Analysis Overview
SHA256
3f0fad0de5319c67ce158793a2651f62668dfc1ef0615393350b5cbdd7f89bce
Threat Level: Shows suspicious behavior
The file 8fe22d9012398e4b5e109d9d6703b2cd was found to be: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Installs/modifies Browser Helper Object
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
NSIS installer
System policy modification
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-04 18:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-04 18:47
Reported
2024-02-04 18:49
Platform
win7-20231215-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ = "ADDICT-THING Class" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe
"C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe"
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\settings.ini
| MD5 | 1250f4a3cce76c624d3d651681a054b3 |
| SHA1 | 9249cb7ae76fd80c0d7cb768eafd1ccd1a27c1ef |
| SHA256 | d4033b65c5c555ac54c745be29e428e0eda403170ff57ab75f8f581e817c28e2 |
| SHA512 | 82235714f92168ec8b145e639c8ae335be0f4b7b2e6f454201f477eb963f251decd025e5dd3890920ad6119032a98ef36909b7eebd523e1d937644c185924a4e |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\[email protected]\bootstrap.js
| MD5 | f0ded83c97e0190109bc35e59c3a86a3 |
| SHA1 | 8ba0d099b3ae07ed479f45000f422f78a579254f |
| SHA256 | 9301e5cd5c9018835f5656cdbc01e62968d2cdc305f4230fdd2b12e256463484 |
| SHA512 | 6a437fc06c2db07568606e8a9561f51e6d038d8afb2c05608167e42c5c134290d96a8be80851b01175e579f07685dc49ac1921f497f2f384670ccb24a1cbbb52 |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\[email protected]\chrome.manifest
| MD5 | 0c1d81dda49ba25ac627d71081836ee8 |
| SHA1 | 21678c783cc814b3123c8e934517e1a513d3d822 |
| SHA256 | e4177a36ba9902f1c403d1cdc396a3cca62f6f647ae91bb4b172bcb18c85727f |
| SHA512 | ca85ab54b2883410f93e0d80a67a2df3f2abbb5cf67b85e2b169662bbda5404e4377b91640928170eec4634ffe8992d5ab27693b3f79b6b54bedcda724fd35ff |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\[email protected]\install.rdf
| MD5 | 5970b39017e732ca352554d8d41c2317 |
| SHA1 | 9c4c681bbf468f397d8bde4808ebd3a6e82795e4 |
| SHA256 | f826aa0af1e9ff8d8c1021db0a729c0b731d1ccf9b1f30b5b8e9bf6d2926ce9d |
| SHA512 | 7a0e0af1c2c3bfc055d9bc46ea05e13d611b6e313d41dbf1ecb4feacecaea7c0d333aac546f9a2303cf96e350f80c23ba04cabaf3850991b59a06124f084911e |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\[email protected]\content\bg.js
| MD5 | 3b91185d0a8d1a2741a4f8ecbaae117f |
| SHA1 | 245378d4416da91fa51dd3f4598595605c353626 |
| SHA256 | 4d3a683c9ea6b3b3f0d89fcf85f14b2ae281e2d1d08669f34f78bb0e0f83c55e |
| SHA512 | 777ad87b6b8fe21d1d04ba01b96ca698f3c863727281ba1bf48e4e9d18d7d548024a580dd04c1f0ee506b5a99e88b12d4220a28b672d5b752c088573a14e23bf |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\[email protected]\content\zy.xul
| MD5 | 09644f0ac805b6f88be0d5ca48602fcb |
| SHA1 | 2227b8cb86f7c6cb9393f235e90eb7af398103a2 |
| SHA256 | 4a2c5fbac4166da0a61c6ddb99b9324c574502ae4e03edcb35aa9045521fabfb |
| SHA512 | 3f806ed48fa603c6356fc3021192157a3ba4050b4c2571b86d85757858ff4fc1738e4303f3fb2830eb614fdd2fbdd9a49522986e8c03dae7d2efe35011fe1064 |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\ppjiiddlhppaddpanebnidfpefikkphd.crx
| MD5 | 894e02b7a7a44a82ceeb550420372bd0 |
| SHA1 | 846eafa31ac3cd92fcf5417cf768916270db718b |
| SHA256 | ee15544238a9da778dfe3a4e81f58118398d2a4e6690e745ae6916c3c00a0932 |
| SHA512 | 3e4ce317b02edf04ab4d95272e449aa2e10bee6bf072478ed01e728ea24ce8c6e52f5dc3e36a5a4090105672ee27fda268390ce4e9934d3aa4c0816fa7a8694f |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\background.html
| MD5 | d84a5926468decd26e172d800dd86bba |
| SHA1 | a676b23c781e7e6ee0dc1a79b50b251f8dca13e2 |
| SHA256 | 2598646012dc74560db1ad98544412f4d33cedc852e30c10dbefd28cc0b1246d |
| SHA512 | 9e65b47cd9564188a8ab29c2204a49985d191e95178acb2d7c769e1cf3f0460ab437326f81a7c17213a66f0e4dab1bdc8c7cfabac95160ba8458c22b32348489 |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\content.js
| MD5 | cf6721ed9f2a829eeb15bf3e41f75895 |
| SHA1 | 1d330123ab9553663c72c1eecb0404c57a0385e7 |
| SHA256 | 5a03eb012a23126976699a0368671c37342b926cddf7de8e2b44415454665a94 |
| SHA512 | cacd0d411e6901d2779a2d9f2df788d5d7f5d4739aa10ed0e07693e81815048be3b9adbbcc43cafc1dcbf88c86a5023d434307ad056df4f5a5e502b4c27e8e40 |
C:\Users\Admin\AppData\Local\Temp\7zS17C5.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\ADDICT-THING\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-04 18:47
Reported
2024-02-04 18:50
Platform
win10v2004-20231215-en
Max time kernel
142s
Max time network
156s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\ADDICT-THING\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "ADDICT-THING" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\ = "ADDICT-THING Class" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2312 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe |
| PID 2312 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe |
| PID 2312 wrote to memory of 456 | N/A | C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2BA6291B-EF0B-339F-8A26-E28B87D3E98E} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe
"C:\Users\Admin\AppData\Local\Temp\8fe22d9012398e4b5e109d9d6703b2cd.exe"
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\settings.ini
| MD5 | 1250f4a3cce76c624d3d651681a054b3 |
| SHA1 | 9249cb7ae76fd80c0d7cb768eafd1ccd1a27c1ef |
| SHA256 | d4033b65c5c555ac54c745be29e428e0eda403170ff57ab75f8f581e817c28e2 |
| SHA512 | 82235714f92168ec8b145e639c8ae335be0f4b7b2e6f454201f477eb963f251decd025e5dd3890920ad6119032a98ef36909b7eebd523e1d937644c185924a4e |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\bootstrap.js
| MD5 | f0ded83c97e0190109bc35e59c3a86a3 |
| SHA1 | 8ba0d099b3ae07ed479f45000f422f78a579254f |
| SHA256 | 9301e5cd5c9018835f5656cdbc01e62968d2cdc305f4230fdd2b12e256463484 |
| SHA512 | 6a437fc06c2db07568606e8a9561f51e6d038d8afb2c05608167e42c5c134290d96a8be80851b01175e579f07685dc49ac1921f497f2f384670ccb24a1cbbb52 |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\install.rdf
| MD5 | 5970b39017e732ca352554d8d41c2317 |
| SHA1 | 9c4c681bbf468f397d8bde4808ebd3a6e82795e4 |
| SHA256 | f826aa0af1e9ff8d8c1021db0a729c0b731d1ccf9b1f30b5b8e9bf6d2926ce9d |
| SHA512 | 7a0e0af1c2c3bfc055d9bc46ea05e13d611b6e313d41dbf1ecb4feacecaea7c0d333aac546f9a2303cf96e350f80c23ba04cabaf3850991b59a06124f084911e |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\chrome.manifest
| MD5 | 0c1d81dda49ba25ac627d71081836ee8 |
| SHA1 | 21678c783cc814b3123c8e934517e1a513d3d822 |
| SHA256 | e4177a36ba9902f1c403d1cdc396a3cca62f6f647ae91bb4b172bcb18c85727f |
| SHA512 | ca85ab54b2883410f93e0d80a67a2df3f2abbb5cf67b85e2b169662bbda5404e4377b91640928170eec4634ffe8992d5ab27693b3f79b6b54bedcda724fd35ff |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\content\bg.js
| MD5 | 3b91185d0a8d1a2741a4f8ecbaae117f |
| SHA1 | 245378d4416da91fa51dd3f4598595605c353626 |
| SHA256 | 4d3a683c9ea6b3b3f0d89fcf85f14b2ae281e2d1d08669f34f78bb0e0f83c55e |
| SHA512 | 777ad87b6b8fe21d1d04ba01b96ca698f3c863727281ba1bf48e4e9d18d7d548024a580dd04c1f0ee506b5a99e88b12d4220a28b672d5b752c088573a14e23bf |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\[email protected]\content\zy.xul
| MD5 | 09644f0ac805b6f88be0d5ca48602fcb |
| SHA1 | 2227b8cb86f7c6cb9393f235e90eb7af398103a2 |
| SHA256 | 4a2c5fbac4166da0a61c6ddb99b9324c574502ae4e03edcb35aa9045521fabfb |
| SHA512 | 3f806ed48fa603c6356fc3021192157a3ba4050b4c2571b86d85757858ff4fc1738e4303f3fb2830eb614fdd2fbdd9a49522986e8c03dae7d2efe35011fe1064 |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\ppjiiddlhppaddpanebnidfpefikkphd.crx
| MD5 | 894e02b7a7a44a82ceeb550420372bd0 |
| SHA1 | 846eafa31ac3cd92fcf5417cf768916270db718b |
| SHA256 | ee15544238a9da778dfe3a4e81f58118398d2a4e6690e745ae6916c3c00a0932 |
| SHA512 | 3e4ce317b02edf04ab4d95272e449aa2e10bee6bf072478ed01e728ea24ce8c6e52f5dc3e36a5a4090105672ee27fda268390ce4e9934d3aa4c0816fa7a8694f |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\background.html
| MD5 | d84a5926468decd26e172d800dd86bba |
| SHA1 | a676b23c781e7e6ee0dc1a79b50b251f8dca13e2 |
| SHA256 | 2598646012dc74560db1ad98544412f4d33cedc852e30c10dbefd28cc0b1246d |
| SHA512 | 9e65b47cd9564188a8ab29c2204a49985d191e95178acb2d7c769e1cf3f0460ab437326f81a7c17213a66f0e4dab1bdc8c7cfabac95160ba8458c22b32348489 |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\content.js
| MD5 | cf6721ed9f2a829eeb15bf3e41f75895 |
| SHA1 | 1d330123ab9553663c72c1eecb0404c57a0385e7 |
| SHA256 | 5a03eb012a23126976699a0368671c37342b926cddf7de8e2b44415454665a94 |
| SHA512 | cacd0d411e6901d2779a2d9f2df788d5d7f5d4739aa10ed0e07693e81815048be3b9adbbcc43cafc1dcbf88c86a5023d434307ad056df4f5a5e502b4c27e8e40 |
C:\Users\Admin\AppData\Local\Temp\7zS85D9.tmp\bhoclass.dll
| MD5 | 4b35f6c1f932f52fa9901fbc47b432df |
| SHA1 | 8e842bf068b04f36475a3bf86c5ea6a9839bbb5e |
| SHA256 | 2b4d643a8a14f060bf3885f872b36e5e1fe1e777ad94783ba9593487c8e1f196 |
| SHA512 | 8716b9a8e46933bf29348254a68d1a21392bdbbe3b4d5010e55fe638d02cc04eb685e424d440f7c5b58ffbca82e5772dd95bef73fa831595c2ae9599f3b05a99 |
C:\ProgramData\ADDICT-THING\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |