Analysis Overview
SHA256
51ef5b112e89b59d2a8c7921af0dc5272d059b9c5a1ddbd1bfe4f9a5fcff8e46
Threat Level: Shows suspicious behavior
The file dbc3b7443f9fc4dc0b51b186f9feee29 was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Checks installed software on the system
Installs/modifies Browser Helper Object
Unsigned PE
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 13:41
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 13:41
Reported
2024-03-21 13:44
Platform
win7-20240221-en
Max time kernel
117s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe
"C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe"
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\settings.ini
| MD5 | a780c9e02de08a2eb5ffbbe8cf1288d5 |
| SHA1 | ae9db3390008dc61f843e907d1c0d760112f361d |
| SHA256 | c2976606e230c9bf32266781b66f3cf5e43b766342db3c97b44b49e574c12e88 |
| SHA512 | ea8aca3bdb2dbedb7da9fd6b28b25148cb302e3e337624ebd579c37adc82e12653c3e0b9f7985d716ce36d8a4dc2e953c8699603efae38e5fafb6db1e81a7de3 |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\bootstrap.js
| MD5 | b9165e81934c746e3a33afc6bde86143 |
| SHA1 | ce38f37d26d5fa6309f4d42cbf470bc4a884b100 |
| SHA256 | 3edbe3448cc74e7862db06fb08a8250c044a6aadbbea35a365560080eaaa3624 |
| SHA512 | fab8731e561554bf3ac4a32950a4111d3bca7d9223727ed6eccca598777bd697606a11f658eae3d28f6dae16faf40fda7387d0e25cd8f3cb750c871f77178bc8 |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\chrome.manifest
| MD5 | e7e543d1c04192314d3b4f8c38181380 |
| SHA1 | 521b4a98932279d4233dcabbf69b6cf8f77f4254 |
| SHA256 | 63abb8024a686073dff842d91e89232db01254f97b6eb91056789f213a2430cf |
| SHA512 | 27ed73a9ef90265b6e4f9077a7d37845d32ac856324b208c85eae55a7e34bbfbc4e9378fa757c483ae4ce62dbc9093402a07ed5c09405bb1e8f021e0bbd94327 |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\install.rdf
| MD5 | d403b95f264fc09ca718ed8c28fc551c |
| SHA1 | a5cc7c33761d47d7e5d8d163c2328e65371259a6 |
| SHA256 | e14455c835deb2535b3cf9b0d96d49d338ef9814c0e29777acea417299f00394 |
| SHA512 | 0651574c5bc47115dbfb79812ffeb4dcca14c9f5aa8284d9ea8b7e453ad828579e17fd7e21141e1518f641b2288231ee25c9e08160f98df3507141500a2c6f25 |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\content\bg.js
| MD5 | 242f79795d732646b17bc0dc54475b67 |
| SHA1 | d7e3204ecaa652e622a4fdc1f1032be6fbbc1391 |
| SHA256 | c968eb81998b8c327edad4ef2719d2127c3f8cb297e7810d2ab285306b136160 |
| SHA512 | 6e91cf06da1d121544b3832eb47ca2684c1a74312ab2115084f8aedc550ba1f92fedf12bd0227402a4bfa6c9f47f7b3973440c35031964deba125e0468c65dac |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\content\zy.xul
| MD5 | a1264ce9ffc47c7442ac3cd92549dbfe |
| SHA1 | 0a59a196c47015375fe36eaa1459f9eb4776f211 |
| SHA256 | 52f69d71c567894d045311d275ae6f003f3da8e04d63118b0ae9fe1397cf5d45 |
| SHA512 | 83a6c0ef4ef2bb50183fd12bbbfef0df3857e86028690940ee5427f868faa522f042ea449f31f9ae22c432442516e369b602ed17e567826baef4e40fe2927799 |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\hnmcnkenkejknnmjmhnopldmbilbfjbp.crx
| MD5 | 3b5e21cdaec9856f48e2b59de562dd95 |
| SHA1 | f4988e726d52c7075a91e49e8c0f45086a88ced1 |
| SHA256 | d78ffe892929237d69d6a159333e8ea8ddb3fda0f88e8ebcdcb69536f80ea3f3 |
| SHA512 | 980c786073995b2fda073440ffe2f9b8f8e26a843a8b1e6899498c13967c5faa135accb4066cf6ab5b658258efddbb8771e6eb0ce67eec9f159cb92c1d4391bd |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\background.html
| MD5 | f99e3ce2a4b055651f1d6cae063d6177 |
| SHA1 | a0c8a2c6ba88062edac44a9989d55e6d8ffe6661 |
| SHA256 | e8aeae359dab85ff8a66886bfe7484c0831392ffceb281c4b6bde4d4a2ca8cc2 |
| SHA512 | 29cfcdd30d518ee66b8ef42727e5049b039ae5060717dfc2793614c7c5bb31aed811a73871baaeafd671a33ebe0af4146a96d3077d19bee025f4a8d91188fed3 |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\content.js
| MD5 | 653e783c90f0ddfeca78491dd1a64b54 |
| SHA1 | 219d72d86277224f55359e37c4b991bad57d52d3 |
| SHA256 | d6826548fdb82fa48f0a0513d85b72c7c50f917a4301977bd29bfc2703f58366 |
| SHA512 | 656e47b1e0c1b365d5591ee9f43a19d099c25e330342e9d11cdb3d4f916c50446cbdb7c90dfe8c43c63ad070846a8ba99ba44fa25ea460cad202ddd0f78b0c6f |
C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\bhoclass.dll
| MD5 | 0fba1e50c5ca7a4cfeac6ab8f1fcfda9 |
| SHA1 | 532b7ba678f2de4b4493c89ac13624622058c54a |
| SHA256 | 160a3d5b09df4d7e764ad8173ba44aba43aace29df364d788fd069b2530a977f |
| SHA512 | 339f6ffc41b70fe312fe6b517e8c5931c24a7a4bcd2d84db2923d089aa29ecdfa3e78944f9c0f9580dd92eb26daa45ee4c1453634ad36a5057a12a3088cb34bf |
C:\ProgramData\wxDfast\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 13:41
Reported
2024-03-21 13:44
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ = "wxDfast Class" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2756 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe |
| PID 2756 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe |
| PID 2756 wrote to memory of 3164 | N/A | C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe
"C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.5.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.227.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.135.221.88.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe
| MD5 | 16ef6e914973925977cdc5ef6b8b2565 |
| SHA1 | 4815da2815975b33f5dc94d482e6dbc02588afa6 |
| SHA256 | 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f |
| SHA512 | c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059 |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\settings.ini
| MD5 | a780c9e02de08a2eb5ffbbe8cf1288d5 |
| SHA1 | ae9db3390008dc61f843e907d1c0d760112f361d |
| SHA256 | c2976606e230c9bf32266781b66f3cf5e43b766342db3c97b44b49e574c12e88 |
| SHA512 | ea8aca3bdb2dbedb7da9fd6b28b25148cb302e3e337624ebd579c37adc82e12653c3e0b9f7985d716ce36d8a4dc2e953c8699603efae38e5fafb6db1e81a7de3 |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\bootstrap.js
| MD5 | b9165e81934c746e3a33afc6bde86143 |
| SHA1 | ce38f37d26d5fa6309f4d42cbf470bc4a884b100 |
| SHA256 | 3edbe3448cc74e7862db06fb08a8250c044a6aadbbea35a365560080eaaa3624 |
| SHA512 | fab8731e561554bf3ac4a32950a4111d3bca7d9223727ed6eccca598777bd697606a11f658eae3d28f6dae16faf40fda7387d0e25cd8f3cb750c871f77178bc8 |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\chrome.manifest
| MD5 | e7e543d1c04192314d3b4f8c38181380 |
| SHA1 | 521b4a98932279d4233dcabbf69b6cf8f77f4254 |
| SHA256 | 63abb8024a686073dff842d91e89232db01254f97b6eb91056789f213a2430cf |
| SHA512 | 27ed73a9ef90265b6e4f9077a7d37845d32ac856324b208c85eae55a7e34bbfbc4e9378fa757c483ae4ce62dbc9093402a07ed5c09405bb1e8f021e0bbd94327 |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\install.rdf
| MD5 | d403b95f264fc09ca718ed8c28fc551c |
| SHA1 | a5cc7c33761d47d7e5d8d163c2328e65371259a6 |
| SHA256 | e14455c835deb2535b3cf9b0d96d49d338ef9814c0e29777acea417299f00394 |
| SHA512 | 0651574c5bc47115dbfb79812ffeb4dcca14c9f5aa8284d9ea8b7e453ad828579e17fd7e21141e1518f641b2288231ee25c9e08160f98df3507141500a2c6f25 |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\content\bg.js
| MD5 | 242f79795d732646b17bc0dc54475b67 |
| SHA1 | d7e3204ecaa652e622a4fdc1f1032be6fbbc1391 |
| SHA256 | c968eb81998b8c327edad4ef2719d2127c3f8cb297e7810d2ab285306b136160 |
| SHA512 | 6e91cf06da1d121544b3832eb47ca2684c1a74312ab2115084f8aedc550ba1f92fedf12bd0227402a4bfa6c9f47f7b3973440c35031964deba125e0468c65dac |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\content\zy.xul
| MD5 | a1264ce9ffc47c7442ac3cd92549dbfe |
| SHA1 | 0a59a196c47015375fe36eaa1459f9eb4776f211 |
| SHA256 | 52f69d71c567894d045311d275ae6f003f3da8e04d63118b0ae9fe1397cf5d45 |
| SHA512 | 83a6c0ef4ef2bb50183fd12bbbfef0df3857e86028690940ee5427f868faa522f042ea449f31f9ae22c432442516e369b602ed17e567826baef4e40fe2927799 |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\hnmcnkenkejknnmjmhnopldmbilbfjbp.crx
| MD5 | 3b5e21cdaec9856f48e2b59de562dd95 |
| SHA1 | f4988e726d52c7075a91e49e8c0f45086a88ced1 |
| SHA256 | d78ffe892929237d69d6a159333e8ea8ddb3fda0f88e8ebcdcb69536f80ea3f3 |
| SHA512 | 980c786073995b2fda073440ffe2f9b8f8e26a843a8b1e6899498c13967c5faa135accb4066cf6ab5b658258efddbb8771e6eb0ce67eec9f159cb92c1d4391bd |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\background.html
| MD5 | f99e3ce2a4b055651f1d6cae063d6177 |
| SHA1 | a0c8a2c6ba88062edac44a9989d55e6d8ffe6661 |
| SHA256 | e8aeae359dab85ff8a66886bfe7484c0831392ffceb281c4b6bde4d4a2ca8cc2 |
| SHA512 | 29cfcdd30d518ee66b8ef42727e5049b039ae5060717dfc2793614c7c5bb31aed811a73871baaeafd671a33ebe0af4146a96d3077d19bee025f4a8d91188fed3 |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\content.js
| MD5 | 653e783c90f0ddfeca78491dd1a64b54 |
| SHA1 | 219d72d86277224f55359e37c4b991bad57d52d3 |
| SHA256 | d6826548fdb82fa48f0a0513d85b72c7c50f917a4301977bd29bfc2703f58366 |
| SHA512 | 656e47b1e0c1b365d5591ee9f43a19d099c25e330342e9d11cdb3d4f916c50446cbdb7c90dfe8c43c63ad070846a8ba99ba44fa25ea460cad202ddd0f78b0c6f |
C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\bhoclass.dll
| MD5 | 0fba1e50c5ca7a4cfeac6ab8f1fcfda9 |
| SHA1 | 532b7ba678f2de4b4493c89ac13624622058c54a |
| SHA256 | 160a3d5b09df4d7e764ad8173ba44aba43aace29df364d788fd069b2530a977f |
| SHA512 | 339f6ffc41b70fe312fe6b517e8c5931c24a7a4bcd2d84db2923d089aa29ecdfa3e78944f9c0f9580dd92eb26daa45ee4c1453634ad36a5057a12a3088cb34bf |
C:\ProgramData\wxDfast\uninstall.exe
| MD5 | 8be20144dbd200c6de0c9430ed9280cf |
| SHA1 | b81e3aacaaedd66ef0896acabc6983c94758e2b4 |
| SHA256 | 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6 |
| SHA512 | fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e |