Malware Analysis Report

2025-01-18 21:28

Sample ID 240321-s9rbysge3t
Target dc02961c3109e7369f377da2913ba80d
SHA256 bd2c84eb297ff45149c18bcee3a8c57ed663176d4a79c1440b9ef9cc1af310b0
Tags: adware discovery stealer
Score: 7/10

Analysis Overview

Score: 7/10

SHA256: bd2c84eb297ff45149c18bcee3a8c57ed663176d4a79c1440b9ef9cc1af310b0

Threat Level: Shows suspicious behavior

The file dc02961c3109e7369f377da2913ba80d was found to show suspicious behavior.

Malicious Activity Summary

adware discovery stealer

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in System32 directory

Enumerates physical storage devices

Program crash

Unsigned PE

NSIS installer

Modifies Internet Explorer settings

Modifies Internet Explorer Protected Mode Banner

Modifies Internet Explorer Protected Mode

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-21 15:49

Signatures

Unsigned PE


NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7ac812c6-b714-e717-7e5e-77de319fc517} C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{7ac812c6-b714-e717-7e5e-77de319fc517}\NoExplorer = "\"\"" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\nst8F38.tmp C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
File created C:\Windows\SysWOW64\nst8F38.dll C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
File created C:\Windows\SysWOW64\9d435dea-7c79-4c80-f8fa-68f67a5077f5.exe C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517} C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\ = "adtimes" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\InProcServer32\ = "C:\\Windows\\SysWow64\\nst8F38.dll" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7ac812c6-b714-e717-7e5e-77de319fc517}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe

"C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 adtimes.info udp
US 3.33.130.190:80 adtimes.info tcp

Files

\Users\Admin\AppData\Local\Temp\nsj8AB5.tmp\System.dll

MD5 7e3c808299aa2c405dffa864471ddb7f
SHA1 b5de7804dd35ed7afd0c3b59d866f1a0749495e0
SHA256 91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd
SHA512 599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738

memory/2200-9-0x00000000004A0000-0x00000000004BA000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj8AB5.tmp\Math.dll

MD5 8835b67f15d96144f3184e684fa76b43
SHA1 365e34a34eb8c123d765b7deefd3ebb90fe0fe4b
SHA256 df1e70965e0aab1b464e623ccaee5457e66dc2e955733658c8fc337a893aa51c
SHA512 3a7f89af391708c56d1d117e24f2f9f1c5e3db27716665fcfed66aea64d2a72ac293cb3b8d09482438b06f5e1f97338fd700d0ccef036814047b0842ad8b9c13

\Windows\SysWOW64\nst8F38.dll

MD5 104be7b21b09b5863ea03eb7c6c1298a
SHA1 f87600bca12beef0396f19650f34587c2c80cdee
SHA256 afe8c52bf5d96ad9b890477e1608e2f56f332a4e7bae449f68f6d47e4592b54b
SHA512 339beaba14c9ee8b7277eba97d1d1af1ebb50bf59be4c3dc0f0aa02655c2ea0661738007b4c21642fb76b8c61edf6599208d4cc53b15b6a21eec6656f55eb5a1

memory/2200-169-0x0000000002F60000-0x0000000003098000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsj8AB5.tmp\NSISdl.dll

MD5 f0e51d5722c11a4fe40c97b746c1ffc5
SHA1 8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193
SHA256 93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d
SHA512 212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Analysis: behavioral3

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2880 -s 224

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win10v2004-20240226-en
Max time kernel: 135s
Max time network: 153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4344 wrote to memory of 3456 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Math.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3456 -ip 3456

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3456 -s 600

Network


Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win7-20240220-en
Max time kernel: 122s
Max time network: 124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1780 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win10v2004-20240226-en
Max time kernel: 138s
Max time network: 126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 1900 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\NSISdl.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 1900 -ip 1900

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1900 -s 624

Network


Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win7-20240319-en
Max time kernel: 118s
Max time network: 121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R1.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3f0e742a-6622-09bd-96bc-5a736e41c9c4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\NoExplorer = "\"\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\ = "adtimes" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R1.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3f0e742a-6622-09bd-96bc-5a736e41c9c4}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2884 wrote to memory of 2948 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R1.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$R1.dll

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win10v2004-20231215-en
Max time kernel: 90s
Max time network: 131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c007115d-6e57-7da4-c234-60c105b1f7de} C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c007115d-6e57-7da4-c234-60c105b1f7de}\NoExplorer = "\"\"" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\nsa544D.tmp C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
File created C:\Windows\SysWOW64\nsa544D.dll C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
File created C:\Windows\SysWOW64\e0e137dc-3eba-dae0-f1c9-1a25147bcbbc.exe C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer Protected Mode

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\2500 = "3" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Modifies Internet Explorer Protected Mode Banner

Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Internet Explorer\Main\NoProtectedModeBanner = "1" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de} C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de}\ = "adtimes" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de}\InProcServer32\ = "C:\\Windows\\SysWow64\\nsa544D.dll" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{c007115d-6e57-7da4-c234-60c105b1f7de}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe

"C:\Users\Admin\AppData\Local\Temp\dc02961c3109e7369f377da2913ba80d.exe"

Network


Files

C:\Users\Admin\AppData\Local\Temp\nsf5390.tmp\System.dll

MD5 7e3c808299aa2c405dffa864471ddb7f
SHA1 b5de7804dd35ed7afd0c3b59d866f1a0749495e0
SHA256 91c47a9a54a3a8c359e89a8b4e133e6b7296586748ed3e8f4fe566abd6c81ddd
SHA512 599f61d5270227a68e5c4b8db41b5aa7bc17a4bbe91dd7336b410516fa6107f4f5bf0bbb3f6cc4b2e15b16bf9495fdc70832bab6262046cb136ad18f0c9b3738

C:\Users\Admin\AppData\Local\Temp\nsf5390.tmp\Math.dll

MD5 8835b67f15d96144f3184e684fa76b43
SHA1 365e34a34eb8c123d765b7deefd3ebb90fe0fe4b
SHA256 df1e70965e0aab1b464e623ccaee5457e66dc2e955733658c8fc337a893aa51c
SHA512 3a7f89af391708c56d1d117e24f2f9f1c5e3db27716665fcfed66aea64d2a72ac293cb3b8d09482438b06f5e1f97338fd700d0ccef036814047b0842ad8b9c13

memory/5028-10-0x0000000003040000-0x000000000305A000-memory.dmp

C:\Windows\SysWOW64\nsa544D.dll

MD5 104be7b21b09b5863ea03eb7c6c1298a
SHA1 f87600bca12beef0396f19650f34587c2c80cdee
SHA256 afe8c52bf5d96ad9b890477e1608e2f56f332a4e7bae449f68f6d47e4592b54b
SHA512 339beaba14c9ee8b7277eba97d1d1af1ebb50bf59be4c3dc0f0aa02655c2ea0661738007b4c21642fb76b8c61edf6599208d4cc53b15b6a21eec6656f55eb5a1

memory/5028-173-0x00000000031A0000-0x00000000032D8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsf5390.tmp\NSISdl.dll

MD5 f0e51d5722c11a4fe40c97b746c1ffc5
SHA1 8ec31853e9ef08fdc2a8c3c8eaa5f5b9469af193
SHA256 93a27f96055ae6b7f44916e13487b0efa7cd6d762e6768f7cb6427e32bda777d
SHA512 212c1ed753b54e5eccf7e1421bcca86955e09d6e3873f891d3d7076e21f79feb5f1dba350818804a215980875c306283b02f628fbc191d958f0de0f528c7194a

Analysis: behavioral7

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win7-20240221-en
Max time kernel: 122s
Max time network: 140s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2508 -s 228

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4812 wrote to memory of 820 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 820 -ip 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 820 -s 612

Network


Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted: 2024-03-21 15:49
Reported: 2024-03-21 15:52
Platform: win10v2004-20240226-en
Max time kernel: 150s
Max time network: 155s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R1.dll

Signatures

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\NoExplorer = "\"\"" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\ = "adtimes" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\$R1.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{e2bbf3f5-c6c0-6876-ffd6-4732c5250dbf}\InProcServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 312 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R1.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$R1.dll

Network


Files

N/A