Malware Analysis Report

2025-01-18 21:28

Sample ID 240321-qzh7gscf57
Target dbc3b7443f9fc4dc0b51b186f9feee29
SHA256 51ef5b112e89b59d2a8c7921af0dc5272d059b9c5a1ddbd1bfe4f9a5fcff8e46
Tags: adware discovery spyware stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

51ef5b112e89b59d2a8c7921af0dc5272d059b9c5a1ddbd1bfe4f9a5fcff8e46

Threat level: shows suspicious behavior (score 7/10).

The file dbc3b7443f9fc4dc0b51b186f9feee29 was classified as showing suspicious behavior: an unsigned NSIS installer that silently runs a dropped setup.exe (".\setup.exe /s"), registers an Internet Explorer Browser Helper Object (wxDfast, C:\ProgramData\wxDfast\bhoclass.dll) and pre-approves it through the Policies\Ext\CLSID key, and also drops Firefox (install.rdf, chrome.manifest, bootstrap.js) and Chrome (.crx) extension files.

Malicious Activity Summary

adware discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 13:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 13:41

Reported

2024-03-21 13:44

Platform

win7-20240221-en

Max time kernel

117s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ = "wxDfast Class" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} = "1" C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe

"C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe"

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\setup.exe

MD5 16ef6e914973925977cdc5ef6b8b2565
SHA1 4815da2815975b33f5dc94d482e6dbc02588afa6
SHA256 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f
SHA512 c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\settings.ini

MD5 a780c9e02de08a2eb5ffbbe8cf1288d5
SHA1 ae9db3390008dc61f843e907d1c0d760112f361d
SHA256 c2976606e230c9bf32266781b66f3cf5e43b766342db3c97b44b49e574c12e88
SHA512 ea8aca3bdb2dbedb7da9fd6b28b25148cb302e3e337624ebd579c37adc82e12653c3e0b9f7985d716ce36d8a4dc2e953c8699603efae38e5fafb6db1e81a7de3

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\bootstrap.js

MD5 b9165e81934c746e3a33afc6bde86143
SHA1 ce38f37d26d5fa6309f4d42cbf470bc4a884b100
SHA256 3edbe3448cc74e7862db06fb08a8250c044a6aadbbea35a365560080eaaa3624
SHA512 fab8731e561554bf3ac4a32950a4111d3bca7d9223727ed6eccca598777bd697606a11f658eae3d28f6dae16faf40fda7387d0e25cd8f3cb750c871f77178bc8

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\chrome.manifest

MD5 e7e543d1c04192314d3b4f8c38181380
SHA1 521b4a98932279d4233dcabbf69b6cf8f77f4254
SHA256 63abb8024a686073dff842d91e89232db01254f97b6eb91056789f213a2430cf
SHA512 27ed73a9ef90265b6e4f9077a7d37845d32ac856324b208c85eae55a7e34bbfbc4e9378fa757c483ae4ce62dbc9093402a07ed5c09405bb1e8f021e0bbd94327

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\install.rdf

MD5 d403b95f264fc09ca718ed8c28fc551c
SHA1 a5cc7c33761d47d7e5d8d163c2328e65371259a6
SHA256 e14455c835deb2535b3cf9b0d96d49d338ef9814c0e29777acea417299f00394
SHA512 0651574c5bc47115dbfb79812ffeb4dcca14c9f5aa8284d9ea8b7e453ad828579e17fd7e21141e1518f641b2288231ee25c9e08160f98df3507141500a2c6f25

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\content\bg.js

MD5 242f79795d732646b17bc0dc54475b67
SHA1 d7e3204ecaa652e622a4fdc1f1032be6fbbc1391
SHA256 c968eb81998b8c327edad4ef2719d2127c3f8cb297e7810d2ab285306b136160
SHA512 6e91cf06da1d121544b3832eb47ca2684c1a74312ab2115084f8aedc550ba1f92fedf12bd0227402a4bfa6c9f47f7b3973440c35031964deba125e0468c65dac

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\[email protected]\content\zy.xul

MD5 a1264ce9ffc47c7442ac3cd92549dbfe
SHA1 0a59a196c47015375fe36eaa1459f9eb4776f211
SHA256 52f69d71c567894d045311d275ae6f003f3da8e04d63118b0ae9fe1397cf5d45
SHA512 83a6c0ef4ef2bb50183fd12bbbfef0df3857e86028690940ee5427f868faa522f042ea449f31f9ae22c432442516e369b602ed17e567826baef4e40fe2927799

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\hnmcnkenkejknnmjmhnopldmbilbfjbp.crx

MD5 3b5e21cdaec9856f48e2b59de562dd95
SHA1 f4988e726d52c7075a91e49e8c0f45086a88ced1
SHA256 d78ffe892929237d69d6a159333e8ea8ddb3fda0f88e8ebcdcb69536f80ea3f3
SHA512 980c786073995b2fda073440ffe2f9b8f8e26a843a8b1e6899498c13967c5faa135accb4066cf6ab5b658258efddbb8771e6eb0ce67eec9f159cb92c1d4391bd

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\background.html

MD5 f99e3ce2a4b055651f1d6cae063d6177
SHA1 a0c8a2c6ba88062edac44a9989d55e6d8ffe6661
SHA256 e8aeae359dab85ff8a66886bfe7484c0831392ffceb281c4b6bde4d4a2ca8cc2
SHA512 29cfcdd30d518ee66b8ef42727e5049b039ae5060717dfc2793614c7c5bb31aed811a73871baaeafd671a33ebe0af4146a96d3077d19bee025f4a8d91188fed3

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\content.js

MD5 653e783c90f0ddfeca78491dd1a64b54
SHA1 219d72d86277224f55359e37c4b991bad57d52d3
SHA256 d6826548fdb82fa48f0a0513d85b72c7c50f917a4301977bd29bfc2703f58366
SHA512 656e47b1e0c1b365d5591ee9f43a19d099c25e330342e9d11cdb3d4f916c50446cbdb7c90dfe8c43c63ad070846a8ba99ba44fa25ea460cad202ddd0f78b0c6f

C:\Users\Admin\AppData\Local\Temp\7zS45E6.tmp\bhoclass.dll

MD5 0fba1e50c5ca7a4cfeac6ab8f1fcfda9
SHA1 532b7ba678f2de4b4493c89ac13624622058c54a
SHA256 160a3d5b09df4d7e764ad8173ba44aba43aace29df364d788fd069b2530a977f
SHA512 339f6ffc41b70fe312fe6b517e8c5931c24a7a4bcd2d84db2923d089aa29ecdfa3e78944f9c0f9580dd92eb26daa45ee4c1453634ad36a5057a12a3088cb34bf

C:\ProgramData\wxDfast\uninstall.exe

MD5 8be20144dbd200c6de0c9430ed9280cf
SHA1 b81e3aacaaedd66ef0896acabc6983c94758e2b4
SHA256 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6
SHA512 fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 13:41

Reported

2024-03-21 13:44

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ = "wxDfast Class" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "wxDfast" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID\ = "bhoclass.bho" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\ProgID\ = "bhoclass.bho.1.0" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\wxDfast\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{DB0D3E57-5D58-0D3D-30D6-EECD957467B9} = "1" C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe

"C:\Users\Admin\AppData\Local\Temp\dbc3b7443f9fc4dc0b51b186f9feee29.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe

.\setup.exe /s

Network

Country Destination Domain Proto
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 100.5.17.2.in-addr.arpa udp
US 8.8.8.8:53 119.110.54.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 211.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 128.227.79.178.in-addr.arpa udp
US 8.8.8.8:53 81.135.221.88.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\setup.exe

MD5 16ef6e914973925977cdc5ef6b8b2565
SHA1 4815da2815975b33f5dc94d482e6dbc02588afa6
SHA256 6b9a2b64b90799f1d50458dc38fb4e9e13a8abb37210c8f5d9eeedae84c6912f
SHA512 c74f0e17878c4598b626edb5e75e7ee098b71c0c26454ba709e2ea438517670ce11abf7d909470e6c935a21d0413c0d14b29960af9bd6a423e3261789a35b059

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\settings.ini

MD5 a780c9e02de08a2eb5ffbbe8cf1288d5
SHA1 ae9db3390008dc61f843e907d1c0d760112f361d
SHA256 c2976606e230c9bf32266781b66f3cf5e43b766342db3c97b44b49e574c12e88
SHA512 ea8aca3bdb2dbedb7da9fd6b28b25148cb302e3e337624ebd579c37adc82e12653c3e0b9f7985d716ce36d8a4dc2e953c8699603efae38e5fafb6db1e81a7de3

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\bootstrap.js

MD5 b9165e81934c746e3a33afc6bde86143
SHA1 ce38f37d26d5fa6309f4d42cbf470bc4a884b100
SHA256 3edbe3448cc74e7862db06fb08a8250c044a6aadbbea35a365560080eaaa3624
SHA512 fab8731e561554bf3ac4a32950a4111d3bca7d9223727ed6eccca598777bd697606a11f658eae3d28f6dae16faf40fda7387d0e25cd8f3cb750c871f77178bc8

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\chrome.manifest

MD5 e7e543d1c04192314d3b4f8c38181380
SHA1 521b4a98932279d4233dcabbf69b6cf8f77f4254
SHA256 63abb8024a686073dff842d91e89232db01254f97b6eb91056789f213a2430cf
SHA512 27ed73a9ef90265b6e4f9077a7d37845d32ac856324b208c85eae55a7e34bbfbc4e9378fa757c483ae4ce62dbc9093402a07ed5c09405bb1e8f021e0bbd94327

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\install.rdf

MD5 d403b95f264fc09ca718ed8c28fc551c
SHA1 a5cc7c33761d47d7e5d8d163c2328e65371259a6
SHA256 e14455c835deb2535b3cf9b0d96d49d338ef9814c0e29777acea417299f00394
SHA512 0651574c5bc47115dbfb79812ffeb4dcca14c9f5aa8284d9ea8b7e453ad828579e17fd7e21141e1518f641b2288231ee25c9e08160f98df3507141500a2c6f25

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\content\bg.js

MD5 242f79795d732646b17bc0dc54475b67
SHA1 d7e3204ecaa652e622a4fdc1f1032be6fbbc1391
SHA256 c968eb81998b8c327edad4ef2719d2127c3f8cb297e7810d2ab285306b136160
SHA512 6e91cf06da1d121544b3832eb47ca2684c1a74312ab2115084f8aedc550ba1f92fedf12bd0227402a4bfa6c9f47f7b3973440c35031964deba125e0468c65dac

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\[email protected]\content\zy.xul

MD5 a1264ce9ffc47c7442ac3cd92549dbfe
SHA1 0a59a196c47015375fe36eaa1459f9eb4776f211
SHA256 52f69d71c567894d045311d275ae6f003f3da8e04d63118b0ae9fe1397cf5d45
SHA512 83a6c0ef4ef2bb50183fd12bbbfef0df3857e86028690940ee5427f868faa522f042ea449f31f9ae22c432442516e369b602ed17e567826baef4e40fe2927799

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\hnmcnkenkejknnmjmhnopldmbilbfjbp.crx

MD5 3b5e21cdaec9856f48e2b59de562dd95
SHA1 f4988e726d52c7075a91e49e8c0f45086a88ced1
SHA256 d78ffe892929237d69d6a159333e8ea8ddb3fda0f88e8ebcdcb69536f80ea3f3
SHA512 980c786073995b2fda073440ffe2f9b8f8e26a843a8b1e6899498c13967c5faa135accb4066cf6ab5b658258efddbb8771e6eb0ce67eec9f159cb92c1d4391bd

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\background.html

MD5 f99e3ce2a4b055651f1d6cae063d6177
SHA1 a0c8a2c6ba88062edac44a9989d55e6d8ffe6661
SHA256 e8aeae359dab85ff8a66886bfe7484c0831392ffceb281c4b6bde4d4a2ca8cc2
SHA512 29cfcdd30d518ee66b8ef42727e5049b039ae5060717dfc2793614c7c5bb31aed811a73871baaeafd671a33ebe0af4146a96d3077d19bee025f4a8d91188fed3

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\content.js

MD5 653e783c90f0ddfeca78491dd1a64b54
SHA1 219d72d86277224f55359e37c4b991bad57d52d3
SHA256 d6826548fdb82fa48f0a0513d85b72c7c50f917a4301977bd29bfc2703f58366
SHA512 656e47b1e0c1b365d5591ee9f43a19d099c25e330342e9d11cdb3d4f916c50446cbdb7c90dfe8c43c63ad070846a8ba99ba44fa25ea460cad202ddd0f78b0c6f

C:\Users\Admin\AppData\Local\Temp\7zS4D07.tmp\bhoclass.dll

MD5 0fba1e50c5ca7a4cfeac6ab8f1fcfda9
SHA1 532b7ba678f2de4b4493c89ac13624622058c54a
SHA256 160a3d5b09df4d7e764ad8173ba44aba43aace29df364d788fd069b2530a977f
SHA512 339f6ffc41b70fe312fe6b517e8c5931c24a7a4bcd2d84db2923d089aa29ecdfa3e78944f9c0f9580dd92eb26daa45ee4c1453634ad36a5057a12a3088cb34bf

C:\ProgramData\wxDfast\uninstall.exe

MD5 8be20144dbd200c6de0c9430ed9280cf
SHA1 b81e3aacaaedd66ef0896acabc6983c94758e2b4
SHA256 634557ab79a29fe800721bc5f146a9b86799b72eb6755e821492f85ca66818a6
SHA512 fd7db954002be6332c8c6f4500fc38c1d5286022bb56f21b97567e837ee3d5a3c6db08cabcd2ffe405e7180918d6bb0b57b330703a9d045851901d01115ff94e