Analysis Overview
SHA256
30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2f
Threat Level: Likely malicious
The file 30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN was found to be: Likely malicious.
Malicious Activity Summary
Blocklisted process makes network request
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in Program Files directory
Unsigned PE
Command and Scripting Interpreter: JavaScript
Program crash
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Script User-Agent
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 12:57
Signatures
Unsigned PE
Analysis: behavioral11
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 224
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
112s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerFront.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
117s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ConduitFloatingPlugin_ojpijjmpahflnipadmlpgbjmagmjchkk = "\"C:\\Windows\\SysWOW64\\Rundll32.exe\" \"C:\\Program Files (x86)\\Conduit\\CT2504091\\plugins\\TBVerifier.dll\",RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 632 wrote to memory of 1876 | N/A | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe
"C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll" RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk,632
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | setupapi.toolbar.conduit-services.com | udp |
| NL | 195.78.120.169:80 | setupapi.toolbar.conduit-services.com | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| NL | 195.78.120.169:80 | setupapi.toolbar.conduit-services.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| NL | 195.78.120.169:80 | setupapi.toolbar.conduit-services.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | downloads.conduit-services.com | udp |
| US | 50.16.131.148:80 | downloads.conduit-services.com | tcp |
| US | 8.8.8.8:53 | 148.131.16.50.in-addr.arpa | udp |
| US | 8.8.8.8:53 | usage.toolbar.conduit-services.com | udp |
| NL | 195.78.120.83:80 | usage.toolbar.conduit-services.com | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | storage.webapp.conduit-services.com | udp |
| GB | 172.217.16.238:80 | storage.webapp.conduit-services.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\System.dll
| MD5 | 959ea64598b9a3e494c00e8fa793be7e |
| SHA1 | 40f284a3b92c2f04b1038def79579d4b3d066ee0 |
| SHA256 | 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b |
| SHA512 | 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64 |
C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsUtils_2_1_1_0.dll
| MD5 | 08f7510b9718fd68f95f04f334d5027d |
| SHA1 | 0251a69a7c456e4a524e4aca4d21c001ab3b0b88 |
| SHA256 | f168f9d34ebbdb2060221e5140d6fd9861c76ee28e781bc01ad58d71b91ed23d |
| SHA512 | 336e9eab198d6421eae72ec8b2761bea386d7616447701cede3a82c43e2ce9c2039a5a39d6026aa35ecb78ba77b5850294a49996f760c94f8a05692e8e03363b |
C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsJSON_2_0_1_0.dll
| MD5 | 51eff3c4a3bd1c2a5726c81d5d02c695 |
| SHA1 | 4ea472a3b3ffd2bd5288ac43747d0ffd6b6e5f68 |
| SHA256 | 83c44cfcc5c0fe4987453e6306c55e2f2e62bb2be2297acae92f047ab8ad9e47 |
| SHA512 | 83b929607d9aa70a5a52976ed961cc047f09505f733a50ebc04fe925911dc0495c0f4b89a6a1bdc01e274d45a444ea7413db57305a653cefeb0ce21712f00ba2 |
C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsDialogs.dll
| MD5 | f7b92b78f1a00a872c8a38f40afa7d65 |
| SHA1 | 872522498f69ad49270190c74cf3af28862057f2 |
| SHA256 | 2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e |
| SHA512 | 3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79 |
C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsZip_1_0_2_0.dll
| MD5 | 830121b8ef1771452e856c9e12c2c7bf |
| SHA1 | 19f0ee257d2c86ae18d6f064c0e8bc235b3532b9 |
| SHA256 | 96b669fba768b7df76a7ff70b3c587e93fb3a8efbd67cca0e90c3ee6b56158b0 |
| SHA512 | 192690e515b8d771d62db491ce4a1706d3639cd364a57a8c5db1fc39f8561468d397d7744574bb3deacd16095dc0d29bfa1f7c46a341d987243bba85b7e3b68b |
C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsZip_1_0_1_0.dll
| MD5 | e50d4a26d1754e3ecefc9a494cd8de4e |
| SHA1 | 45f61393259d1f982ce092a85b1031de4537a496 |
| SHA256 | bfaa50c23bba0e47893b0ace5dc937287d92519180cdc1435ffa8f67746cea32 |
| SHA512 | febd86cca9c872bfbc89ae6f62a107731c1fbe1060ef2e4c048f648b89ab872b87b15521b9e044bddcf86c704e21467511321a3fa72363ff20d013f26d76629f |
C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll
| MD5 | fac18a5173ac0c425348086f307c8fec |
| SHA1 | 322d36a63709838e21905b9e1e5bcb9c7fad3a1d |
| SHA256 | b6dc15bb1686c13b1397b36ce2ba8c33155b139a7b464f0a9650c8c1aa3485a0 |
| SHA512 | f5cc2f6ec62d1a1deef56df2f2ce400ad741ce8474ac40ab275a712cdc658300ca366b63b962173aba98de58522efa97dd6ac50cb702f21a56530a83b7707353 |
C:\Users\Admin\AppData\Local\Temp\CT2504091.crx
| MD5 | be8e96e2f3717f17614745e0784a02cc |
| SHA1 | 8299fdb858020dbac9bb12bab7e04ac71b91b634 |
| SHA256 | 27ff2ebc4c88552d4ea9c44adb079815405b02c6c0cedb81ec444ec9d155883a |
| SHA512 | cddac5799c874338736b2ec94b100d215e30ea4499c582ca958d6ec0b7f6bd37533b521106bf11ac3add8a9199435f618fe92ceab4bf88b793325694df4c5a3a |
C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\nsCRandom_1_0_1_1.dll
| MD5 | 077a42a89875b2271731ce9afcfec5cd |
| SHA1 | 65c034b85516a5e7d55a94ce283851aee1fc37fe |
| SHA256 | 5efd476cb861695bfbd04ccdbb952655d40a393a30d8490e474a48c3937c62f4 |
| SHA512 | 18849c08991376658ce0206bc33baf7fb9eb8cd4c37e3c0da96cf64c7352896f0796fab5bc9ca92aaa1c5e383b5e19f3518a644ad42e2304a8ea6b5758edbf18 |
C:\Users\Admin\AppData\Local\Temp\nsp84BE.tmp
| MD5 | 4a55556bb333f20a28eb7d183a8e283f |
| SHA1 | ca7dfbf7a1e052ef7f84a43f1ad81d4e30df9147 |
| SHA256 | 3258c5c9c9131f528f051232769a07ab49caac5d3d54a10ddfb318879e3b44e2 |
| SHA512 | 640e34e189d54c34750b29f1d8c61754986c7ed1d33ea336be18f6d73311fcc7900107d5899b94ad7f1b50c5b1a603f963f163be7cf3f305178ccede8ebd7c00 |
C:\Users\Admin\AppData\Local\Temp\nst7512.tmp\Omnibox_2_0_1_1.dll
| MD5 | 6b75c874dc2d6408b4d0ba0aa5c1b11f |
| SHA1 | a0dabf72db0cda023756b196da489cbbc49a7a9b |
| SHA256 | d3d474a2c4982b55028f8d24395a8a463b95cb29777d34c3dca660b2441d1cd4 |
| SHA512 | d24e32ee0f25d033b691971c7c9553ae5e8b694d01bebeb7cf153d4e6f9f90e4c48fe9b69c5c93120ec716835960978c343f789e72e327b1ba671edfe6ea400c |
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2460 -s 220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
108s
Max time network
110s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1936 wrote to memory of 2432 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Omnibox_2_0_1_1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2432 -ip 2432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2432 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
14s
Max time network
17s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1284 -s 224
Network
Files
Analysis: behavioral18
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
98s
Max time network
98s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4996 wrote to memory of 4784 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4784 -ip 4784
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4784 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral27
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20241023-en
Max time kernel
15s
Max time network
16s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Bookmarks.js
Network
Files
Analysis: behavioral29
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
75s
Max time network
18s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\DeveloperMode.js
Network
Files
Analysis: behavioral32
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
110s
Max time network
113s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\EmbeddedConfig.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
21s
Max time network
16s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2096 -s 220
Network
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20241010-en
Max time kernel
73s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2044 -s 224
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
108s
Max time network
111s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Applications.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
109s
Max time network
111s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1724 wrote to memory of 1080 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1080 -ip 1080
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
103s
Max time network
111s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3480 wrote to memory of 2480 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2480 -ip 2480
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20241010-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 248
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
101s
Max time network
103s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3460 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3320 -ip 3320
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3320 -s 636
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
75s
Max time network
16s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_1_0.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1764 -s 220
Network
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
100s
Max time network
101s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerBack.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral30
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
104s
Max time network
106s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\DeveloperMode.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
119s
Max time network
16s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerFront.js
Network
Files
Analysis: behavioral25
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Applications.js
Network
Files
Analysis: behavioral31
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20241010-en
Max time kernel
13s
Max time network
20s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\EmbeddedConfig.js
Network
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2800 -s 220
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
107s
Max time network
110s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4808 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4808 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4808 wrote to memory of 804 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsJSON_2_0_1_0.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 804 -ip 804
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 804 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
107s
Max time network
111s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4180 wrote to memory of 4136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4180 wrote to memory of 4136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4180 wrote to memory of 4136 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsUtils_2_1_1_0.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4136 -ip 4136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4136 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ConduitAbstractionLayerBack.js
Network
Files
Analysis: behavioral28
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
109s
Max time network
113s
Command Line
Signatures
Command and Scripting Interpreter: JavaScript
Processes
C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\Search\NewTabPages\API\Bookmarks.js
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20241010-en
Max time kernel
119s
Max time network
116s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\ConduitFloatingPlugin_ojpijjmpahflnipadmlpgbjmagmjchkk = "\"C:\\Windows\\SysWOW64\\Rundll32.exe\" \"C:\\Program Files (x86)\\Conduit\\CT2504091\\plugins\\TBVerifier.dll\",RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe
"C:\Users\Admin\AppData\Local\Temp\30c2f5d2ba5aab173d5e6efcf37cb2170f51ea7966333b55b3cc07310ca8dd2fN.exe"
C:\Windows\SysWOW64\rundll32.exe
rundll32 "C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll" RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk,2360
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | setupapi.toolbar.conduit-services.com | udp |
| NL | 195.78.120.169:80 | setupapi.toolbar.conduit-services.com | tcp |
| NL | 195.78.120.169:80 | setupapi.toolbar.conduit-services.com | tcp |
| NL | 195.78.120.169:80 | setupapi.toolbar.conduit-services.com | tcp |
| US | 8.8.8.8:53 | downloads.conduit-services.com | udp |
| US | 34.226.241.138:80 | downloads.conduit-services.com | tcp |
| US | 8.8.8.8:53 | usage.toolbar.conduit-services.com | udp |
| NL | 195.78.120.83:80 | usage.toolbar.conduit-services.com | tcp |
| NL | 195.78.120.83:80 | usage.toolbar.conduit-services.com | tcp |
| US | 8.8.8.8:53 | storage.webapp.conduit-services.com | udp |
| GB | 172.217.16.238:80 | storage.webapp.conduit-services.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\nsjD422.tmp\System.dll
| MD5 | 959ea64598b9a3e494c00e8fa793be7e |
| SHA1 | 40f284a3b92c2f04b1038def79579d4b3d066ee0 |
| SHA256 | 03cd57ab00236c753e7ddeee8ee1c10839ace7c426769982365531042e1f6f8b |
| SHA512 | 5e765e090f712beffce40c5264674f430b08719940d66e3a4d4a516fd4ade859f7853f614d9d6bbb602780de54e11110d66dbb0f9ca20ef6096ede531f9f6d64 |
\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsUtils_2_1_1_0.dll
| MD5 | 08f7510b9718fd68f95f04f334d5027d |
| SHA1 | 0251a69a7c456e4a524e4aca4d21c001ab3b0b88 |
| SHA256 | f168f9d34ebbdb2060221e5140d6fd9861c76ee28e781bc01ad58d71b91ed23d |
| SHA512 | 336e9eab198d6421eae72ec8b2761bea386d7616447701cede3a82c43e2ce9c2039a5a39d6026aa35ecb78ba77b5850294a49996f760c94f8a05692e8e03363b |
\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsJSON_2_0_1_0.dll
| MD5 | 51eff3c4a3bd1c2a5726c81d5d02c695 |
| SHA1 | 4ea472a3b3ffd2bd5288ac43747d0ffd6b6e5f68 |
| SHA256 | 83c44cfcc5c0fe4987453e6306c55e2f2e62bb2be2297acae92f047ab8ad9e47 |
| SHA512 | 83b929607d9aa70a5a52976ed961cc047f09505f733a50ebc04fe925911dc0495c0f4b89a6a1bdc01e274d45a444ea7413db57305a653cefeb0ce21712f00ba2 |
\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsDialogs.dll
| MD5 | f7b92b78f1a00a872c8a38f40afa7d65 |
| SHA1 | 872522498f69ad49270190c74cf3af28862057f2 |
| SHA256 | 2bee549b2816ba29f81c47778d9e299c3a364b81769e43d5255310c2bd146d6e |
| SHA512 | 3ad6afa6269b48f238b48cf09eeefdef03b58bab4e25282c8c2887b4509856cf5cbb0223fbb06c822fb745aeea000dd1eee878df46ad0ba7f2ef520a7a607f79 |
\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsZip_1_0_2_0.dll
| MD5 | 830121b8ef1771452e856c9e12c2c7bf |
| SHA1 | 19f0ee257d2c86ae18d6f064c0e8bc235b3532b9 |
| SHA256 | 96b669fba768b7df76a7ff70b3c587e93fb3a8efbd67cca0e90c3ee6b56158b0 |
| SHA512 | 192690e515b8d771d62db491ce4a1706d3639cd364a57a8c5db1fc39f8561468d397d7744574bb3deacd16095dc0d29bfa1f7c46a341d987243bba85b7e3b68b |
\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsZip_1_0_1_0.dll
| MD5 | e50d4a26d1754e3ecefc9a494cd8de4e |
| SHA1 | 45f61393259d1f982ce092a85b1031de4537a496 |
| SHA256 | bfaa50c23bba0e47893b0ace5dc937287d92519180cdc1435ffa8f67746cea32 |
| SHA512 | febd86cca9c872bfbc89ae6f62a107731c1fbe1060ef2e4c048f648b89ab872b87b15521b9e044bddcf86c704e21467511321a3fa72363ff20d013f26d76629f |
C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll
| MD5 | fac18a5173ac0c425348086f307c8fec |
| SHA1 | 322d36a63709838e21905b9e1e5bcb9c7fad3a1d |
| SHA256 | b6dc15bb1686c13b1397b36ce2ba8c33155b139a7b464f0a9650c8c1aa3485a0 |
| SHA512 | f5cc2f6ec62d1a1deef56df2f2ce400ad741ce8474ac40ab275a712cdc658300ca366b63b962173aba98de58522efa97dd6ac50cb702f21a56530a83b7707353 |
C:\Users\Admin\AppData\Local\Temp\CT2504091.crx
| MD5 | be8e96e2f3717f17614745e0784a02cc |
| SHA1 | 8299fdb858020dbac9bb12bab7e04ac71b91b634 |
| SHA256 | 27ff2ebc4c88552d4ea9c44adb079815405b02c6c0cedb81ec444ec9d155883a |
| SHA512 | cddac5799c874338736b2ec94b100d215e30ea4499c582ca958d6ec0b7f6bd37533b521106bf11ac3add8a9199435f618fe92ceab4bf88b793325694df4c5a3a |
\Users\Admin\AppData\Local\Temp\nsjD422.tmp\nsCRandom_1_0_1_1.dll
| MD5 | 077a42a89875b2271731ce9afcfec5cd |
| SHA1 | 65c034b85516a5e7d55a94ce283851aee1fc37fe |
| SHA256 | 5efd476cb861695bfbd04ccdbb952655d40a393a30d8490e474a48c3937c62f4 |
| SHA512 | 18849c08991376658ce0206bc33baf7fb9eb8cd4c37e3c0da96cf64c7352896f0796fab5bc9ca92aaa1c5e383b5e19f3518a644ad42e2304a8ea6b5758edbf18 |
C:\Users\Admin\AppData\Local\Temp\nsoE5DF.tmp
| MD5 | ceb0a20a63e688e308eee50166ab9a7e |
| SHA1 | f3a8b8488606a6d916c5bbb69918996037020c90 |
| SHA256 | d9fb78d3bb85f4701efd0f4f0ec1cee1583ab8c1c737c93747fcb7edef892d3d |
| SHA512 | a1e1fcce2a3a3a5d0aebffbf206880cad610b948eb5671ef7c23f05985ebd3a5ac109e0dd5fa6ecff15b5ae3038ed1cc47e9449a7f92c9a3d145e6984254977c |
\Users\Admin\AppData\Local\Temp\nsjD422.tmp\Omnibox_2_0_1_1.dll
| MD5 | 6b75c874dc2d6408b4d0ba0aa5c1b11f |
| SHA1 | a0dabf72db0cda023756b196da489cbbc49a7a9b |
| SHA256 | d3d474a2c4982b55028f8d24395a8a463b95cb29777d34c3dca660b2441d1cd4 |
| SHA512 | d24e32ee0f25d033b691971c7c9553ae5e8b694d01bebeb7cf153d4e6f9f90e4c48fe9b69c5c93120ec716835960978c343f789e72e327b1ba671edfe6ea400c |
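Two things in behavioral1 are worth pulling out of the tables above. First, the persistence: the installer drops TBVerifier.dll under Program Files (x86)\Conduit and registers a per-user Run value that relaunches it through the signed system binary rundll32.exe with the export RunConduitFloatingPlugin, so a naive "is the autostart binary signed and in System32?" check passes while the code that actually runs lives in a third-party directory. Second, the many Program crash entries in the other behavioral runs are the sandbox detonating each dropped NSIS plugin ($PLUGINSDIR\nsExec.dll, nsDialogs.dll, nsJSON_*.dll, nsZip_*.dll, nsUtils_*.dll, nsCRandom_*.dll) on its own as `rundll32 <dll>,#1`; NSIS plugin exports expect the installer's stack and variable pointers rather than rundll32's (HWND, HINSTANCE, LPSTR, int) arguments, so a fault in the SysWOW64 rundll32 child followed by WerFault is consistent with that and is not on its own evidence of anti-analysis behaviour. The script below is an added triage example, not code from the report or from the Conduit installer: it parses rundll32 command lines the way rundll32 resolves them (DLL, then export by name or by `#ordinal`, then arguments, in both the `dll,Export` and the `"dll" Export` spellings that appear above) and flags any Run value whose DLL sits outside the Windows system directories. The three sample command lines are copied from the report; SYSTEM_DIRS and the two contrasting Run entries are constructed assumptions, and the parser is a simplification of real rundll32 (it does not, for example, search the DLL path).

```python
"""Triage helper for rundll32-based autostart entries (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumption: system directories of the analysis VM, as seen in the report.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
RUNDLL32_RE = re.compile(r"(?i)(?:^|\\)rundll32(?:\.exe)?$")

# Command lines copied from the report above (sample inputs).
RUN_KEY_VALUE = (r'"C:\Windows\SysWOW64\Rundll32.exe" '
                 r'"C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll",'
                 r'RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk')
PROCESS_CMDLINE = (r'rundll32 "C:\Program Files (x86)\Conduit\CT2504091\plugins\TBVerifier.dll" '
                   r'RunConduitFloatingPlugin ojpijjmpahflnipadmlpgbjmagmjchkk,2360')
PLUGIN_DETONATION = r'rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1'

# Constructed Run key contents: the real entry from the report plus two
# made-up entries for contrast (not from the report).
SAMPLE_RUN_KEY: Dict[str, str] = {
    "ConduitFloatingPlugin_ojpijjmpahflnipadmlpgbjmagmjchkk": RUN_KEY_VALUE,
    "ExampleSystemEntry": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\example.dll,Start',
    "ExamplePlainExe": r'"C:\Program Files\Example\example.exe" /background',
}


@dataclass
class RunDllCall:
    dll: str
    export: str
    args: str
    ordinal: bool          # export given as #N rather than by name
    outside_system: bool   # DLL path is not under System32 / SysWOW64


def _take_token(s: str, stop_at_comma: bool) -> Tuple[str, str]:
    """Return (token, rest), honouring "..." quoting; optionally stop at ','."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end < 0:
            raise ValueError("unterminated quote in command line")
        return s[1:end], s[end + 1:]
    i = 0
    while i < len(s) and not s[i].isspace() and not (stop_at_comma and s[i] == ","):
        i += 1
    return s[:i], s[i:]


def parse_rundll32(cmdline: str) -> Optional[RunDllCall]:
    """Parse a rundll32 launch; return None when the command is not rundll32."""
    exe, rest = _take_token(cmdline, stop_at_comma=False)
    if not RUNDLL32_RE.search(exe):
        return None
    dll, rest = _take_token(rest, stop_at_comma=True)
    if rest.startswith(","):                      # dll,Export form
        export, rest = _take_token(rest[1:], stop_at_comma=False)
    else:                                         # "dll" Export form (as logged above)
        export, rest = _take_token(rest, stop_at_comma=False)
    return RunDllCall(
        dll=dll,
        export=export,
        args=rest.strip(),
        ordinal=export.startswith("#"),
        outside_system=not dll.lower().startswith(SYSTEM_DIRS),
    )


def scan_run_keys(values: Dict[str, str]) -> List[Tuple[str, RunDllCall]]:
    """Return the Run values that proxy a non-system DLL through rundll32."""
    hits = []
    for name, data in values.items():
        call = parse_rundll32(data)
        if call is not None and call.outside_system:
            hits.append((name, call))
    return hits


def main() -> None:
    for name, call in scan_run_keys(SAMPLE_RUN_KEY):
        print(f"[!] {name}: rundll32 -> {call.dll} ! {call.export} {call.args}")
    plugin = parse_rundll32(PLUGIN_DETONATION)
    print(f"[i] sandbox plugin run: {plugin.dll} export {plugin.export} "
          f"(ordinal={plugin.ordinal}); a crash here is expected for an NSIS plugin")


if __name__ == "__main__":
    main()
```

On a live host the same check runs over the output of `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and the HKLM key, RunOnce, and the WOW6432Node copies); the point of splitting the DLL from the export is that the DLL path and its hash (b6dc15bb... for TBVerifier.dll above) are what you pivot on, not rundll32.exe itself.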
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win7-20240903-en
Max time kernel
14s
Max time network
18s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsCRandom_1_0_1_1.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 220
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
108s
Max time network
109s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 736 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 736 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 736 wrote to memory of 3648 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsExec.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 3648 -ip 3648
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-10-27 12:57
Reported
2024-10-27 12:59
Platform
win10v2004-20241007-en
Max time kernel
102s
Max time network
104s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2516 wrote to memory of 2300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2516 wrote to memory of 2300 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsZip_1_0_2_0.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2300 -ip 2300
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2300 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |