Local\Temp\InstallTools.exe"

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\InstallTools.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\InstallTools.exe

"C:\Users\Admin\AppData\Local\Temp\InstallTools.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1424 --field-trial-handle=2180,i,12780723798465539942,12010519452607841069,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 172.217.169.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 74.169.217.172.in-addr.arpa udp
US 8.8.8.8:53 106.246.116.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

129s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsz5ED4.tmp\nsDialogs.dll

MD5 ab101f38562c8545a641e95172c354b4
SHA1 ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
SHA256 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea
SHA512 72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

\Users\Admin\AppData\Local\Temp\nsz5ED4.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsisdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2724 -s 220

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\f: C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\ = "Scan with ByteFence Anti-Malware..." C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\ = "Scan with ByteFence Anti-Malware..." C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\Icon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFence.exe\",0" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
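
Added example, not part of the sandbox output. The regsvr32 run in behavioral29 registers three CLSIDs (the "Debug Information Accessor" and "Generic StackWalker" class names identify msdia140.dll as the Visual Studio DIA SDK library) whose InprocServer32 path points into C:\Users\Admin\AppData\Local\Temp\amd64, and ByteFence.exe above adds two Explorer context-menu verbs whose command runs ByteFenceScan.exe from the same Temp directory. Neither is an autorun in the Run-key sense: an in-process COM server loads whenever some process instantiates the CLSID, and a shell verb runs when a user picks it, but in both cases the image sits where any standard user can replace it. The Python below, written for this page, parses indicator lines in this report's format, extracts the (Default) InprocServer32 and shell\<verb>\command values, and flags images in user-writable directories, unqualified paths, and per-user CLSIDs that shadow an HKLM entry (HKCU\Software\Classes takes precedence over HKLM for non-elevated callers, which is the COM hijack pattern). The msdia140.dll and ByteFence rows are copied from the two tables; the {11111111-...} CLSID, constructed.dll and the user-writable directory list are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample in this report's indicator format. The msdia140.dll and ByteFence lines are
# copied from the behavioral29 and behavioral16 tables; the last two lines (made-up CLSID
# {11111111-...}, constructed.dll) are constructed to show a benign HKLM entry and a per-user
# entry that shadows it.
SAMPLE_INDICATORS = r'''
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll"
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\ = "C:\\Windows\\System32\\constructed.dll"
Set value (str) \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Roaming\\constructed.dll"
'''

# Only a key's (Default) value matters here; the report writes it as <key>\ = "<value>" with
# backslashes and quotes inside the value escaped as \\ and \".
VALUE_RE = re.compile(
    r'^Set value \(str\) \\REGISTRY\\'
    r'(?:MACHINE\\SOFTWARE\\Classes|USER\\(?P<sid>S-1-5-[0-9-]+)_Classes)\\'
    r'(?P<subkey>.+?)\\ = "(?P<value>(?:[^"\\]|\\.)*)"$'
)
COM_RE = re.compile(r'^CLSID\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\\InprocServer32$')
SHELL_RE = re.compile(r'^(?P<progid>.+)\\shell\\(?P<verb>[^\\]+)\\command$')
DRIVE_RE = re.compile(r'^[A-Za-z]:\\')
# Assumption for this example: directories a standard user can write to.
USER_WRITABLE = [
    re.compile(r'^[A-Za-z]:\\Users\\(?!Public\\)[^\\]+\\AppData\\', re.IGNORECASE),
    re.compile(r'^[A-Za-z]:\\Users\\Public\\', re.IGNORECASE),
    re.compile(r'^[A-Za-z]:\\Windows\\Temp\\', re.IGNORECASE),
]


@dataclass(frozen=True)
class Registration:
    hive: str    # "HKLM" or the SID whose per-user Classes hive was written
    kind: str    # "com" for CLSID\...\InprocServer32, "shell" for ...\shell\<verb>\command
    name: str    # the CLSID, or "<progid>\shell\<verb>"
    image: str   # the DLL or EXE the registration will load or run


def command_image(command: str) -> str:
    """The executable of a shell command value: the quoted path, else the text before the first space."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def parse_indicators(text: str) -> List[Registration]:
    """Extract COM in-process servers and shell verb commands, de-duplicated in first-seen order."""
    seen: Dict[Registration, None] = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        hive = m.group("sid") or "HKLM"
        value = re.sub(r'\\(.)', r'\1', m.group("value"))   # undo the report's \\ and \" escaping
        com = COM_RE.match(m.group("subkey"))
        shell = SHELL_RE.match(m.group("subkey"))
        if com:
            reg = Registration(hive, "com", com.group("clsid").upper(), value)
        elif shell:
            name = shell.group("progid") + "\\shell\\" + shell.group("verb")
            reg = Registration(hive, "shell", name, command_image(value))
        else:
            continue
        seen.setdefault(reg, None)
    return list(seen)


def assess(regs: Iterable[Registration]) -> List[Tuple[Registration, List[str]]]:
    """Return the registrations worth a closer look, each with every reason that fired."""
    regs = list(regs)
    hklm_com = {r.name for r in regs if r.kind == "com" and r.hive == "HKLM"}
    findings = []
    for r in regs:
        reasons = []
        if not DRIVE_RE.match(r.image):
            reasons.append("unqualified image path, resolved through the DLL/EXE search order")
        elif any(p.match(r.image) for p in USER_WRITABLE):
            reasons.append("image lives in a user-writable directory")
        if r.kind == "com" and r.hive != "HKLM" and r.name in hklm_com:
            reasons.append("per-user CLSID shadows the HKLM server for non-elevated callers")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for reg, reasons in assess(parse_indicators(SAMPLE_INDICATORS)):
        print(f"[{reg.hive}] {reg.kind:5} {reg.name} -> {reg.image}")
        for why in reasons:
            print("    " + why)
```

Run stand-alone it flags the three msdia140.dll CLSIDs and both ByteFence verbs for their Temp paths, skips the constructed System32 entry, and reports the constructed per-user entry twice over (Roaming path plus HKLM shadowing). The same three checks map directly onto a live host: enumerate HKLM and HKCU Software\Classes\CLSID\*\InprocServer32 and *\shell\*\command default values and apply them to the paths you read back.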

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A (50 identical events)
N/A N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A (14 identical events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeBackupPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeRestorePrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeLoadDriverPrivilege N/A \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFence.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"

\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe

"c:\users\admin\appdata\local\temp\ByteFenceService.exe" /i

\??\c:\users\admin\appdata\local\temp\ByteFenceService.exe

"c:\users\admin\appdata\local\temp\ByteFenceService.exe"

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

dw20.exe -x -s 2324

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp
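Most rows in this Network table, and in the other Network tables of this report, are reverse (PTR) queries to 8.8.8.8 for addresses that also appear as TCP destinations in the same table (www.bing.com and tse1.mm.bing.net; msedge.exe utility processes show up in several process lists in this report alongside the same bing.com connections). A PTR name encodes the address with its four octets reversed, so those rows can be folded back onto the connections they refer to and add no destination of their own. The one name queried here that never appears as a TCP destination is logs.bytefence.com (five queries, no connection), which matches the /url=logs.bytefence.com/event argument InstallTools.exe is launched with in behavioral2. The following Python is an added triage helper, not part of this report or of the sandbox that produced it; the sample rows are a constructed subset copied from the tables above (the last row is the behavioral18 row whose Domain column is empty), and the output field names are this example's own.

```python
import re

# Constructed sample: a subset of rows from the behavioral15 Network table,
# in the report's "Country Destination Domain Proto" layout. The final row is
# copied from behavioral18, where the Domain column is empty.
SAMPLE_ROWS = """\
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 logs.bytefence.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 13.107.246.64:443 tcp
"""

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)
PTR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.in-addr\.arpa$")


def parse_rows(text):
    """Parse rendered Network rows; the Domain column may be absent."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError("unrecognised row: %r" % line)
        rows.append(m.groupdict())
    return rows


def ptr_to_ip(name):
    """Recover the address a PTR query refers to: the four labels of an
    in-addr.arpa name are the IPv4 octets in reverse order."""
    m = PTR_RE.match(name or "")
    return ".".join(reversed(m.groups())) if m else None


def _ip_key(ip):
    return tuple(int(o) for o in ip.split("."))


def triage(rows):
    """Separate observed connections from DNS noise: PTR queries that merely
    reverse-resolve a known TCP destination, PTR queries for addresses never
    connected to, and forward lookups that never led to a connection."""
    tcp = {}            # destination ip -> names seen on TCP rows
    forward = {}        # forward-lookup name -> number of queries
    ptr_targets = set()
    for r in rows:
        if r["proto"] == "tcp":
            tcp.setdefault(r["ip"], set())
            if r["domain"]:
                tcp[r["ip"]].add(r["domain"])
        elif r["port"] == "53":
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr_targets.add(ip)
            elif r["domain"]:
                forward[r["domain"]] = forward.get(r["domain"], 0) + 1
    connected_names = {d for names in tcp.values() for d in names}
    return {
        "tcp_destinations": {ip: sorted(n) for ip, n in tcp.items()},
        "ptr_for_known_destinations": sorted(
            (ip for ip in ptr_targets if ip in tcp), key=_ip_key),
        "ptr_for_unseen_addresses": sorted(
            (ip for ip in ptr_targets if ip not in tcp), key=_ip_key),
        "forward_query_counts": forward,
        "dns_only_domains": sorted(d for d in forward if d not in connected_names),
    }


if __name__ == "__main__":
    for k, v in triage(parse_rows(SAMPLE_ROWS)).items():
        print(k, v)
```

The dns_only_domains list is the part worth reading: a name the sample resolved but never connected to is either a beacon that failed in the sandbox or a lookup whose follow-up traffic the capture did not attribute, and either way it is the indicator to pivot on rather than the bing.com rows.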

Files

memory/636-0-0x00007FF85B635000-0x00007FF85B636000-memory.dmp

memory/636-1-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-2-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-3-0x000000001CE90000-0x000000001D3E4000-memory.dmp

memory/636-4-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-5-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-6-0x000000001E270000-0x000000001E73E000-memory.dmp

memory/636-7-0x000000001D8C0000-0x000000001D95C000-memory.dmp

memory/636-8-0x000000001CA10000-0x000000001CA4C000-memory.dmp

memory/636-9-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-11-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-13-0x000000001DA50000-0x000000001DA70000-memory.dmp

memory/968-14-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/968-15-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/968-16-0x000000001B960000-0x000000001B978000-memory.dmp

memory/968-17-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/968-18-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/968-19-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/968-22-0x000000001C650000-0x000000001C674000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog

MD5 6eaa1926a6ef20c0742b1344bf1d8a14
SHA1 a9ba7268b609d64e0434d9a8f3f78d2371a2ac1d
SHA256 119aacf78c0083c15adc496df961bb78fe33efac6d3f41227d903f6c63b3ee28
SHA512 f4fef01bcded694a182440501f7a0dd47d6441e2558f1df26d019697a2f9372fd0f0e6ba8e1bb2b30b4fe34f53eefbc439e7ead6f1d726fd465543c9fccc9889

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.InstallLog

MD5 69b661f1c5111bab508264cdc91e33ef
SHA1 d2b443a7aa799e0bd48124e6583ed92b591ffc3d
SHA256 2d60399359ec8f2906cac7f836a0f10162c961b89eae1e849073acbbb6d3d84d
SHA512 cf132dc26464264d2c6ec093efc7aa0b64afdbb9ad0e2f1ce0faf8f54447f0588627677de33a67e30a12110aea3d1103be7e4d00fc8dc30cf85b314a73b63c07

memory/968-46-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/1704-47-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-48-0x00007FF85B635000-0x00007FF85B636000-memory.dmp

memory/636-49-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/1704-50-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

\??\c:\users\admin\appdata\local\temp\rsEngine.config

MD5 56471e1d552cf365892a221059747376
SHA1 89cb5955b2ea777edd6366c5139029946310bafd
SHA256 d71574e62332c8ba76faf56f14de7357b6b2eba1d6c2e41dd140170a7b729d50
SHA512 a5be82b7a7940a60e5febf5458237fcfa4b1a06188604529089b711b802c0fee7bad700a368830737e78d0c32431cc8baa13cb65f1c320cf14943be7d8e46972

memory/1704-54-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-53-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-55-0x000000001F350000-0x000000001F3BA000-memory.dmp

memory/636-58-0x000000001F420000-0x000000001F472000-memory.dmp

memory/636-60-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-59-0x000000001C8A0000-0x000000001C8A8000-memory.dmp

memory/636-61-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-62-0x000000001F210000-0x000000001F216000-memory.dmp

memory/636-63-0x00000000208A0000-0x0000000020A1C000-memory.dmp

memory/636-76-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-77-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/636-82-0x00000000219F0000-0x0000000021A52000-memory.dmp

memory/636-90-0x0000000021DE0000-0x0000000021E20000-memory.dmp

memory/636-92-0x0000000025500000-0x0000000025536000-memory.dmp

memory/636-91-0x0000000025220000-0x0000000025264000-memory.dmp

memory/636-93-0x0000000023700000-0x0000000023836000-memory.dmp

memory/636-102-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/1704-103-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

memory/1704-104-0x00007FF85B380000-0x00007FF85BD21000-memory.dmp

\??\c:\users\admin\appdata\local\temp\Errors.dat

MD5 7196f1e0b7cbeb178d417d6cd0d9a6c7
SHA1 e01b0318996b5fd807f924eef6cb457d6a72ec97
SHA256 7c9f181822c7507ec0154eeee2ebf521af0e55be61425c24bff076e3d0ac1ae4
SHA512 6e1721b081d177a9dcc489d31788398cd0e05151d96f125cf538f845a9cea80c4a40b52fdb06bf0c2e47ff1cf8da766fdf130ac20b8ba415fa69c9c73a89e4ff

\??\c:\users\admin\appdata\local\temp\Logs\err.dat

MD5 352cda68ea4091df26b80638d07428af
SHA1 f4a7db1111b0f137ace980061ade8f3f510d3f39
SHA256 a371ea00ef4626d94b2d6333817dde1ad33e0baff1fe864de5a871736c5a23b3
SHA512 5afe4e3684c8f0339812f312e14c5a3b133ccefad71013f594a80ea2613eeaf35a8ad358e07a0e9912cc832fba873c9046652e7df2db961b94d3d7d298f6abd4

Analysis: behavioral28

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll

Signatures

Registers COM server for autorun

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\CLSID C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A
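The security-relevant detail in the two registry tables above is not the CLSIDs themselves: the display names written alongside them ("Debug Information Accessor", "Generic StackWalker", "dia 2.0 Type Library") are those of msdia140.dll's own DllRegisterServer, and regsvr32 /s simply records whatever path the DLL was invoked from. Because that path is C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll, every later CoCreateInstance of those CLSIDs on this machine loads a DLL from a user-writable directory. The same pattern appears at the top of this section, where the "ByteFence Folder Scan" Directory\shell verb is pointed at C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe. The following Python is an added check, not part of this report or the sandbox: it parses rows in the layout rendered here, keeps only default values of InprocServer32, LocalServer32 and shell ...\command keys, and flags those whose path lies under a user-writable location. The sample rows are copied from the two tables (plus one constructed control row, marked as such), the user-writable markers are this example's assumption, and process paths containing spaces are not handled.

```python
import re

# Sample rows: copied from the registry tables above (the ByteFence shell verb
# from the behavioral15 table, the msdia140.dll CLSID registration from
# behavioral28), plus one constructed control row that is NOT in the report.
SAMPLE_EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\Position = "Middle" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\ByteFence Folder Scan\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\ByteFenceScan.exe\" /scan:\"%1\"" C:\Users\Admin\AppData\Local\Temp\ByteFence.exe N/A',
    # constructed control row (not from the report): same shape, server under System32
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32\ = "C:\\Windows\\System32\\example.dll" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" C:\Windows\system32\regsvr32.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" C:\Windows\system32\regsvr32.exe N/A',
]

# Assumed markers for directories an unprivileged user can write to.
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# Keys whose default value names a module or command that gets loaded/run.
LOADER_KEYS = {"inprocserver32", "localserver32", "command"}


def parse_event(line):
    """Split one rendered registry row into op, key, value data, writer, target.
    Data has its doubled backslashes and escaped quotes collapsed."""
    op, rest = line.split(" \\REGISTRY\\", 1)
    rest = "\\REGISTRY\\" + rest
    if not op.startswith("Set value"):
        key, proc, target = rest.rsplit(" ", 2)  # "Key created" rows carry no data
        return {"op": op, "key": key, "data": None, "process": proc, "target": target}
    key, after = rest.split(' = "', 1)
    raw, tail = after.rsplit('" ', 1)            # data ends at the last quote+space
    data = re.sub(r"\\(.)", r"\1", raw)          # \\ -> \ and \" -> "
    proc, target = tail.rsplit(" ", 1)           # assumes no spaces in the process path
    return {"op": op, "key": key, "data": data, "process": proc, "target": target}


def loadable_path(data):
    """Module/executable path from a default value: the quoted token if the
    value is quoted, otherwise everything up to the first space."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ", 1)[0]


def persistence_findings(events):
    """Flag loader keys whose default value points into a user-writable path."""
    findings = []
    for ev in events:
        # Only a default value (rendered with a trailing backslash) holds the path.
        if ev["data"] is None or not ev["key"].endswith("\\"):
            continue
        key = ev["key"].rstrip("\\")
        if key.rsplit("\\", 1)[-1].lower() not in LOADER_KEYS:
            continue
        path = loadable_path(ev["data"])
        if any(m in path.lower() for m in USER_WRITABLE_MARKERS):
            findings.append({"key": key, "path": path, "writer": ev["process"]})
    return findings


if __name__ == "__main__":
    for f in persistence_findings([parse_event(l) for l in SAMPLE_EVENTS]):
        print(f["writer"], "->", f["key"], "=", f["path"])
```

Run over the rows above this yields three findings (the shell verb command and the two InprocServer32 registrations of msdia140.dll) and ignores the ThreadingModel, display-name and TypeLib values, which carry no loadable path. The same rule, fed from a live registry export rather than report rows, is the hunt a practitioner would run for COM hijack style persistence on an endpoint.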

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\amd64\msdia140.dll

Network

N/A

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240226-en

Max time kernel

139s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1348 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 220

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240426-en

Max time kernel

92s

Max time network

97s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 968 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 968 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 968 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
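Read on their own, the WriteProcessMemory rows above look like injection. The paths say otherwise: the 64-bit C:\Windows\system32\rundll32.exe (PID 968) is writing into the 32-bit C:\Windows\SysWOW64\rundll32.exe (PID 4696) that the Processes list shows running with the identical command line, which is how a 64-bit rundll32 hands a 32-bit DLL off to its WoW64 counterpart; a parent writing into a child it has just launched in that handoff is not by itself evidence of injection. The WerFault rows (-p 4696) then show that 32-bit child crashing. nsExec.dll is an NSIS plugin (the same family as the System.dll and nsDialogs.dll the installer drops into nsXXXX.tmp directories elsewhere in this report), and NSIS plugin exports expect the installer's own argument block rather than the four arguments rundll32 passes to an export, so the "Program crash" signature is an artifact of invoking export #1 through rundll32, not sample behaviour. The following Python is an added triage helper, not part of this report or the sandbox: it groups the rendered rows by writer/target PID pair, labels each pair, and links the target to the PIDs WerFault names. The three labels and the grouping rule are this example's assumptions; the sample rows are copied from the behavioral12 tables.

```python
import re

# Constructed from the behavioral12 tables above: the three WriteProcessMemory
# rows, the process list (image path -> command line) and the WerFault lines.
WPM_ROWS = [
    r"PID 968 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 968 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 968 wrote to memory of 4696 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
]
PROCESS_CMDLINES = {
    r"C:\Windows\system32\rundll32.exe": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1",
    r"C:\Windows\SysWOW64\rundll32.exe": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1",
}
WERFAULT_CMDLINES = [
    r"C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4696 -ip 4696",
    r"C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 612",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+)\s+\S+\s+(\S+)\s+(\S+)$")


def crashed_pids(werfault_cmdlines):
    """PIDs named by WerFault's -p switch, i.e. the processes that faulted."""
    pids = set()
    for cmd in werfault_cmdlines:
        m = re.search(r"(?:^|\s)-p (\d+)", cmd)
        if m:
            pids.add(int(m.group(1)))
    return pids


def _image(path):
    return path.rsplit("\\", 1)[-1].lower()


def classify_writes(wpm_rows, process_cmdlines, werfault_cmdlines):
    """Group rows by (writer pid, target pid) and label each pair:
    wow64_relaunch   same image, System32 -> SysWOW64, same command line
    self_spawn       same image, anything else
    cross_process_write  different images: review for injection"""
    pairs = {}
    for row in wpm_rows:
        m = WPM_RE.match(row)
        if m is None:
            raise ValueError("unrecognised row: %r" % row)
        src_pid, dst_pid = int(m.group(1)), int(m.group(2))
        entry = pairs.setdefault((src_pid, dst_pid),
                                 {"src": m.group(3), "dst": m.group(4), "writes": 0})
        entry["writes"] += 1
    crashed = crashed_pids(werfault_cmdlines)
    out = []
    for (src_pid, dst_pid), e in sorted(pairs.items()):
        src_l, dst_l = e["src"].lower(), e["dst"].lower()
        same_image = _image(src_l) == _image(dst_l)
        same_args = process_cmdlines.get(e["src"]) == process_cmdlines.get(e["dst"])
        if same_image and "\\system32\\" in src_l and "\\syswow64\\" in dst_l and same_args:
            label = "wow64_relaunch"
        elif same_image:
            label = "self_spawn"
        else:
            label = "cross_process_write"
        out.append({"src_pid": src_pid, "dst_pid": dst_pid, "src": e["src"], "dst": e["dst"],
                    "writes": e["writes"], "class": label,
                    "target_crashed": dst_pid in crashed})
    return out


if __name__ == "__main__":
    for finding in classify_writes(WPM_ROWS, PROCESS_CMDLINES, WERFAULT_CMDLINES):
        print(finding)
```

For these rows the output is a single pair labelled wow64_relaunch with three writes and target_crashed set, which is the one-line summary a reviewer wants instead of three identical signature hits plus two WerFault processes.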

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4696 -ip 4696

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4696 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240508-en

Max time kernel

134s

Max time network

105s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/4572-0-0x00007FFAC12F5000-0x00007FFAC12F6000-memory.dmp

memory/4572-1-0x00007FFAC1040000-0x00007FFAC19E1000-memory.dmp

memory/4572-2-0x00007FFAC1040000-0x00007FFAC19E1000-memory.dmp

memory/4572-3-0x000000001B480000-0x000000001B498000-memory.dmp

memory/4572-4-0x000000001BA00000-0x000000001BF54000-memory.dmp

memory/4572-5-0x00007FFAC1040000-0x00007FFAC19E1000-memory.dmp

memory/4572-6-0x000000001BF80000-0x000000001BFA0000-memory.dmp

memory/4572-7-0x00007FFAC1040000-0x00007FFAC19E1000-memory.dmp

memory/4572-9-0x00007FFAC1040000-0x00007FFAC19E1000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240508-en

Max time kernel

133s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4428,i,5047420736443372512,9747851268033796534,262144 --variations-seed-version --mojo-platform-channel-handle=4368 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 90.65.42.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsgFA5F.tmp\nsDialogs.dll

MD5 ab101f38562c8545a641e95172c354b4
SHA1 ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
SHA256 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea
SHA512 72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

C:\Users\Admin\AppData\Local\Temp\nsgFA5F.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240508-en

Max time kernel

119s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2264 -s 220

Network

N/A

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240221-en

Max time kernel

117s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFenceService.exe"

Network

N/A

Files

memory/1984-0-0x000007FEF54AE000-0x000007FEF54AF000-memory.dmp

memory/1984-1-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/1984-2-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/1984-3-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/1984-4-0x000000001B200000-0x000000001B754000-memory.dmp

memory/1984-5-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

memory/1984-6-0x000007FEF51F0000-0x000007FEF5B8D000-memory.dmp

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240419-en

Max time kernel

119s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe

"C:\Users\Admin\AppData\Local\Temp\ByteFenceScan.exe"

Network

N/A

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Microsoft.Diagnostics.Tracing.TraceEvent.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240221-en

Max time kernel

119s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\protobuf-net.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240508-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallTools.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\InstallTools.exe

"C:\Users\Admin\AppData\Local\Temp\InstallTools.exe" "C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe" Software\ByteFence INSNDE "C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe" /mode=s /url=logs.bytefence.com/event /product=Bytefence

C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe

"C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe" /LM=3 /INSTEX /cd=12345 /thankyou /IGNORE="C:\Users\Admin\AppData\Local\Temp\8972662f97de698650c7d96f331c5767_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\InstallTools.exe

MD5 7bfcafbcc8ee124ce3ea6b098105865a
SHA1 f404c9a50e0740e465106321012c3b7859c999dc
SHA256 d7ffd96c98cdcd1bacbe7542b403d60a8b700ab8305de02738f1f1c2d98aa71f
SHA512 02b873be813abc8a50b882bed60ad2c57ad6cba8f83984c30d2ca0b5dba6c5b6427d44626bd2689e179bff539160b78b3ff6b604d1d134a147e41c9861b1600c

C:\Users\Admin\AppData\Local\Temp\bytefence-installer-5.5.0.7.exe

MD5 bd660f5e0f39dd05d5eefff4ce65c017
SHA1 956847325b76f4f02c8803f71204f4c747823ea2
SHA256 223ab46425284dd4ae73f8e7ad478eca6a0dcb4902cbc2f203b73b7cfe0da90b
SHA512 4fb02afb13c67c3d99cb0b183ca20ede069fb7a92cacd2f9bc73891e05a51bd6bd3ca2988fb71813444f9c9853ab8ad42193b234d5d0a60ca6a63355b51c0469

C:\Users\Admin\AppData\Local\Temp\nsj5CA8.tmp\nsDialogs.dll

MD5 ab101f38562c8545a641e95172c354b4
SHA1 ec47ac5449f6ee4b14f6dd7ddde841a3e723e567
SHA256 3cdf3e24c87666ed5c582b8b028c01ee6ac16d5a9b8d8d684ae67605376786ea
SHA512 72d4b6dc439f40b7d68b03353a748fc3ad7ed10b0401741c5030705d9b1adef856406075e9ce4f1a08e4345a16e1c759f636c38ad92a57ef369867a9533b7037

C:\Users\Admin\AppData\Local\Temp\nsj5CA8.tmp\System.dll

MD5 fbe295e5a1acfbd0a6271898f885fe6a
SHA1 d6d205922e61635472efb13c2bb92c9ac6cb96da
SHA256 a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1
SHA512 2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win7-20240508-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-01 05:11

Reported

2024-06-01 05:14

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

160s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ByteFenceGUI.dll,#1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=2264,i,15001568551143786084,90255922961447677,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

N/A