Malware Analysis Report

2025-08-11 01:15

Sample ID 241021-kmjdtsyfmm
Target 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118
SHA256 6e058ce4dc4d3a35811341392350c57700c10754e737daecce149f5ad17cf4f6
Tags
execution discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Analysis: behavioral28, behavioral13, behavioral11, behavioral18, behavioral27, behavioral32, behavioral9, behavioral21, behavioral22, behavioral24, behavioral20, behavioral7, behavioral8, behavioral10, behavioral15, behavioral1, behavioral6, behavioral23, behavioral26, behavioral29, behavioral4, behavioral12, behavioral14, behavioral25, behavioral30, behavioral31, behavioral3, behavioral5, behavioral2, behavioral16, behavioral17, behavioral19 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

6e058ce4dc4d3a35811341392350c57700c10754e737daecce149f5ad17cf4f6

Threat Level: Shows suspicious behavior

The file 662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118 was found to show suspicious behavior.

Malicious Activity Summary

execution discovery spyware stealer

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Program crash

System Location Discovery: System Language Discovery

Command and Scripting Interpreter: JavaScript

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-21 08:43

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral28

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\options.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\options.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.29.10:443 g.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 10.29.171.150.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20241010-en

Max time kernel

120s

Max time network

127s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\feedFunctions.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\feedFunctions.js

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

120s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\dialog.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\dialog.js

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\globals.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\globals.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral27

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\options.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\options.js

Network

N/A

Files

N/A

Analysis: behavioral32

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

129s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\toolbarBuilder.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\toolbarBuilder.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240708-en

Max time kernel

101s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe N/A
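The two registry indicators above (the Geo\Nation value and the NLS\Language key) are what the "Checks computer location settings" and "System Language Discovery" signatures key on; they correspond to ATT&CK T1614 and T1614.001. Both keys are also read by ordinary localised installers, so on their own they are weak evidence. The following script, added here as an example and not part of the sandbox report or its tooling, parses rows in the report's Description/Indicator/Process/Target layout and maps them to those technique IDs with a confidence tag; the rule table and the fourth sample row (a made-up Run-key access that should not match anything) are assumptions.

```python
"""Map the registry indicators in a sandbox report to ATT&CK discovery techniques.

Added example, not part of the sandbox report or its tooling. Assumes the
report's "Description Indicator Process Target" row layout and the small rule
table below; the technique IDs are the ones the signature names refer to.
"""
import re

# One report row: action, registry key (may contain spaces), process path, target.
ROW_RE = re.compile(
    r"^(?P<action>Key value queried|Key opened)\s+"
    r"(?P<key>\\REGISTRY\\.+?)\s+"
    r"(?P<proc>[A-Za-z]:\\\S+)\s+"
    r"(?P<target>\S+)$"
)

# Keys the two discovery signatures fire on. Localised installers read both,
# so a hit is tagged low confidence until other behaviour backs it up.
DISCOVERY_RULES = [
    (re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.I),
     "T1614", "System Location Discovery", "low"),
    (re.compile(r"\\Control\\NLS\\Language(\\|$)", re.I),
     "T1614.001", "System Location Discovery: System Language Discovery", "low"),
]

# Constructed input: rows 1-3 are copied from the report, row 4 is a made-up
# Run-key access that should fall through the rule table.
SAMPLE_ROWS = [
    r"Key value queried \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A",
    r"Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run C:\Windows\SysWOW64\rundll32.exe N/A",
]


def parse_row(row):
    """Split one row into its fields; None for headers and non-registry rows."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def classify(row):
    """(technique_id, name, confidence, process) for a row that hits a rule, else None."""
    fields = parse_row(row)
    if fields is None:
        return None
    for pattern, tid, name, confidence in DISCOVERY_RULES:
        if pattern.search(fields["key"]):
            return tid, name, confidence, fields["proc"]
    return None


def summarize(rows):
    """technique_id -> sorted distinct processes that triggered it."""
    hits = {}
    for row in rows:
        result = classify(row)
        if result:
            tid, _name, _confidence, proc = result
            hits.setdefault(tid, set()).add(proc)
    return {tid: sorted(procs) for tid, procs in hits.items()}


if __name__ == "__main__":
    for tid, procs in sorted(summarize(SAMPLE_ROWS).items()):
        print(tid, procs)
```

Run against the rows of a whole report, the summary shows which processes performed the locale checks; in this report it is the installer and its dropped helpers, which is consistent with installer localisation rather than targeted geofencing.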

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsjA268.tmp\System.dll

MD5 6621d1f4e191c018a0d8abb5c610d1aa
SHA1 c3af35a5df9361e2805bd84d3e3144e0b9c44d5b
SHA256 d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5
SHA512 6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5

\Users\Admin\AppData\Local\Temp\nsjA268.tmp\InstallOptions.dll

MD5 29459d9ee2bce32ed937fb1f965f9d5e
SHA1 8fff45ed45f3af8f8c248eba9a1c02c9c5fc911d
SHA256 ad07968b7d93ef19e10e1deb52e0c912e96dde30c0a49a0239daf176fd4c9ef5
SHA512 d4ef4eadb0f53e7086a1d242bf7f745ad79d83d9ecbfaa283cf0dd499271a804589a575040bb20d5c98e86197cc65ca05ab1a358c556ea82a3e297d0255015a6

C:\Users\Admin\AppData\Local\Temp\nsjA268.tmp\welcome.ini

MD5 84e2901534c5e0f2d343a799d0253ad2
SHA1 c5b68d71c67d9774a297496ad21cbdde61938886
SHA256 e23b391285c9899dad9ff2bdd0c02b74be32eb8cfe181a47c220b53b826cc01d
SHA512 a748212cb5eb3c709fce8c0fe22b6c0455f20761f34128e7a52c2da714cb4cc18d58bb3f1bd6eb69eb5e46d127a847a91b248aaf513b11b50ed2fc6e31e17a70

C:\Users\Admin\AppData\Local\Temp\nsjA268.tmp\welcome.ini

MD5 b0a28863ada2c5ed535f28db721bffcf
SHA1 4cca344c8dcc7b463dbbe8e5674635c8ca19bd66
SHA256 bf6f03f0abb5f88dac58898c483f55f87911b62682088d3dd41cf7e1e6860fce
SHA512 304db6818d0c1e27e58d089473d7973321324e9b4264dd86e45ef2d6cf20863bef792ef507584bab569daa89a6b0815c2f5fd5b8c02d0d4e9aed8a4b48bdbaa6

C:\Users\Admin\AppData\Local\Temp\nsjA268.tmp\privacy.ini

MD5 bdc99c3ef9546974b650e8ca41bfd2a8
SHA1 825c16177248e31bff25878ffcc625837bc7d7f7
SHA256 6f660cdcd8384b3ad37221bb03975bb380ae9a940b4b7aa35a6afbaf7ee35b75
SHA512 fe80252d896309d003df350cac597153f2b82735715eaf305d4db1f90431cb92b7e95434a97c4ed2d01579e6374f05cb5a4be1685ad1d08611bb2b21c111ab89

Analysis: behavioral21

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\i18n.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\i18n.js

Network

N/A

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

130s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\i18n.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\i18n.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\installerVariables.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\installerVariables.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\history.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\history.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2100 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

150s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3764 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3764 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3764 wrote to memory of 2760 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2760 -ip 2760

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\y_toolbar.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\System.dll

MD5 6621d1f4e191c018a0d8abb5c610d1aa
SHA1 c3af35a5df9361e2805bd84d3e3144e0b9c44d5b
SHA256 d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5
SHA512 6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5

C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\welcome.ini

MD5 2e41a0be15c814d374a859f578c5a09b
SHA1 ff7c8b9316a078f1eb34a71b47a11be2f8fb045c
SHA256 f2695bce869d1abcac4d37a6abd17876885f4fcc0682e9d37981455ad2e45e0d
SHA512 de6901187bb929e86abbd508965115bdf02fce6f62867056ee9c4f6cf6aad4092700cf055b5768397ca8142603ae169aa7ad12a6dacbbc0dc09033253a50374f

C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\InstallOptions.dll

MD5 29459d9ee2bce32ed937fb1f965f9d5e
SHA1 8fff45ed45f3af8f8c248eba9a1c02c9c5fc911d
SHA256 ad07968b7d93ef19e10e1deb52e0c912e96dde30c0a49a0239daf176fd4c9ef5
SHA512 d4ef4eadb0f53e7086a1d242bf7f745ad79d83d9ecbfaa283cf0dd499271a804589a575040bb20d5c98e86197cc65ca05ab1a358c556ea82a3e297d0255015a6

C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\welcome.ini

MD5 ab52f1133ee813a32a144496c7c2486d
SHA1 359cbc373f9c3f57b6947af0251c77b233304b4c
SHA256 598f8f9e25abefa80a91f753a8cceca118c058d1b106b5abdca2f7b77e580569
SHA512 7f3cc5ea507d3b4e24ced99a8ac391a5704ee8b1589482e184e1bd717c4995e8259f0957a7213d70bed7927b6d968e6c9a6f519367e9416da02b3c4e84925611

C:\Users\Admin\AppData\Local\Temp\nso7715.tmp\privacy.ini

MD5 c1a915d2ce6ef3bee3e324bf389605b8
SHA1 462df4cf78728f740522eb6161af62260ab16e3a
SHA256 e5f08cfe7ca071b8c4deb6194b323dd3f352a56ad62b59d00ccd6ab303e23a55
SHA512 839f9bf737f989afd78afd48ff671c19b744d43d731203e10f12cb6b706a5d4540eb45f3134c32c93ebc88150e1f829da86ac9179c79f4b24f02c3f984b759b0

Analysis: behavioral15

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\fileio.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\fileio.js

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe N/A

NSIS installer

installer

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1120 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
PID 1120 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
PID 1120 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
PID 1120 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
PID 1120 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
PID 1120 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
PID 1120 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
PID 1120 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
PID 1120 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
PID 1120 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
PID 1120 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
PID 1120 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
PID 1120 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
PID 1120 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe

Processes

C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe

"C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe"

C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe

"C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe" /yallowjp /ytffver=1.4.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 versions.divx.com udp
NL 18.239.15.140:80 versions.divx.com tcp
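The two rows above are the only network activity in this report that comes from the installer itself: a DNS query for versions.divx.com followed by a TCP connection to 18.239.15.140:80 while DivXConnectionTester.exe was running. The in-addr.arpa PTR queries and the bing.com/bing.net traffic listed in the win10 tasks also appear in tasks that only ran wscript.exe on a helper script, and the win7 tasks that ran the same scripts show no network at all, so that traffic is the sandbox image's own background rather than the sample's. The following script, added here as an example (not part of the report or the sandbox's tooling), separates the two and emits the indicators worth recording; the background-suffix allowlist is an assumption that should be baselined against a clean detonation of your own image.

```python
"""Split a sandbox report's network rows into sample-attributable indicators and image noise.

Added example, not part of the report or the sandbox's tooling. Assumes the
"Country Destination Domain Proto" row layout and a hand-written allowlist of
hostnames the Windows 10 image contacts on its own (an assumption: baseline
your own image with a clean detonation and extend the list).
"""
import re

ROW_RE = re.compile(
    r"^(?P<country>[A-Z]{2})\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+"
    r"(?P<domain>\S+)\s+(?P<proto>tcp|udp)$"
)

# Hostname suffixes seen in the win10 tasks that also appear in tasks which only
# ran wscript.exe on a helper script; treated here as background traffic.
BACKGROUND_SUFFIXES = (".bing.com", ".bing.net", ".microsoft.com", ".windowsupdate.com")

# Constructed from rows in the report: six from behavioral28 (wscript.exe options.js,
# win10) and the two from behavioral1 (the installer itself, win7).
SAMPLE_ROWS = [
    "US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp",
    "US 8.8.8.8:53 g.bing.com udp",
    "US 150.171.29.10:443 g.bing.com tcp",
    "US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp",
    "US 8.8.8.8:53 tse1.mm.bing.net udp",
    "US 150.171.27.10:443 tse1.mm.bing.net tcp",
    "US 8.8.8.8:53 versions.divx.com udp",
    "NL 18.239.15.140:80 versions.divx.com tcp",
]


def parse_row(row):
    """Return the row's fields as a dict, or None for headers and other non-row text."""
    m = ROW_RE.match(row.strip())
    return m.groupdict() if m else None


def classify(fields):
    """Bucket one parsed row."""
    domain = fields["domain"].lower()
    if domain.endswith(".in-addr.arpa"):
        # A PTR query for an address the sandbox saw; it is not a connection to it.
        return "ptr-lookup"
    if domain.endswith(BACKGROUND_SUFFIXES):
        return "image-background"
    return "sample-attributable"


def triage(rows):
    """Group every parseable row by bucket, preserving report order."""
    buckets = {"ptr-lookup": [], "image-background": [], "sample-attributable": []}
    for row in rows:
        fields = parse_row(row)
        if fields:
            buckets[classify(fields)].append(fields)
    return buckets


def iocs(rows):
    """Indicators to record from the sample-attributable rows.

    A DNS query (udp/53 to the sandbox resolver) yields only the domain; a real
    connection yields the domain and the remote endpoint.
    """
    out = set()
    for f in triage(rows)["sample-attributable"]:
        out.add(("domain", f["domain"].lower()))
        if not (f["proto"] == "udp" and f["port"] == "53"):
            out.add(("endpoint", f"{f['ip']}:{f['port']}/{f['proto']}"))
    return sorted(out)


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_ROWS).items():
        print(f"{bucket}: {len(rows)} row(s)")
    for kind, value in iocs(SAMPLE_ROWS):
        print(kind, value)
```

The resolver address (8.8.8.8) is deliberately never emitted as an indicator: it belongs to the sandbox, and a rule built on it would match every detonation.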

Files

\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\System.dll

MD5 ed228603bf5d6ba382b59274dba35a0a
SHA1 037d40e0399902b5119d48995dfd2e96bc6de9a4
SHA256 a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37
SHA512 9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\PCloser.dll

MD5 472f68bb5ba2cc581a9dc320c864f84c
SHA1 245c09e194c6b4899314d9c6b041153b33f26ca7
SHA256 f4d0fe1ee43fed2df0fc1156f959b62d8963d63f11afd7cef801c62b617e9a84
SHA512 7fc6c06fdf0e2aeffb0a2effd61839e6b3abe1dda808329bd59e5e72621f6c61bfd8d71f2b1c95f072626e0d2bfe0d8c60425096359f74e846950bc38a5fae9a

memory/1120-25-0x00000000003E0000-0x00000000003F1000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe

MD5 d1b411fc28aa7839bb236febc0950c96
SHA1 58c65d6501c16cb57cc7254d4292e6fd9deba2bb
SHA256 d6088d64ea8d85e6439b0845b7ef1086403b3103f5a5e04e0d32a1f9f965b57b
SHA512 be36614d0d07869bb94f3fe50454970ca7426fd19c6915687fd64a665bc84a015e745c4d7dcda0bf5bf3096820f9bd2a086ae313947bb064206f1a86f8fdf9ee

\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe

MD5 4926b97e0cfc4edbda0ef962624e27a6
SHA1 fdc9e0d5fd03f72dda1ac58cd7e4fb211e47317b
SHA256 12d70ee985fb5a7ea790d88ae3b5df3f5c1f39b54544c91ea715b0bb053dcd51
SHA512 acd29b3aa9e220d7d7f893c5c18b08a7517614b0a6228c0b44ebf31d3cfbf74b76894abb5a4cbbb3db540db3e1972eef8f4ba9b3b78f179ef6d6b18e64c4145d

\Users\Admin\AppData\Local\Temp\nsi511D.tmp\System.dll

MD5 6621d1f4e191c018a0d8abb5c610d1aa
SHA1 c3af35a5df9361e2805bd84d3e3144e0b9c44d5b
SHA256 d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5
SHA512 6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5

\Users\Admin\AppData\Local\Temp\nso513D.tmp\ConnectionTester.dll

MD5 c0d23f9dd2f29b0ab20f2005b29b6a12
SHA1 412b1ff53c9d5d390d344787541450e091ea502b
SHA256 fcbf18736b567fff8839023bb1c3acb11a61ac58cee83e08cd40d333a1e13fe6
SHA512 75986c332c97397dd2ac6905a5ed03cee2b92c187ba2600c4c5eadede3333e166c0e0f3fd9f2a4fe1a36319596d20d93a4371b751c20929cbffed8b54f613744

memory/2764-100-0x0000000001E10000-0x0000000001E29000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\InstallOptions.dll

MD5 9b2bdf058d377da28704af9ca3ef1142
SHA1 0fc0d7fbc4c3a65eec33d9577ed38e545b3cc04b
SHA256 92f34db47c34d6867e6928d4a9cd27747ff642392c0e361f9cab2f5d8c4df300
SHA512 ba0c2a312732832874642f6ca8d3b5aa4274da5cbb3a09d990b442becdf9a1abb98c61c5cbbb55f6a5341d2997388d01f93f69e4946e923a1892c7621775b93f

C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\divx-bundle-updater.ini

MD5 7dd6ce8d313ef7f0673f5072d88650a4
SHA1 c2fcd1bf23addee746862e366e21a9d1f9dcc3c8
SHA256 b91daf80c850ad247207d7cf0a1a480327a3fa5c63d62a554e38e8e6914e63ab
SHA512 8b6b5527a331268821f343f7cdb74612203643af2745b2fd7338645b23ae33e92120320358d09a0d125ab99b98c4bebd48cc556cd77d39244cd407845968e1c2

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1932 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1932 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2248 -ip 2248

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2248 -s 636
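
The "Suspicious use of WriteProcessMemory" rows in this run, like the installer rows at the top of this section, repeat one line per call, which hides the shape of what happened: one rundll32 writing into one child three times, one installer writing into two children it had just dropped. The script below is an added triage example, not output of the sandbox and not part of the original report. It collapses those rows into one record per parent/child pair and attaches the two flags a reviewer wants first: whether parent and child are the same binary (the system32 rundll32 starting its SysWOW64 twin to host a 32-bit DLL, which is how the 64-bit loader handles a 32-bit plugin, rather than a write into an unrelated process) and whether the child's image is a file the sample itself wrote. The row layout, the absence of spaces in the recorded paths, and the drive-less path form used by the Files tables are assumptions taken from this page; the reading of the flags is the editor's, not the report's.

```python
"""Collapse the sandbox's WriteProcessMemory rows into one record per parent/child pair.

Added triage example; not part of the original report. The row layout
('PID A wrote to memory of B <indicator> <source image> <target image>') and the
absence of spaces in the recorded paths are assumptions taken from this page.
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
    r"(?P<indicator>\S+) (?P<src_path>\S+) (?P<dst_path>\S+)$"
)

# Constructed sample: the three rundll32 rows from behavioral6 plus the installer rows at
# the top of this section (one write into DivXConnectionTester.exe, seven into ydetect.exe).
_INSTALLER = r"C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"
_PLUGINS = r"C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp"
SAMPLE_ROWS = "\n".join(
    [r"PID 1932 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe"] * 3
    + [rf"PID 1120 wrote to memory of 2764 N/A {_INSTALLER} {_PLUGINS}\DivXConnectionTester.exe"]
    + [rf"PID 1120 wrote to memory of 2696 N/A {_INSTALLER} {_PLUGINS}\ydetect.exe"] * 7
)

# Constructed subset of the installer run's Files table (the report omits the drive letter there).
DROPPED: Set[str] = {
    r"\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe",
    r"\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe",
}

Edge = Tuple[int, int, str, str]  # (parent pid, child pid, parent image, child image)


def parse_wpm(text: str) -> Counter:
    """Count identical rows; the sandbox emits one row per WriteProcessMemory call."""
    counts: Counter = Counter()
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = WPM_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line!r}")
        counts[(int(m["src"]), int(m["dst"]), m["src_path"], m["dst_path"])] += 1
    return counts


def _no_drive(path: str) -> str:
    """Strip a leading drive letter so paths compare equal to the Files table's form."""
    return path[2:] if re.match(r"^[A-Za-z]:", path) else path


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def summarize(counts: Counter, dropped: Set[str]) -> List[Dict[str, object]]:
    """One record per parent->child pair with the call count and two triage flags."""
    dropped_norm = {_no_drive(p).lower() for p in dropped}
    records: List[Dict[str, object]] = []
    for (src, dst, src_path, dst_path), n in sorted(counts.items()):
        records.append({
            "parent": src,
            "child": dst,
            "calls": n,
            "child_image": dst_path,
            # Parent and child are the same binary (system32 vs SysWOW64 rundll32): the
            # 64-bit host re-launching its 32-bit twin for a 32-bit DLL, not a foreign
            # injection target (interpretation, not something the report states).
            "same_image_relaunch": _basename(src_path) == _basename(dst_path),
            # Child image is a file the sample itself wrote: the edge to follow for staging.
            "child_is_dropped_file": _no_drive(dst_path).lower() in dropped_norm,
        })
    return records


def triage(text: str = SAMPLE_ROWS, dropped: Set[str] = DROPPED) -> List[Dict[str, object]]:
    return summarize(parse_wpm(text), dropped)


if __name__ == "__main__":
    for rec in triage():
        print(rec)
```

A parent writing into a child it has just created with the same command line is consistent with ordinary process start-up (the parent populates the new process's parameter block), so the call count on its own is not injection evidence; the rows worth following are those whose child image is a dropped file, which in the installer runs lead to DivXConnectionTester.exe and ydetect.exe and from there to the versions.divx.com traffic. The Program crash signature in the rundll32 runs is likewise the expected outcome of calling an NSIS plugin export outside the NSIS host: the plugin reads the installer's variable block and stack from its arguments, which rundll32 does not supply, so WerFault is reporting a bad call, not an exploit.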

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 192.98.74.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

121s

Max time network

121s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\installerVariables.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\installerVariables.js

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

151s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\network.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\network.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

N/A

Analysis: behavioral29

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20241010-en

Max time kernel

12s

Max time network

19s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\setHomepage.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\setHomepage.js

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1616 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1616 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1616 wrote to memory of 1428 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 1428 -ip 1428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 648

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

156s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\dialog.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\dialog.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 98.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 8.8.8.8:53 252.15.104.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\feedFunctions.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\feedFunctions.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral25

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

117s

Max time network

118s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\network.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\network.js

Network

N/A

Files

N/A

Analysis: behavioral30

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

139s

Max time network

124s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\setHomepage.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\setHomepage.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.30.10:443 g.bing.com tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 10.30.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 138.201.86.20.in-addr.arpa udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral31

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20241010-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\toolbarBuilder.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\toolbarBuilder.js

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

120s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1

Signatures

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2304 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2304 wrote to memory of 1236 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ConnectionTester.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240708-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2280 -s 244

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\662d135b8fd1bce690264eec52cc5ea5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe

"C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe"

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe

"C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe" /yallowjp /ytffver=1.4.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 versions.divx.com udp
NL 18.239.15.179:80 versions.divx.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 179.15.239.18.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
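
Most rows in this table are not the sample's doing: the *.in-addr.arpa entries are reverse lookups, and the bing.com/bing.net traffic appears in every Windows 10 run on this page, including the wscript runs that did nothing else. The script below is an added triage example, not output of the sandbox and not part of the original report. It parses rows in this table's column order, folds each reverse lookup back into the IP address it names so a PTR for an address the sample contacted can be told apart from one for an unrelated host, and leaves only the connections the sample accounts for. The background-host list and the reading of the PTR rows as sandbox-side resolution of the sample's peers are assumptions, not facts the report states.

```python
"""Separate sample-attributable connections from sandbox background noise.

Added triage example; not part of the original report. Assumptions: the Network
tables use the fixed column order 'Country Destination Domain Proto', Destination
is always ip:port, and *.bing.com / *.bing.net traffic is background activity of
the sandbox's Windows 10 image (it appears in every win10 run on this page,
including the bare wscript runs that did nothing else).
"""
import re
from typing import Dict, List, Set, Tuple

BACKGROUND_SUFFIXES = (".bing.com", ".bing.net")
DEST_RE = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")

# Constructed sample: a subset of the behavioral2 Network table above, including the
# kind of row whose Domain cell is empty.
SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 versions.divx.com udp
NL 18.239.15.179:80 versions.divx.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 179.15.239.18.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp
"""

Row = Tuple[str, str, int, str, str]  # country, ip, port, domain, proto


def parse_rows(text: str) -> List[Row]:
    rows: List[Row] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:  # empty Domain cell
            country, dest, proto = parts
            domain = ""
        else:
            continue
        m = DEST_RE.match(dest)
        if m is None:  # header line or malformed row
            continue
        rows.append((country, m["ip"], int(m["port"]), domain, proto))
    return rows


def ptr_to_ip(name: str) -> str:
    """'179.15.239.18.in-addr.arpa' -> '18.239.15.179'; '' if not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return ""
    octets = name[: -len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else ""


def attribute(rows: List[Row]) -> Dict[str, object]:
    """Bucket rows: contacts the sample explains, background hosts, and reverse lookups.

    A PTR query whose target IP was itself contacted (on a port other than 53) is
    recorded separately: read here as the sandbox resolving the sample's peers,
    not as a new peer (interpretation).
    """
    contacted = {ip for _, ip, port, _, _ in rows if port != 53}
    attributable: Dict[str, Set[Tuple[str, int, str, str]]] = {}
    background: Set[str] = set()
    ptr_of_contacted: Set[str] = set()
    ptr_other: Set[str] = set()
    unlabelled = 0
    for country, ip, port, domain, proto in rows:
        if not domain:
            unlabelled += 1
        elif domain.endswith(".in-addr.arpa"):
            target = ptr_to_ip(domain)
            (ptr_of_contacted if target in contacted else ptr_other).add(target)
        elif domain.endswith(BACKGROUND_SUFFIXES):
            background.add(domain)
        else:
            attributable.setdefault(domain, set()).add((ip, port, proto, country))
    return {
        "attributable": attributable,
        "background": background,
        "ptr_of_contacted": ptr_of_contacted,
        "ptr_other": ptr_other,
        "unlabelled": unlabelled,
    }


if __name__ == "__main__":
    for bucket, value in attribute(parse_rows(SAMPLE)).items():
        print(bucket, value)
```

Run over the full table the result is the same single indicator, versions.divx.com, with one DNS query and one HTTP connection to 18.239.15.179:80 (the earlier installer run reached 18.239.15.140:80, a second address in the same range, which is what one expects of a CDN-fronted host); a row whose Domain cell is empty is counted, not guessed at.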

Files

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\System.dll

MD5 ed228603bf5d6ba382b59274dba35a0a
SHA1 037d40e0399902b5119d48995dfd2e96bc6de9a4
SHA256 a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37
SHA512 9dabf495eaeb979235b7626c0619bb8eaab61c158e66799b1afdb1500952c789b7ea645a358c8961876e06a9ec168159ef405b6238ec692f1f89fc1ccb1e9ae9

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\PCloser.dll

MD5 472f68bb5ba2cc581a9dc320c864f84c
SHA1 245c09e194c6b4899314d9c6b041153b33f26ca7
SHA256 f4d0fe1ee43fed2df0fc1156f959b62d8963d63f11afd7cef801c62b617e9a84
SHA512 7fc6c06fdf0e2aeffb0a2effd61839e6b3abe1dda808329bd59e5e72621f6c61bfd8d71f2b1c95f072626e0d2bfe0d8c60425096359f74e846950bc38a5fae9a

memory/4228-26-0x00000000023B0000-0x00000000023C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe

MD5 d1b411fc28aa7839bb236febc0950c96
SHA1 58c65d6501c16cb57cc7254d4292e6fd9deba2bb
SHA256 d6088d64ea8d85e6439b0845b7ef1086403b3103f5a5e04e0d32a1f9f965b57b
SHA512 be36614d0d07869bb94f3fe50454970ca7426fd19c6915687fd64a665bc84a015e745c4d7dcda0bf5bf3096820f9bd2a086ae313947bb064206f1a86f8fdf9ee

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe

MD5 4926b97e0cfc4edbda0ef962624e27a6
SHA1 fdc9e0d5fd03f72dda1ac58cd7e4fb211e47317b
SHA256 12d70ee985fb5a7ea790d88ae3b5df3f5c1f39b54544c91ea715b0bb053dcd51
SHA512 acd29b3aa9e220d7d7f893c5c18b08a7517614b0a6228c0b44ebf31d3cfbf74b76894abb5a4cbbb3db540db3e1972eef8f4ba9b3b78f179ef6d6b18e64c4145d

C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\ConnectionTester.dll

MD5 c0d23f9dd2f29b0ab20f2005b29b6a12
SHA1 412b1ff53c9d5d390d344787541450e091ea502b
SHA256 fcbf18736b567fff8839023bb1c3acb11a61ac58cee83e08cd40d333a1e13fe6
SHA512 75986c332c97397dd2ac6905a5ed03cee2b92c187ba2600c4c5eadede3333e166c0e0f3fd9f2a4fe1a36319596d20d93a4371b751c20929cbffed8b54f613744

memory/4704-51-0x00000000026B0000-0x00000000026C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsu851F.tmp\System.dll

MD5 6621d1f4e191c018a0d8abb5c610d1aa
SHA1 c3af35a5df9361e2805bd84d3e3144e0b9c44d5b
SHA256 d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5
SHA512 6029146fc1f193214aa0fd81d7ca724e741fd79c55e42976cb69d37464e55d1258fa866fcfadc0182f3726de018381c660622d78617cd726472163e847a3f3a5

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\divx-bundle-updater.ini

MD5 914aac8e4fbdd0d5b5ec73f20177ebc1
SHA1 5a4113d646b81cd31d5b35dc8266c01a64024184
SHA256 c9d8b1082ed930cff4e2157b8ec75cb434a871ddbdb9364cb470c276991f4ff3
SHA512 66ec3a0ac9f98cffbad65dbac087253d5096cfd917d0f636ef0be8d4ff0d3562c034dbe781f93eb4560100f9f4f8b99e3c2b35e0cc9678c54a9ac5dadded6e3a

C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\InstallOptions.dll

MD5 9b2bdf058d377da28704af9ca3ef1142
SHA1 0fc0d7fbc4c3a65eec33d9577ed38e545b3cc04b
SHA256 92f34db47c34d6867e6928d4a9cd27747ff642392c0e361f9cab2f5d8c4df300
SHA512 ba0c2a312732832874642f6ca8d3b5aa4274da5cbb3a09d990b442becdf9a1abb98c61c5cbbb55f6a5341d2997388d01f93f69e4946e923a1892c7621775b93f
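
The two installer detonations on this page (the nsi4EFC.tmp run earlier and this nst8261.tmp run) drop the same set of files under differently named NSIS temp folders, so the paths cannot be compared directly and the digests have to be. The script below is an added example, not part of the report or of the sandbox's output: it parses Files tables in the layout used here, rewrites the per-run ns????.tmp folder to $PLUGINSDIR, and sorts every dropped file into stable (identical digest in both runs), changed, or present in one run only. That ns<letter><4 hex>.tmp folders are NSIS extraction directories and that memory/... entries carry no hashes are assumptions taken from this page.

```python
"""Compare the dropped-file tables of two detonations by hash, ignoring NSIS temp names.

Added triage example; not part of the original report. Assumptions: a Files entry is a
path line followed by 'ALGO hexdigest' lines, 'memory/...' entries carry no hashes,
and folders named ns<letter><4 hex>.tmp are NSIS $PLUGINSDIR extraction directories
whose names change on every run.
"""
import re
from typing import Dict, Set

NSIS_TMP = re.compile(r"\\ns[a-z][0-9a-f]{4}\.tmp\\", re.IGNORECASE)
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$", re.IGNORECASE)

# Constructed samples: SHA256 lines only, copied from the two installer runs on this page
# (the report also lists MD5/SHA1/SHA512, omitted here for brevity).
RUN_A = r"""
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\System.dll
SHA256 a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\PCloser.dll
SHA256 f4d0fe1ee43fed2df0fc1156f959b62d8963d63f11afd7cef801c62b617e9a84
memory/1120-25-0x00000000003E0000-0x00000000003F1000-memory.dmp
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\DivXConnectionTester.exe
SHA256 d6088d64ea8d85e6439b0845b7ef1086403b3103f5a5e04e0d32a1f9f965b57b
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\ydetect.exe
SHA256 12d70ee985fb5a7ea790d88ae3b5df3f5c1f39b54544c91ea715b0bb053dcd51
\Users\Admin\AppData\Local\Temp\nsi511D.tmp\System.dll
SHA256 d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5
\Users\Admin\AppData\Local\Temp\nso513D.tmp\ConnectionTester.dll
SHA256 fcbf18736b567fff8839023bb1c3acb11a61ac58cee83e08cd40d333a1e13fe6
\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\InstallOptions.dll
SHA256 92f34db47c34d6867e6928d4a9cd27747ff642392c0e361f9cab2f5d8c4df300
C:\Users\Admin\AppData\Local\Temp\nsi4EFC.tmp\divx-bundle-updater.ini
SHA256 b91daf80c850ad247207d7cf0a1a480327a3fa5c63d62a554e38e8e6914e63ab
"""
RUN_B = r"""
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\System.dll
SHA256 a1bada98dffbe23a96af2ce3f4df7d7927cec6ea0a1d2d1f77862fb117a74f37
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\PCloser.dll
SHA256 f4d0fe1ee43fed2df0fc1156f959b62d8963d63f11afd7cef801c62b617e9a84
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\DivXConnectionTester.exe
SHA256 d6088d64ea8d85e6439b0845b7ef1086403b3103f5a5e04e0d32a1f9f965b57b
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\ydetect.exe
SHA256 12d70ee985fb5a7ea790d88ae3b5df3f5c1f39b54544c91ea715b0bb053dcd51
C:\Users\Admin\AppData\Local\Temp\nse850F.tmp\ConnectionTester.dll
SHA256 fcbf18736b567fff8839023bb1c3acb11a61ac58cee83e08cd40d333a1e13fe6
C:\Users\Admin\AppData\Local\Temp\nsu851F.tmp\System.dll
SHA256 d8d38c8983c4e29b13c93295876bf3726023fafd05985f354e09b806993f78c5
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\divx-bundle-updater.ini
SHA256 c9d8b1082ed930cff4e2157b8ec75cb434a871ddbdb9364cb470c276991f4ff3
C:\Users\Admin\AppData\Local\Temp\nst8261.tmp\InstallOptions.dll
SHA256 92f34db47c34d6867e6928d4a9cd27747ff642392c0e361f9cab2f5d8c4df300
"""


def normalize(path: str) -> str:
    """Drop the drive letter and replace the per-run NSIS temp folder with $PLUGINSDIR."""
    if re.match(r"^[A-Za-z]:", path):
        path = path[2:]
    return NSIS_TMP.sub(r"\\$PLUGINSDIR\\", path)


def parse_files(text: str, algo: str = "SHA256") -> Dict[str, Set[str]]:
    """Map normalised path -> set of digests (a name can recur under different temp dirs)."""
    files: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m:
            if current is not None and m.group(1).upper() == algo:
                files[current].add(m.group(2).lower())
        elif line.startswith("memory/"):
            current = None  # memory dump entry, no hashes follow
        else:
            current = normalize(line)
            files.setdefault(current, set())
    return files


def compare_runs(a_text: str, b_text: str) -> Dict[str, object]:
    a, b = parse_files(a_text), parse_files(b_text)
    both = set(a) & set(b)
    return {
        "stable": {p: a[p] for p in both if a[p] == b[p]},           # reusable hash indicators
        "changed": {p: (a[p], b[p]) for p in both if a[p] != b[p]},  # run-specific content
        "only_a": set(a) - set(b),
        "only_b": set(b) - set(a),
    }


if __name__ == "__main__":
    for bucket, value in compare_runs(RUN_A, RUN_B).items():
        print(bucket, value)
```

Result: six names (seven digests, because System.dll is extracted under two different folders with two distinct hashes) are identical across the runs and can be pinned as file indicators; divx-bundle-updater.ini is the one artifact that differs, so its hash is run-specific and should not be. Two System.dll copies under two folders are consistent with a nested NSIS installer extracting its own plugin set, and the report does not show the .ini contents, so why it differs is not established here.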

Analysis: behavioral16

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win10v2004-20241007-en

Max time kernel

140s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\fileio.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\fileio.js

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral17

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240708-en

Max time kernel

122s

Max time network

123s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\globals.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\globals.js

Network

N/A

Files

N/A

Analysis: behavioral19

Detonation Overview

Submitted

2024-10-21 08:42

Reported

2024-10-21 08:45

Platform

win7-20240903-en

Max time kernel

121s

Max time network

122s

Command Line

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\history.js

Signatures

Command and Scripting Interpreter: JavaScript

execution

Processes

C:\Windows\system32\wscript.exe

wscript.exe C:\Users\Admin\AppData\Local\Temp\content\ytoolbar\history.js

Network

N/A

Files

N/A