Malware Analysis Report

2024-07-28 05:19

Sample ID 240603-mrcsysbf8s
Target Toolbar.exe
SHA256 dba88e518881af49aac564d21784b3105e4193bfaea1036bace015c922c75432
Tags adware discovery stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 dba88e518881af49aac564d21784b3105e4193bfaea1036bace015c922c75432

Threat Level: Shows suspicious behavior

The file Toolbar.exe was found to show suspicious behavior.

Malicious Activity Summary

adware discovery stealer

Loads dropped DLL

Executes dropped EXE

Installs/modifies Browser Helper Object

Checks installed software on the system

Drops file in Program Files directory

Unsigned PE

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-03 10:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-03 10:41

Reported 2024-06-03 10:44

Platform win7-20240508-en

Max time kernel 121s

Max time network 125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File created C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File created C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1\ = "Bar Button Class" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\Programmable C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\InprocServer32\ = "C:\\Windows\\SysWow64\\shdocvw.dll" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\Instance C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\Instance\InitPropertyBag C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CurVer C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\ProgID\ = "AskTBar.SettingsPlugin.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\ProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ = "IAskTBarSettings" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\Instance\InitPropertyBag\Url = "http://www.popswatter.com/f3edit.html?p=a5" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\ = "Toolbar 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin.1\CLSID\ = "{FE063DBB-4EC0-403e-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CLSID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CurVer\ = "AskTBar.SettingsPlugin.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton\CurVer\ = "AskTBar.PopSwatterBarButton.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\ C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\ = "Ask Toolbar Settings Plugin" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403E-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\ = "Ask PopSwatter" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403E-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\VersionIndependentProgID\ = "AskTBar.PopSwatterSettingsControl" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton\CLSID\ = "{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\ = "PopSwatter Server Class" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\A5POPSWT.DLL" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1\CLSID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl.1\ = "PopSwatter Settings Class" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4cc5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ = "IAskTBarSettings" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ = "_IAskTBarPopSwatterSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2028 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 2028 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 2028 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 2028 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 2028 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 2028 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 2028 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE
PID 2028 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
PID 2028 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
PID 2028 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE
PID 2028 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

Processes

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe"

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe"

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

MD5 f90f8e211bb2ba49218188caa1dc2f3a
SHA1 8a18eb5ec6f37f9c4f0654069815f30f651b1d8c
SHA256 024fe6f1d33edbdb2a9064564273db5e4e2bf87fa6b6380b8a118a7b110b7035
SHA512 107889d1a470a4a622a3a09ee39077d12a444c6bb90e2897e56720c722db8e926f0853bc5cbc435d211105335ea0db1d334f8811c2c6d5ad63b7072742eb4f7e

\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL

MD5 69a3eb924678bb23047e6248648e6534
SHA1 844949940edfa51d38c5fa3294892b92c8d3cf8e
SHA256 8150669b6e743bdc725abfd4e51c3da721e4b1a2a86ee2cda4d61f8e2bbee851
SHA512 6f3c3b4a81965a6cf462943f1c0b0c8db1fbe7b89e24459411dc279cb18d534568c2cf0097bfea6848ceca9818bf10f86c1ea4aaf601f1b1e42dbd9ec696dd06

\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL

MD5 59dbfe16aa20144cb11e7fc8b2d21eaa
SHA1 b4403810c1db8482c5a26b418499a8643e4a6410
SHA256 809bbfa3fb67c79f1901b159b754dd955c5defe28d5879f91972d269d706d55c
SHA512 83ce6c1631d36ebc19be3fc178932f41fdef7c7f8a9dd5d3631527a25f894936477a053ad96d65ba58b8775732741b52af1edc390b260009775406b05df36297

\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

MD5 e7d9ce28eae7d5ce00878a39a7d2584f
SHA1 73b4be59997f90e3bb3e87df47efe76b10fa6a92
SHA256 87f40724067f8e3bfbb2d78962f9925ec77b83fb7763513387a016b6b1683439
SHA512 c7bffecd908007e2b53e83f444e3a685f525c022f12d8e2e3733a47f64c00e2165737450ccca4d86738c79d2104cf3ed6652803eb8fd78f36a2a26423600acd5

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-03 10:41

Reported 2024-06-03 10:44

Platform win10v2004-20240508-en

Max time kernel 134s

Max time network 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar BHO" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE063DB1-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File created C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
File opened for modification C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{FE063DB9-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton\CLSID\ = "{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\ = "Ask Toolbar Settings Plugin" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\ProgID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\TypeLib\ = "{FE063DB0-4EC0-403e-8DD8-394C54984B2C}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ = "IAskTBarPopSwatterSettings" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB1-4EC0-403e-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CurVer C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CLSID C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterSettingsControl\CurVer C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\VersionIndependentProgID\ = "AskTBar.PopSwatterSettingsControl" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\Programmable C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\InprocServer32\ = "C:\\Windows\\SysWow64\\shdocvw.dll" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ = "_IAskTBarSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\VersionIndependentProgID\ = "AskTBar.PopSwatterBarButton" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\Instance\InitPropertyBag C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}\1.0\ = "PopSwatter Control 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\Programmable C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\InprocServer32\ = "C:\\Program Files (x86)\\AskTBar\\bar\\1.bin\\A5POPSWT.DLL" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD04DAE2-8C1B-4cc5-9E06-22DE05C2EDA0}\Programmable C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72FE8681-0BFA-471b-9B2A-B37ED68DD09E}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBC-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9AFB8248-617F-460d-9366-D71CDEDA3179}\ C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DBB-4EC0-403e-8DD8-394C54984B2C}\MiscStatus\1 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\0 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{FE063DB0-4EC0-403E-8DD8-394C54984B2C}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton\ = "Bar Button Class" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FE063DBA-4EC0-403E-8DD8-394C54984B2C}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\ = "_IAskTBarPopSwatterSettingsEvents" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE063DB9-4EC0-403e-8DD8-394C54984B2C}\ = "Ask Toolbar" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.PopSwatterBarButton.1 C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{83453071-3F9C-4ab0-BE30-EDA368D7976D}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{09BD51AE-7E02-4916-9B12-647A92C02B7F}\TypeLib\ = "{BD04DAE0-8C1B-4cc5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D} C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83453070-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83453072-3F9C-4AB0-BE30-EDA368D7976D}\TypeLib\ = "{BD04DAE0-8C1B-4CC5-9E06-22DE05C2EDA0}" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AskTBar.SettingsPlugin\CurVer\ = "AskTBar.SettingsPlugin.1" C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe

"C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe"

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe"

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

"C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE" "C:\Users\Admin\AppData\Local\Temp\Device\HarddiskVolume3\Users\HaseebP\AppData\Local\Temp\NER53D8.tmp\Toolbar.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SETUP.EXE

MD5 f90f8e211bb2ba49218188caa1dc2f3a
SHA1 8a18eb5ec6f37f9c4f0654069815f30f651b1d8c
SHA256 024fe6f1d33edbdb2a9064564273db5e4e2bf87fa6b6380b8a118a7b110b7035
SHA512 107889d1a470a4a622a3a09ee39077d12a444c6bb90e2897e56720c722db8e926f0853bc5cbc435d211105335ea0db1d334f8811c2c6d5ad63b7072742eb4f7e

C:\Program Files (x86)\AskTBar\bar\1.bin\A5POPSWT.DLL

MD5 69a3eb924678bb23047e6248648e6534
SHA1 844949940edfa51d38c5fa3294892b92c8d3cf8e
SHA256 8150669b6e743bdc725abfd4e51c3da721e4b1a2a86ee2cda4d61f8e2bbee851
SHA512 6f3c3b4a81965a6cf462943f1c0b0c8db1fbe7b89e24459411dc279cb18d534568c2cf0097bfea6848ceca9818bf10f86c1ea4aaf601f1b1e42dbd9ec696dd06

C:\Program Files (x86)\AskTBar\bar\1.bin\ASKTBAR.DLL

MD5 59dbfe16aa20144cb11e7fc8b2d21eaa
SHA1 b4403810c1db8482c5a26b418499a8643e4a6410
SHA256 809bbfa3fb67c79f1901b159b754dd955c5defe28d5879f91972d269d706d55c
SHA512 83ce6c1631d36ebc19be3fc178932f41fdef7c7f8a9dd5d3631527a25f894936477a053ad96d65ba58b8775732741b52af1edc390b260009775406b05df36297

C:\Users\Admin\AppData\Local\Temp\bar.0\A5SRCSP.EXE

MD5 e7d9ce28eae7d5ce00878a39a7d2584f
SHA1 73b4be59997f90e3bb3e87df47efe76b10fa6a92
SHA256 87f40724067f8e3bfbb2d78962f9925ec77b83fb7763513387a016b6b1683439
SHA512 c7bffecd908007e2b53e83f444e3a685f525c022f12d8e2e3733a47f64c00e2165737450ccca4d86738c79d2104cf3ed6652803eb8fd78f36a2a26423600acd5