Analysis Overview
SHA256
e24e506c5f0e94aff89f5623a3d948aaaf9a1a511656793dc9937cfe04e36ba1
Threat Level: Shows suspicious behavior
The file 4a5881510b389c117ceefd6ebd7ac781 was found to show suspicious behavior.
Malicious Activity Summary
Registers COM server for autorun
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Installs/modifies Browser Helper Object
Adds Run key to start application
Checks installed software on the system
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-08 03:42
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-08 03:42
Reported
2024-01-08 03:45
Platform
win7-20231215-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4brmon.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4HighIn.exe | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Registers COM server for autorun
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Wow6432Node\CLSID\{e7472076-ff9d-4325-8eaf-613572008758}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Wow6432Node\CLSID\{e7472076-ff9d-4325-8eaf-613572008758}\InprocServer32\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin\\v4SrcAs.dll" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\Wow6432Node\CLSID\{e7472076-ff9d-4325-8eaf-613572008758}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DictionaryBoss Search Scope Monitor = "\"C:\\PROGRA~2\\DICTIO~1\\bar\\1.bin\\v4srchmn.exe\" /m=2 /w /h" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DictionaryBoss Browser Plugin Loader = "C:\\PROGRA~2\\DICTIO~1\\bar\\1.bin\\v4brmon.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{58376892-60e7-4f63-aca0-0f686af554d6} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{58376892-60e7-4f63-aca0-0f686af554d6}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6eb534fb-2001-45c4-b860-bc904865a379} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{6eb534fb-2001-45c4-b860-bc904865a379}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{58376892-60e7-4f63-aca0-0f686af554d6} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{58376892-60e7-4f63-aca0-0f686af554d6} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\NPv4Stub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4htmlmu.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4httpct.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4tpinst.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\msimg32.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4brmon.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4regiet.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4feedmg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4SrchMn.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\IE9Mesg\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\Settings\s_pid.dat | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4auxstb.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4dlghk.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4reghk.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\T8RES.DLL | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\ieuser.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4brstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4brstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4dyn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4regiet.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4barsvc.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4brmon.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4datact.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4datact.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4impipe.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4uabtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4bar.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4bar.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4highin.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4htmlmu.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4idle.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4sknlcr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4mlbtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4mlbtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\INSTALL.RDF | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\LOGO.BMP | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4auxstb.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4html.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4html.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4medint.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4regfft.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4skplay.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4SrchMn.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\installKeys.js | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\CHROME.MANIFEST | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4barsvc.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4ieovr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4radio.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4httpct.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4idle.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4radio.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4script.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\Message\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\chrome\v4ffxtbr.jar | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\gen1\COMMON.T8S | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4dlghk.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4highin.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4medint.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4Plugin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4skin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4skplay.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4msg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4reghk.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4sknlcr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{e7472076-ff9d-4325-8eaf-613572008758} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66222c2f-e3da-46fe-ac02-b30ba0daa13a}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66222c2f-e3da-46fe-ac02-b30ba0daa13a} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66222c2f-e3da-46fe-ac02-b30ba0daa13a}\AppPath = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{272143f8-3dbe-424c-949f-20acd11e5a6d}\AppName = "v4SkPlay.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{272143f8-3dbe-424c-949f-20acd11e5a6d}\AppPath = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8c0cfcbe-d7e4-4778-8bfd-3a8d8b5a9ccd}\AppName = "v4impipe.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8c0cfcbe-d7e4-4778-8bfd-3a8d8b5a9ccd}\AppPath = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{272143f8-3dbe-424c-949f-20acd11e5a6d}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8c0cfcbe-d7e4-4778-8bfd-3a8d8b5a9ccd} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c7d153b1-5602-41a4-a012-06165b4b0c53}\AppName = "v4SlSrch.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{163a7621-d9a7-4595-bd0c-ca2d34425c35} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{66222c2f-e3da-46fe-ac02-b30ba0daa13a}\AppName = "v4SrchMn.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{163a7621-d9a7-4595-bd0c-ca2d34425c35}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{163a7621-d9a7-4595-bd0c-ca2d34425c35}\AppPath = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{272143f8-3dbe-424c-949f-20acd11e5a6d} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{3042df7a-e900-4389-9b94-923df0daa57e} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{163a7621-d9a7-4595-bd0c-ca2d34425c35}\AppName = "v4medint.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c7d153b1-5602-41a4-a012-06165b4b0c53} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c7d153b1-5602-41a4-a012-06165b4b0c53}\AppPath = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c7d153b1-5602-41a4-a012-06165b4b0c53}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\UrlSearchHooks | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8c0cfcbe-d7e4-4778-8bfd-3a8d8b5a9ccd}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Run | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2c72f7a5-8160-4024-94d8-e0995d547bb0}\InprocServer32\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin\\v4dyn.dll" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.MultipleButton\CurVer | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5b610696-32b6-416c-bf5c-ca4f60a345dd}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.UrlAlertButton.1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{045c5f24-9e13-4ea8-ab93-fddab34f3fa5}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D1479029-BACC-4C9A-8C15-D857A2974E27}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{ED49DF44-2DC8-4CFC-8510-DAF4DFCC5F40}\TypeLib\ = "{696D3B4F-71EF-41CC-96FF-342317E644DE}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.ScriptButton\CLSID | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5b610696-32b6-416c-bf5c-ca4f60a345dd}\MiscStatus\1\ = "131473" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5b610696-32b6-416c-bf5c-ca4f60a345dd}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{ED49DF44-2DC8-4CFC-8510-DAF4DFCC5F40}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BD5AE73-FDA3-469B-9358-D4EDA7123370}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.Radio.1\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BECF6AB-82E3-4E58-9E73-78565FFE5C05}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9D14CAF3-88C2-4C9A-AE73-FE77C2A5697D}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{264E97DD-7AD7-442B-87A8-F9EC4819E47B}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8A44A538-73FC-4D86-83DB-68ACE71E5FE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{696D3B4F-71EF-41CC-96FF-342317E644DE}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6DDD8F3F-3774-484C-938C-4D9AB3A5F575}\TypeLib\ = "{4DE8B15E-E379-482A-81C5-CD99EB8CEF40}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2c72f7a5-8160-4024-94d8-e0995d547bb0}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9378167C-FAC6-4DFB-BD4F-F7C195D2B1E4}\1.0\0\win32\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin\\t8res.dll\\1506" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{b4ea8204-ee81-4f73-a240-ec4aeb8ad3de}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{e001b32e-5acb-4cce-9910-2d379ce0a6d6}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E79601CE-6CB5-4A4C-A643-A9FEC2C136F5}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{F9A402FD-82C8-4743-991E-BC77E62DA0E5}\ProgID\ = "DictionaryBoss.HTMLMenu.1" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0270C2C5-40BD-4CFF-B0DF-79AD2E283AD3}\TypeLib\ = "{696D3B4F-71EF-41CC-96FF-342317E644DE}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE9F4D06-3A23-4F1A-902F-D9E113793576}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7448C04F-A2EC-43F8-B42C-49001A49A199}\ = "SKINWINDOW_INTERFACE" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\MiscStatus | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{eb2049f6-9dfa-4e51-b2a1-fc5a6e596c80}\ProgID\ = "DictionaryBoss.HTMLPanel.1" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE17CD12-2988-47B4-86E3-640288DE42CB}\ = "IHttpControlEvents" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A525B28E-04EE-455F-8C17-3A0273EBEA2C}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{934894D3-9DF1-4063-BE0B-4246762A87D8}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{715321aa-a1fc-4058-8ffa-668d687b6e32}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{715321aa-a1fc-4058-8ffa-668d687b6e32}\ProgID\ = "DictionaryBoss.Radio.1" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{82481cff-738f-4410-bffb-77595d5d9faa}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.SkinLauncherSettings | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{03119103-0854-469D-807A-171568457991}\1.0 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{08855E67-37D6-48CC-B59E-A010D658A7BB}\TypeLib\ = "{6C367B45-0824-419A-AF7F-157665B56ABA}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{19C920DF-88F9-44F8-A17E-A35A12D60525} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{317D0A60-985E-4C4D-BA9B-8D1026665EA9}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\TypeLib\ = "{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{488c2712-1482-42ad-bc4d-681e5832f0c2}\TypeLib\ = "{d1479029-bacc-4c9a-8c15-d857a2974e27}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{eb2049f6-9dfa-4e51-b2a1-fc5a6e596c80}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9BECF6AB-82E3-4E58-9E73-78565FFE5C05}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9378167C-FAC6-4DFB-BD4F-F7C195D2B1E4}\1.0 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{806AADCB-C4D7-4545-954B-5E6C2952CE79}\ = "POPUPMENU_INTERFACE" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{715321aa-a1fc-4058-8ffa-668d687b6e32}\ProgID | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D43161C-85D1-460D-B835-342DEABD978D}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.XMLSessionPlugin\CLSID\ = "{6d0c6f55-e3eb-4d6b-8f52-996b4da196d9}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5BD5AE73-FDA3-469B-9358-D4EDA7123370}\ = "ITemplateXMLElement" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C0CFCBE-D7E4-4778-8BFD-3A8D8B5A9CCD}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73a7cce6-ff3a-4c7f-9a3e-db9bd92be292}\Control | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5A61E8B4-1D41-43FC-8237-AAAF8755317B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{da08805b-ba32-426b-ad14-ecac8235a8aa}\Programmable | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73a7cce6-ff3a-4c7f-9a3e-db9bd92be292}\InprocServer32\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin\\v4skin.dll" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{696D3B4F-71EF-41CC-96FF-342317E644DE}\1.0 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A436C6EC-9040-4322-AB62-BDB9E81E2F6C}\1.0\0\win32\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin\\t8res.dll\\405" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{806AADCB-C4D7-4545-954B-5E6C2952CE79}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.SettingsPlugin\CurVer\ = "DictionaryBoss.SettingsPlugin.1" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2499090-ACE6-48A0-ADD9-19FF13B69657}\1.0\ = "TEMPLATEHTMLMenuLib" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{6d0c6f55-e3eb-4d6b-8f52-996b4da196d9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4brmon.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe |
| C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4HighIn.exe | "C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4HighIn.exe" v4tpinst.dll,#5 |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4brmon.exe | "C:\PROGRA~2\DICTIO~1\bar\1.bin\v4brmon.exe" |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | "C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe" -install |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | "C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe" -remove |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe | "C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe" /m=2 /w /h /r |
| C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | "C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE" /p=XQ/n="DictionaryBoss" |
| C:\Users\Admin\AppData\Local\Temp\4a5881510b389c117ceefd6ebd7ac781.exe | "C:\Users\Admin\AppData\Local\Temp\4a5881510b389c117ceefd6ebd7ac781.exe" |
Network
Files
C:\Users\Admin\AppData\Local\Temp\T8SETUP.EX_
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
Note: these are the digests of a zero-byte file; the captured copy of T8SETUP.EX_ is empty and carries no usable hash.
memory/1948-155-0x00000000033F0000-0x000000000349B000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-08 03:42
Reported
2024-01-08 03:45
Platform
win10v2004-20231222-en
Max time kernel
0s
Max time network
129s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DictionaryBoss Search Scope Monitor = "\"C:\\PROGRA~2\\DICTIO~1\\bar\\1.bin\\v4srchmn.exe\" /m=2 /w /h" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DictionaryBoss Browser Plugin Loader = "C:\\PROGRA~2\\DICTIO~1\\bar\\1.bin\\v4brmon.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4htmlmu.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4reghk.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4uabtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4bar.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4skplay.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4SrcAs.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4SrchMn.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\CHROME.MANIFEST | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4bar.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4datact.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4regfft.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4feedmg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4html.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4uabtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\msimg32.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4radio.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4skplay.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4barsvc.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4datact.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4idle.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4mlbtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4impipe.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4radio.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\INSTALL.RDF | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\LOGO.BMP | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4feedmg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4impipe.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4sknlcr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\NPv4Stub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4Plugin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4Plugin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\T8RES.DLL | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4hkstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4medint.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4skin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4auxstb.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4brstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4dlghk.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4hkstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4SrcAs.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4brmon.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4brstub.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4skin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4sknlcr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\T8RES.DLL | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4SrchMn.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4tpinst.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4highin.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4highin.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4html.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4medint.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4msg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4msg.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4regfft.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4reghk.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4barsvc.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4dyn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4idle.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4mlbtn.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4regiet.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4script.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4ieovr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4ieovr.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4regiet.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}\1.0\0\win32\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin\\t8res.dll\\626" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7D153B1-5602-41A4-A012-06165B4B0C53} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{73A92446-8E2A-4B4D-8BFB-FA18F6B1C9A8} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{476C9DB6-2846-4507-A4FC-B95B9D84637C}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A61E8B4-1D41-43FC-8237-AAAF8755317B}\ = "ITemplateBarControl" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A61E8B4-1D41-43FC-8237-AAAF8755317B}\TypeLib\ = "{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A61E8B4-1D41-43FC-8237-AAAF8755317B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{264E97DD-7AD7-442B-87A8-F9EC4819E47B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\MiscStatus\ = "0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5A61E8B4-1D41-43FC-8237-AAAF8755317B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{264E97DD-7AD7-442B-87A8-F9EC4819E47B} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\VersionIndependentProgID\ = "DictionaryBoss.SettingsPlugin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{476C9DB6-2846-4507-A4FC-B95B9D84637C} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{476C9DB6-2846-4507-A4FC-B95B9D84637C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{264E97DD-7AD7-442B-87A8-F9EC4819E47B}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.SettingsPlugin.1\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\Version | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{73A92446-8E2A-4B4D-8BFB-FA18F6B1C9A8}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{476C9DB6-2846-4507-A4FC-B95B9D84637C}\TypeLib\ = "{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.SettingsPlugin\CLSID | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A92446-8E2A-4B4D-8BFB-FA18F6B1C9A8}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{476C9DB6-2846-4507-A4FC-B95B9D84637C}\TypeLib\ = "{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7D153B1-5602-41A4-A012-06165B4B0C53}\TypeLib\ = "{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{264E97DD-7AD7-442B-87A8-F9EC4819E47B}\ = "ITemplateBarMenu" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5A61E8B4-1D41-43FC-8237-AAAF8755317B}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\MiscStatus\1\ = "131473" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C7D153B1-5602-41A4-A012-06165B4B0C53} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{264E97DD-7AD7-442B-87A8-F9EC4819E47B}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{264E97DD-7AD7-442B-87A8-F9EC4819E47B}\TypeLib\ = "{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\MiscStatus\1 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{476C9DB6-2846-4507-A4FC-B95B9D84637C}\ = "SEARCHSCOPE_INTERFACE" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{476C9DB6-2846-4507-A4FC-B95B9D84637C}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3042df7a-e900-4389-9b94-923df0daa57e}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\ = "ITemplateBarButtonRect" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\TypeLib | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{476C9DB6-2846-4507-A4FC-B95B9D84637C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7D153B1-5602-41A4-A012-06165B4B0C53}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C7D153B1-5602-41A4-A012-06165B4B0C53}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A92446-8E2A-4B4D-8BFB-FA18F6B1C9A8} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\TypeLib\ = "{1a033ae8-0d4d-4ec8-a4a9-47bbe0b6489b}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{264E97DD-7AD7-442B-87A8-F9EC4819E47B} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.SettingsPlugin\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.SettingsPlugin\CurVer | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FF14F9E4-44C9-4CAB-88CE-A4E8221D0206}\ = "ITemplateBarButtonRect" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{73A92446-8E2A-4B4D-8BFB-FA18F6B1C9A8}\TypeLib\ = "{1A033AE8-0D4D-4EC8-A4A9-47BBE0B6489B}" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3042df7a-e900-4389-9b94-923df0daa57e} | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |
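The Run-key writes and the CLSID\InprocServer32 registrations above are the persistence that matters in this report: an autostart entry and a COM server, both pointing at binaries the installer itself dropped. The block below is an added example, not part of the sandbox output and not DictionaryBoss code. It parses rows copied from the report's tables, undoes the report's escaping of recorded values, and flags every Run entry or InprocServer32 server whose target is a file the installer wrote. The SHORT_NAMES table that expands PROGRA~2 and DICTIO~1 is an assumption taken from the report, which lists the same binaries under both the 8.3 and the long form; on another host the 8.3 names can differ.

```python
r"""Pull the persistence indicators out of the sandbox report's registry and
file tables.

Added example, not part of the report and not DictionaryBoss code.
SAMPLE_ROWS are copied from the report.  SHORT_NAMES is an assumption taken
from the report itself, which lists the same binaries as
C:\PROGRA~2\DICTIO~1\... and C:\Program Files (x86)\DictionaryBoss\...;
8.3 names are assigned per volume, so on another host they may differ.
"""
import re
from typing import Dict, List, Set, Tuple

# Rows constructed for this example: copied from the report's "Adds Run key",
# "Modifies registry class" and "Drops file in Program Files directory" tables.
SAMPLE_ROWS: List[str] = [
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DictionaryBoss Search Scope Monitor = "\"C:\\PROGRA~2\\DICTIO~1\\bar\\1.bin\\v4srchmn.exe\" /m=2 /w /h" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DictionaryBoss Browser Plugin Loader = "C:\\PROGRA~2\\DICTIO~1\\bar\\1.bin\\v4brmon.exe" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73a7cce6-ff3a-4c7f-9a3e-db9bd92be292}\InprocServer32\ = "C:\\Program Files (x86)\\DictionaryBoss\\bar\\1.bin\\v4skin.dll" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8eb0aaa0-2ffe-4326-8331-efe2d5d15ec7}\ | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\DictionaryBoss.SettingsPlugin\CurVer\ = "DictionaryBoss.SettingsPlugin.1" | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
    r'| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4skin.dll | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
    r'| File created | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4SrchMn.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
    r'| File opened for modification | C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4brmon.exe | C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | N/A |',
]

# Assumption (see module docstring): the 8.3 names observed in this report.
SHORT_NAMES = {"PROGRA~2": "Program Files (x86)", "DICTIO~1": "DictionaryBoss"}

RUN_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
COM_RE = re.compile(r"\\CLSID\\(\{[0-9a-f-]+\})\\InprocServer32\\?$", re.I)


def cells(row: str) -> List[str]:
    """Split one pipe-delimited report row into its stripped cells."""
    return [c.strip() for c in row.strip().strip("|").split("|")]


def unquote(value: str) -> str:
    """Undo the report's C-style escaping of a recorded registry value."""
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return re.sub(r"\\(.)", r"\1", value)  # backslash-backslash -> backslash, backslash-quote -> quote


def normalize(path: str) -> str:
    """Expand the 8.3 components listed in SHORT_NAMES and lower-case for comparison."""
    return "\\".join(SHORT_NAMES.get(p.upper(), p) for p in path.split("\\")).lower()


def image_of(command: str) -> str:
    """Executable path of a Run-key command line: the quoted token, else the first token."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    return (m.group(1) or m.group(2)) if m else command


def triage(rows: List[str]) -> Dict[str, object]:
    """Collect Run entries, CLSID InprocServer32 servers and files the installer wrote,
    then flag every autostart whose target is one of those files."""
    run: Dict[str, str] = {}
    com: Dict[str, str] = {}
    written: Set[str] = set()
    for op, indicator, _proc, _target in map(cells, rows):
        if op.startswith("File "):  # "File created" / "File opened for modification"
            written.add(normalize(indicator))
            continue
        if op != "Set value (str)" or " = " not in indicator:
            continue  # "Key created", or a value the sandbox did not record
        key, value = indicator.split(" = ", 1)
        value = unquote(value)
        if (m := RUN_RE.search(key)):
            run[m.group(1)] = value
        elif (m := COM_RE.search(key)):
            com[m.group(1).lower()] = value
    flagged: List[Tuple[str, str, str]] = []
    for name, cmd in run.items():
        if normalize(image_of(cmd)) in written:
            flagged.append(("Run", name, image_of(cmd)))
    for clsid, dll in com.items():
        if normalize(dll) in written:
            flagged.append(("InprocServer32", clsid, dll))
    return {"run": run, "com": com, "written": written, "flagged": flagged}


if __name__ == "__main__":
    for kind, name, target in triage(SAMPLE_ROWS)["flagged"]:
        print(f"{kind:15} {name:45} -> {target}")
```

Run as-is it reports all three entries (two Run values and the {73a7cce6-...} server backed by v4skin.dll) as persistence into files the installer wrote. Rows of the form `Set value (str)` with no `=` are the report recording a write whose value it did not capture; they are skipped rather than guessed.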
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\4a5881510b389c117ceefd6ebd7ac781.exe | "C:\Users\Admin\AppData\Local\Temp\4a5881510b389c117ceefd6ebd7ac781.exe" |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | "C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe" -install |
| C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4HighIn.exe | "C:\Program Files (x86)\DictionaryBoss\bar\1.bin\v4HighIn.exe" v4tpinst.dll,#5 |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4brmon.exe | "C:\PROGRA~2\DICTIO~1\bar\1.bin\v4brmon.exe" |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe | "C:\PROGRA~2\DICTIO~1\bar\1.bin\v4barsvc.exe" -remove |
| C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe | "C:\PROGRA~2\DICTIO~1\bar\1.bin\v4srchmn.exe" /m=2 /w /h /r |
| C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE | "C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE" /p=XQ/n="DictionaryBoss" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.178.17.96.in-addr.arpa | udp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| GB | 96.17.178.176:80 | | tcp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
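Most of the table above is resolver traffic; what a responder wants from it is the short list of endpoints that need a pivot. The block below is an added example, not part of the sandbox report. It parses rows copied from this table (including rows where the protocol spilled into the Domain column), groups them by endpoint, and lists the connections that carry no hostname in the capture or run in cleartext on port 80. Treating the in-addr.arpa lookups against the sandbox resolver as background noise is the example's assumption, not something the report states.

```python
"""Group the report's network rows by endpoint and pick out the ones that
need a pivot.

Added example, not part of the sandbox report.  SAMPLE_NET is copied from
the behavioral2 Network table, including rows where "tcp" landed in the
Domain column.  Treating in-addr.arpa queries to the sandbox resolver as
background noise is this example's assumption.
"""
from typing import Dict, List, Tuple

# Rows constructed for this example (copied from the report's Network table).
SAMPLE_NET: List[str] = [
    "| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |",
    "| US | 8.8.8.8:53 | g.bing.com | udp |",
    "| US | 204.79.197.200:443 | g.bing.com | tcp |",
    "| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |",
    "| GB | 96.17.178.176:80 | tcp | |",
    "| GB | 96.17.178.176:80 | tcp | |",
    "| US | 204.79.197.200:443 | g.bing.com | tcp |",
    "| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |",
]
PROTOS = {"tcp", "udp"}
Row = Tuple[str, str, str, str]


def parse_net(row: str) -> Row:
    """Return (country, destination, domain, proto), repairing the column shift
    where the report put the protocol in the Domain cell."""
    c = [x.strip() for x in row.strip().strip("|").split("|")]
    country, dest, domain, proto = (c + [""] * 4)[:4]
    if not proto and domain in PROTOS:
        domain, proto = "", domain
    return country, dest, domain, proto


def summarize(rows: List[str]) -> Dict[Tuple[str, str, str], dict]:
    """Bucket rows by (kind, destination, proto) with hit counts and observed names."""
    out: Dict[Tuple[str, str, str], dict] = {}
    for country, dest, domain, proto in map(parse_net, rows):
        port = dest.rpartition(":")[2]
        if port == "53" and domain.endswith(".in-addr.arpa"):
            kind = "reverse-lookup"  # assumed OS/sandbox background, see docstring
        elif port == "53":
            kind = "dns"
        elif domain:
            kind = "named"
        else:
            kind = "unnamed"  # no hostname in the capture: the IP is the only pivot
        e = out.setdefault((kind, dest, proto), {"country": country, "count": 0, "names": set()})
        e["count"] += 1
        if domain:
            e["names"].add(domain)
    return out


def follow_up(summary: Dict[Tuple[str, str, str], dict]) -> List[str]:
    """Destinations to chase first: unnamed connections and anything in cleartext on :80."""
    return sorted({dest for (kind, dest, _p) in summary if kind == "unnamed" or dest.endswith(":80")})


if __name__ == "__main__":
    s = summarize(SAMPLE_NET)
    for (kind, dest, proto), e in sorted(s.items()):
        print(f"{kind:15} {proto:4} {dest:22} x{e['count']:<3} {' '.join(sorted(e['names']))}")
    print("follow up:", follow_up(s))
```

On the rows above the only destination left for follow-up is 96.17.178.176:80, reached four times over plain HTTP with no name recorded; the g.bing.com connection resolves to a known host and the PTR queries are grouped away as noise.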
Files
memory/1568-177-0x00000000034B0000-0x000000000355B000-memory.dmp