Malware Analysis Report

2025-01-18 21:26

Sample ID 240321-1xagnsde4v
Target dcb7db1f2655a4b8d2e2ac65f800bc8b
SHA256 50efe19f592ecedce03338073485312af4c98215eb2ed3a1a82c1155d20c74c4
Tags
adware discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

50efe19f592ecedce03338073485312af4c98215eb2ed3a1a82c1155d20c74c4

Threat Level: Shows suspicious behavior

The file dcb7db1f2655a4b8d2e2ac65f800bc8b was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Installs/modifies Browser Helper Object

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 22:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 22:01

Reported

2024-03-21 22:03

Platform

win7-20240220-en

Max time kernel

118s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{2228CCBC-B24A-0129-5211-70118C68BA55}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ = "Bcool Class" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\Programmable C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{2228CCBC-B24A-0129-5211-70118C68BA55}" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID\ = "bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} = "1" C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe

"C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe"

C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe


\Users\Admin\AppData\Local\Temp\nsi1037.tmp\UserInfo.dll


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\settings.ini


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\bootstrap.js


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\chrome.manifest


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\install.rdf


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\content\bg.js


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\content\zy.xul


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\igjnagejhhalgkbmgilcbaphkbhjcfdn.crx


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\background.html


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\content.js


C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\bhoclass.dll


C:\ProgramData\Bcool\uninstall.exe


Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 22:01

Reported

2024-03-21 22:03

Platform

win10v2004-20231215-en

Max time kernel

94s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{2228CCBC-B24A-0129-5211-70118C68BA55}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{2228CCBC-B24A-0129-5211-70118C68BA55}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\Programmable C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID\ = "bhoclass.dll.1.0" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID\ = "bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ = "Bcool Class" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} = "1" C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe

"C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe"

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe

.\setup.exe /s

Network

Files

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\settings.ini

C:\Users\Admin\AppData\Local\Temp\nsz443E.tmp\UserInfo.dll

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\bootstrap.js

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\chrome.manifest

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\install.rdf

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\content\bg.js

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\content\zy.xul

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\igjnagejhhalgkbmgilcbaphkbhjcfdn.crx

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\background.html

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\content.js

C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\bhoclass.dll

C:\ProgramData\Bcool\uninstall.exe
