Analysis Overview
SHA256
4245b59eb49f9ea2596ed1791ea2c81173acbfdfa2ceaf8e17ab418ace71d847
Threat Level: Known bad
The file afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe was found to be: Known bad. Read the runs below with the sample's structure in mind: the family match (Risepro) and the packer hits (ACProtect, UPX) come from the static analysis (static1), while the behavioral runs detonate the NSIS installer, its uninstaller and each extracted plugin DLL on its own. In the rundll32 runs the 64-bit C:\Windows\system32\rundll32.exe is handed a 32-bit DLL from $PLUGINSDIR and re-executes the SysWOW64 copy with the same arguments, which is where the "Suspicious use of WriteProcessMemory" rows come from, and WerFault.exe is then invoked for the crash of that child (its -p value is the child PID); AFKJourneyUninst.exe copying itself to ~nsuA.tmp\Un_A.exe and relaunching with _?= is the standard NSIS uninstaller sequence. These behaviours are generic installer mechanics and do not by themselves corroborate the family verdict, so confirm the Risepro classification against the unpacked sample rather than against the behavioral signatures.
Malicious Activity Summary
Risepro family
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Loads dropped DLL
Executes dropped EXE
Command and Scripting Interpreter: JavaScript
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-10 18:11
Signatures
Risepro family
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 336 wrote to memory of 3120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 336 wrote to memory of 3120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 336 wrote to memory of 3120 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3120 -ip 3120
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3120 -s 612
Network
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240419-en
Max time kernel
135s
Max time network
138s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3000 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 3000 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 3000 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 3000 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe
"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | imv2-gl.farlightgames.com | udp |
| N/A | 127.0.0.1:49205 | | tcp |
| N/A | 127.0.0.1:49207 | | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| US | 8.8.8.8:53 | fake.fake | udp |
| N/A | 127.0.0.1:49209 | | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| N/A | 127.0.0.1:49211 | | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| N/A | 127.0.0.1:49213 | | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| N/A | 127.0.0.1:49215 | | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| N/A | 127.0.0.1:49217 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
| MD5 | 474a59515c2dbeaf0d7ee72e24ecbe00 |
| SHA1 | 8aa52d73eae8bf89ee46106ac5e5b41561ebdffd |
| SHA256 | 72079e6f9b748fc35a91161bafd28f2f5f183fd91ba86fe4e5c16186b3a26884 |
| SHA512 | 3e4de23a3039360421daedbd7915951e5e02b1a4e87458f70f48c3ff8167a471eb0a0aaf3f282701ce0fab81a15bb7ff5b4e1e1393522f09d0ec494ba4b198b4 |
\Users\Admin\AppData\Local\Temp\nsdAEB.tmp\NsLauncher.dll
| MD5 | e289f003033fb7d3d52ff9afccbd3677 |
| SHA1 | 2083fb9828ecc87d3b274208be0e8b88ba37136c |
| SHA256 | e243bcd7575fdff522a23d97a848f562a52d484cea06151642ec5e36773a1b87 |
| SHA512 | 99b9ec5c405b86754dd48959643080b5dccca4231e3092c1be77a8e86c5dfc893122b7d04cb2a87e4c21ce900f7eace488d01494045381cb96055a96cadc7863 |
Analysis: behavioral28
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
55s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240226-en
Max time kernel
112s
Max time network
159s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1368 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1368 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1368 wrote to memory of 1776 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1776 -ip 1776
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1776 -s 604
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4248 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| GB | 216.58.201.106:443 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240226-en
Max time kernel
141s
Max time network
160s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3484 wrote to memory of 736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3484 wrote to memory of 736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3484 wrote to memory of 736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 736 -ip 736
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 736 -s 672
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2212 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 130.211.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.179.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | 234.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240221-en
Max time kernel
119s
Max time network
127s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2180 -s 228
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240426-en
Max time kernel
147s
Max time network
152s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4036 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4036 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4036 wrote to memory of 4676 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4676 -ip 4676
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4676 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.98.74.40.in-addr.arpa | udp |
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
94s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2188 wrote to memory of 1160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 1160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2188 wrote to memory of 1160 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1160 -ip 1160
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1160 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 216.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
159s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3220 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3220 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3220 wrote to memory of 4748 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| GB | 23.44.234.16:80 | | tcp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240221-en
Max time kernel
121s
Max time network
123s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\de.js
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240215-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe
"C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49194 | | tcp |
| US | 8.8.8.8:53 | imv2-gl.farlightgames.com | udp |
| US | 163.181.154.244:443 | imv2-gl.farlightgames.com | tcp |
| N/A | 127.0.0.1:49197 | | tcp |
| N/A | 127.0.0.1:49199 | | tcp |
| US | 8.8.8.8:53 | app.farlightgames.com | udp |
| US | 8.8.8.8:53 | app.farlightgames.com | udp |
| BE | 2.17.107.184:443 | app.farlightgames.com | tcp |
| BE | 2.17.107.241:443 | app.farlightgames.com | tcp |
| BE | 2.17.107.184:443 | app.farlightgames.com | tcp |
| US | 8.8.8.8:53 | tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com | udp |
| N/A | 127.0.0.1:49203 | | tcp |
| N/A | 127.0.0.1:49206 | | tcp |
| US | 34.36.110.19:443 | tsg-hdp-raw-log.data.cn-singapore-lls01-d01.sls-pub.farlightgames.com | tcp |
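Reading these Network tables: rows to 127.0.0.1 are local IPC between the installer's processes, PTR lookups under in-addr.arpa are the sandbox's own reverse lookups, and fake.fake is a placeholder name; only the remaining rows name infrastructure the sample actually reached. The script below is an added example, not part of this report or of the sandbox's tooling. It parses rows in the report's pipe-delimited layout, including rows whose empty Domain cell was dropped so that the protocol slid into the third column, and separates real external contacts from that noise. The sample rows are copied from the tables in this report; the category names and the assumption that 8.8.8.8:53 is the sandbox resolver are this example's own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: rows copied from the behavioral1, behavioral15 and
# behavioral17 Network tables of this report. Three rows have an empty
# Domain cell, in both shapes the page uses for that case.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49194 | tcp | |
| US | 8.8.8.8:53 | imv2-gl.farlightgames.com | udp |
| US | 163.181.154.244:443 | imv2-gl.farlightgames.com | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| BE | 2.17.107.184:443 | app.farlightgames.com | tcp |
| BE | 2.17.107.241:443 | app.farlightgames.com | tcp |
| GB | 216.58.201.106:443 | tcp | |
| N/A | 127.0.0.1:49217 | tcp |
| SG | 101.33.48.102:443 | pc.crashsight.wetest.net | tcp |
"""

PROTOS = {"tcp", "udp"}
SANDBOX_RESOLVER = "8.8.8.8"   # assumption: the resolver every DNS row in this report uses


def parse_row(line):
    """Return (country, dest, domain, proto) for one pipe-delimited row, or None.

    Dropping empty cells makes the aligned form '| N/A | ip:port | | tcp |' and the
    flattened forms '| N/A | ip:port | tcp | |' / '| N/A | ip:port | tcp |' identical;
    a protocol in column 3 then means the Domain cell was empty."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    if len(cells) < 3 or cells[0] == "Country":
        return None
    country, dest = cells[0], cells[1]
    if cells[2].lower() in PROTOS:
        return country, dest, "", cells[2].lower()
    proto = cells[3].lower() if len(cells) > 3 else ""
    return country, dest, cells[2], proto


def classify(row):
    """Label a row as sandbox/local noise, a DNS query, or a real external contact."""
    _country, dest, domain, _proto = row
    host, _, port = dest.rpartition(":")
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unparsed"
    if ip.is_loopback or ip.is_private:
        return "loopback/internal"      # installer/launcher IPC on 127.0.0.1
    if domain.endswith(".in-addr.arpa"):
        return "reverse-lookup noise"   # sandbox PTR lookups, not the sample's traffic
    if domain == "fake.fake":
        return "placeholder DNS"        # worth a look, but not an IOC
    if host == SANDBOX_RESOLVER and port == "53":
        return "dns query"
    return "external contact"


def triage(text):
    """Return (contacts, dns): contacts maps a domain (or '(no domain)') to the
    set of 'ip:port' endpoints actually connected to; dns is the set of names
    queried once noise rows are removed."""
    contacts = defaultdict(set)
    dns = set()
    for line in text.splitlines():
        row = parse_row(line)
        if row is None:
            continue
        kind = classify(row)
        _country, dest, domain, _proto = row
        if kind == "dns query":
            dns.add(domain)
        elif kind == "external contact":
            contacts[domain or "(no domain)"].add(dest)
    return dict(contacts), dns


if __name__ == "__main__":
    contacts, dns = triage(SAMPLE_ROWS)
    for name, endpoints in sorted(contacts.items()):
        print(f"{name:40} {', '.join(sorted(endpoints))}")
    print("queried:", ", ".join(sorted(dns)))
```

Run it as a script to print the per-domain endpoints. Fed the full Network tables of the installer and launcher runs (behavioral1 and behavioral15), it leaves only farlightgames.com, lilithgame.com and pc.crashsight.wetest.net endpoints, while every loopback, PTR and fake.fake row drops out; in the msedge-bearing runs the domainless rows (for example 216.58.201.106:443) are reported under "(no domain)" so they can be checked against the browser's own traffic rather than silently discarded.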
Files
\Users\Admin\AppData\Local\Temp\nsdE93.tmp\NsLauncher.dll
| MD5 | e289f003033fb7d3d52ff9afccbd3677 |
| SHA1 | 2083fb9828ecc87d3b274208be0e8b88ba37136c |
| SHA256 | e243bcd7575fdff522a23d97a848f562a52d484cea06151642ec5e36773a1b87 |
| SHA512 | 99b9ec5c405b86754dd48959643080b5dccca4231e3092c1be77a8e86c5dfc893122b7d04cb2a87e4c21ce900f7eace488d01494045381cb96055a96cadc7863 |
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
152s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 4388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4808 wrote to memory of 4388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4808 wrote to memory of 4388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4388 -ip 4388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4388 -s 612
Network
Files
memory/4388-0-0x0000000075920000-0x0000000075929000-memory.dmp
memory/4388-1-0x0000000075920000-0x0000000075929000-memory.dmp
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2784 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2784 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2784 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2784 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2784 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2784 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2784 wrote to memory of 2272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\CrashSight.dll,#1
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240508-en
Max time kernel
122s
Max time network
124s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20231129-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240419-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 876 -s 228
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240215-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\SelfDel.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 220
Network
Files
memory/2324-2-0x0000000074D70000-0x0000000074D79000-memory.dmp
memory/2324-1-0x0000000074D60000-0x0000000074D69000-memory.dmp
memory/2324-0-0x0000000074D70000-0x0000000074D79000-memory.dmp
memory/2324-3-0x0000000074D60000-0x0000000074D69000-memory.dmp
memory/2324-5-0x0000000074D70000-0x0000000074D79000-memory.dmp
memory/2324-6-0x0000000074D70000-0x0000000074D79000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240508-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2108 -s 220
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 824 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 824 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
| PID 824 wrote to memory of 3280 | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe
"C:\Users\Admin\AppData\Local\Temp\AFKJourneyUninst.exe"
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
"C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | imv2-gl.farlightgames.com | udp |
| N/A | 127.0.0.1:51785 | | tcp |
| N/A | 127.0.0.1:51787 | | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| N/A | 127.0.0.1:51789 | | tcp |
| N/A | 127.0.0.1:51791 | | tcp |
| N/A | 127.0.0.1:51793 | | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| N/A | 127.0.0.1:51795 | | tcp |
| N/A | 127.0.0.1:51797 | | tcp |
| US | 8.8.8.8:53 | fake.fake | udp |
| US | 8.8.8.8:53 | fake.fake | udp |
| N/A | 127.0.0.1:51799 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
| MD5 | 474a59515c2dbeaf0d7ee72e24ecbe00 |
| SHA1 | 8aa52d73eae8bf89ee46106ac5e5b41561ebdffd |
| SHA256 | 72079e6f9b748fc35a91161bafd28f2f5f183fd91ba86fe4e5c16186b3a26884 |
| SHA512 | 3e4de23a3039360421daedbd7915951e5e02b1a4e87458f70f48c3ff8167a471eb0a0aaf3f282701ce0fab81a15bb7ff5b4e1e1393522f09d0ec494ba4b198b4 |
C:\Users\Admin\AppData\Local\Temp\nsi66EA.tmp\NsLauncher.dll
| MD5 | e289f003033fb7d3d52ff9afccbd3677 |
| SHA1 | 2083fb9828ecc87d3b274208be0e8b88ba37136c |
| SHA256 | e243bcd7575fdff522a23d97a848f562a52d484cea06151642ec5e36773a1b87 |
| SHA512 | 99b9ec5c405b86754dd48959643080b5dccca4231e3092c1be77a8e86c5dfc893122b7d04cb2a87e4c21ce900f7eace488d01494045381cb96055a96cadc7863 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240508-en
Max time kernel
62s
Max time network
51s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1168 wrote to memory of 3528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1168 wrote to memory of 3528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1168 wrote to memory of 3528 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3528 -ip 3528
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3528 -s 604
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240426-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
154s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\es.js
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NsLauncher.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1044 -s 260
Network
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240221-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"
Network
Files
memory/1728-2-0x0000000002F00000-0x0000000002F27000-memory.dmp
memory/1728-4-0x0000000076280000-0x0000000076290000-memory.dmp
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240508-en
Max time kernel
140s
Max time network
104s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\AFKJourneyLauncher.exe"
Network
Files
memory/400-2-0x0000000004740000-0x00000000047BE000-memory.dmp
memory/400-4-0x0000000075D10000-0x0000000075D20000-memory.dmp
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240426-en
Max time kernel
92s
Max time network
95s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\hpatchz.exe
"C:\Users\Admin\AppData\Local\Temp\hpatchz.exe"
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240221-en
Max time kernel
117s
Max time network
125s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\hpatchz.exe
"C:\Users\Admin\AppData\Local\Temp\hpatchz.exe"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240226-en
Max time kernel
140s
Max time network
162s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe | N/A |
Enumerates physical storage devices
Processes
C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe
"C:\Users\Admin\AppData\Local\Temp\afkjourneysetup_eff1c777128fb6dd30b513508b2f289b.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1028 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsg2112.tmp\NsLauncher.dll
| MD5 | e289f003033fb7d3d52ff9afccbd3677 |
| SHA1 | 2083fb9828ecc87d3b274208be0e8b88ba37136c |
| SHA256 | e243bcd7575fdff522a23d97a848f562a52d484cea06151642ec5e36773a1b87 |
| SHA512 | 99b9ec5c405b86754dd48959643080b5dccca4231e3092c1be77a8e86c5dfc893122b7d04cb2a87e4c21ce900f7eace488d01494045381cb96055a96cadc7863 |
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240221-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsis7z.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2908 -s 220
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20231129-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgWorker.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2896 -s 228
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win7-20240221-en
Max time kernel
118s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\ar.js
Network
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-06-10 18:11
Reported
2024-06-10 18:14
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
151s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\resource\lang\en.js