Malware Analysis Report

2024-07-28 05:18

Sample ID 240603-mhyztsbc7t
Target Toolbar.exe
SHA256 1ab515547654c84a0a846ca8438056451b42ebab2ee4e3d21675f60ad7d48f44
Tags
adware discovery stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

1ab515547654c84a0a846ca8438056451b42ebab2ee4e3d21675f60ad7d48f44

Threat Level: Shows suspicious behavior

The file Toolbar.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

adware discovery stealer

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer settings

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Browser Extensions
T1176
Privilege Escalation
TA0004
Defense Evasion
TA0005
Modify Registry
T1112
Credential Access
TA0006
Discovery
TA0007
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:28

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:28

Reported

2024-06-03 10:31

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File created C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File created C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\CLSID\ = "{83453071-3F9C-4ab0-BE30-EDA368D7976D}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\Instance\InitPropertyBag C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\A5POPSWT.DLL" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CurVer\ = "AskTBar.PopSwatterSettingsControl.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{147A976F-EEE1-4377-8EA7-4716E4CDD239} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403E-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\ProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ = "_IAskTBarPopSwatterSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\ = "Toolbar 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1\CLSID\ = "{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\ProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\VersionIndependentProgID\ = "AskTBar.SettingsPlugin" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\Implemented Categories C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\0 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CurVer C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403E-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin.1\CLSID\ = "{FE063DBB-4EC0-403e-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CurVer\ = "AskTBar.SettingsPlugin.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\ASKTBAR.DLL" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ = "IAskTBarSettings" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1\CLSID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\VersionIndependentProgID\ = "AskTBar.PopSwatterBarButton" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\ = "PopSwatter Settings Class" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin.1\ = "Ask Toolbar Settings Plugin" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ = "_IAskTBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton\CLSID\ = "{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\ProgID\ = "AskTBar.PopSwatterBarButton.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ = "_IAskTBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CLSID\ = "{FE063DBB-4EC0-403e-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1968 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 1968 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 1968 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 1968 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 1968 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 1968 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 1968 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 1968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
PID 1968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
PID 1968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
PID 1968 wrote to memory of 1988 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

MD5 f90f8e211bb2ba49218188caa1dc2f3a
SHA1 8a18eb5ec6f37f9c4f0654069815f30f651b1d8c
SHA256 024fe6f1d33edbdb2a9064564273db5e4e2bf87fa6b6380b8a118a7b110b7035
SHA512 107889d1a470a4a622a3a09ee39077d12a444c6bb90e2897e56720c722db8e926f0853bc5cbc435d211105335ea0db1d334f8811c2c6d5ad63b7072742eb4f7e

\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL

MD5 69a3eb924678bb23047e6248648e6534
SHA1 844949940edfa51d38c5fa3294892b92c8d3cf8e
SHA256 8150669b6e743bdc725abfd4e51c3da721e4b1a2a86ee2cda4d61f8e2bbee851
SHA512 6f3c3b4a81965a6cf462943f1c0b0c8db1fbe7b89e24459411dc279cb18d534568c2cf0097bfea6848ceca9818bf10f86c1ea4aaf601f1b1e42dbd9ec696dd06

\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL

MD5 59dbfe16aa20144cb11e7fc8b2d21eaa
SHA1 b4403810c1db8482c5a26b418499a8643e4a6410
SHA256 809bbfa3fb67c79f1901b159b754dd955c5defe28d5879f91972d269d706d55c
SHA512 83ce6c1631d36ebc19be3fc178932f41fdef7c7f8a9dd5d3631527a25f894936477a053ad96d65ba58b8775732741b52af1edc390b260009775406b05df36297

\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

MD5 e7d9ce28eae7d5ce00878a39a7d2584f
SHA1 73b4be59997f90e3bb3e87df47efe76b10fa6a92
SHA256 87f40724067f8e3bfbb2d78962f9925ec77b83fb7763513387a016b6b1683439
SHA512 c7bffecd908007e2b53e83f444e3a685f525c022f12d8e2e3733a47f64c00e2165737450ccca4d86738c79d2104cf3ed6652803eb8fd78f36a2a26423600acd5

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:28

Reported

2024-06-03 10:31

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File created C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File created C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ = "_IAskTBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ = "IAskTBarPopSwatterSettings" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\ = "Ask Toolbar Settings Plugin" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403e-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\0\win32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\A5POPSWT.DLL" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\VersionIndependentProgID\ = "AskTBar.SettingsPlugin" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CLSID\ = "{83453071-3F9C-4ab0-BE30-EDA368D7976D}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\ProgID\ = "AskTBar.PopSwatterSettingsControl.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\TypeLib\ = "{BD04DAE0-8C1B-4cc5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\0\win32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\ASKTBAR.DLL" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CLSID\ = "{FE063DBB-4EC0-403e-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\ProgID\ = "AskTBar.SettingsPlugin.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CLSID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin.1\ = "Ask Toolbar Settings Plugin" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CLSID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\ = "PopSwatter Settings Class" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\Programmable C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ = "_IAskTBarPopSwatterSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Control C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\0 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\CLSID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CurVer C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\ASKTBAR.DLL" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Programmable C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Version C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\ProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\A5POPSWT.DLL" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\ = "Ask PopSwatter" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CurVer C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\Programmable C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ = "_IAskTBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1\CLSID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\ProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4036 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 4036 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 4036 wrote to memory of 1232 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 4036 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
PID 4036 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
PID 4036 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER88D9.tmp\Toolbar.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 7.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

MD5 f90f8e211bb2ba49218188caa1dc2f3a
SHA1 8a18eb5ec6f37f9c4f0654069815f30f651b1d8c
SHA256 024fe6f1d33edbdb2a9064564273db5e4e2bf87fa6b6380b8a118a7b110b7035
SHA512 107889d1a470a4a622a3a09ee39077d12a444c6bb90e2897e56720c722db8e926f0853bc5cbc435d211105335ea0db1d334f8811c2c6d5ad63b7072742eb4f7e

C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL

MD5 69a3eb924678bb23047e6248648e6534
SHA1 844949940edfa51d38c5fa3294892b92c8d3cf8e
SHA256 8150669b6e743bdc725abfd4e51c3da721e4b1a2a86ee2cda4d61f8e2bbee851
SHA512 6f3c3b4a81965a6cf462943f1c0b0c8db1fbe7b89e24459411dc279cb18d534568c2cf0097bfea6848ceca9818bf10f86c1ea4aaf601f1b1e42dbd9ec696dd06

C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL

MD5 59dbfe16aa20144cb11e7fc8b2d21eaa
SHA1 b4403810c1db8482c5a26b418499a8643e4a6410
SHA256 809bbfa3fb67c79f1901b159b754dd955c5defe28d5879f91972d269d706d55c
SHA512 83ce6c1631d36ebc19be3fc178932f41fdef7c7f8a9dd5d3631527a25f894936477a053ad96d65ba58b8775732741b52af1edc390b260009775406b05df36297

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

MD5 e7d9ce28eae7d5ce00878a39a7d2584f
SHA1 73b4be59997f90e3bb3e87df47efe76b10fa6a92
SHA256 87f40724067f8e3bfbb2d78962f9925ec77b83fb7763513387a016b6b1683439
SHA512 c7bffecd908007e2b53e83f444e3a685f525c022f12d8e2e3733a47f64c00e2165737450ccca4d86738c79d2104cf3ed6652803eb8fd78f36a2a26423600acd5