Analysis Overview
SHA256
50efe19f592ecedce03338073485312af4c98215eb2ed3a1a82c1155d20c74c4
Threat Level: Shows suspicious behavior
The file dcb7db1f2655a4b8d2e2ac65f800bc8b was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Installs/modifies Browser Helper Object
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 22:01
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 22:01
Reported
2024-03-21 22:03
Platform
win7-20240220-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{2228CCBC-B24A-0129-5211-70118C68BA55}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{2228CCBC-B24A-0129-5211-70118C68BA55}" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID\ = "bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe
"C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe"
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\setup.exe
| Hash | Value |
| --- | --- |
| MD5 | 4ccf1a317aa8539c857835e4ebe9c806 |
| SHA1 | 223b73d09d7398f40aff3ccc569e66cae3886ee9 |
| SHA256 | 4529889c5575cd4e28b3691f0489c806442840292a9e459ada4dab3e024cc242 |
| SHA512 | ecab68799b5a51c7d2a3735a9b3c17ba20a315618aa9575a5b02d5d4535716966031a26982012669f069dbfd8a6ab62f95737b7c402bf680f3a498900f627312 |
\Users\Admin\AppData\Local\Temp\nsi1037.tmp\UserInfo.dll
| Hash | Value |
| --- | --- |
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\settings.ini
| Hash | Value |
| --- | --- |
| MD5 | 4d0c45bfd18d319c8e8674dc4a0d9749 |
| SHA1 | 97031d00fd21b29f049ddcf7b01de09a106fcec5 |
| SHA256 | 6b089703d33f0035a912e3e1d608256c37d394ad1550c1184b19afc272c4e3b5 |
| SHA512 | 5f495f5f7e93fadb7506743b217d98f325a4179dac5270fdc1a53b43598bc770d657d299257dd4e40a23c0883628f4ae62167d4ec741ad5e874f125b31432722 |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\bootstrap.js
| Hash | Value |
| --- | --- |
| MD5 | 1ea48e82d5c30d17b4f767d24d2b931b |
| SHA1 | a66ee0461eec71405db0d55f8a99f65347cfa2d7 |
| SHA256 | e12cf6794432571425714261d2118728536cf283963cccf8f1f7439945acd19e |
| SHA512 | 1e098ebeead00045a2c42525b2874fb107096ced44f6240a22317957293ead172ec18da183db4cbe1fb02a7ea7e9e1dd37d01caba44830e8b9dbf52d99e56a96 |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\chrome.manifest
| Hash | Value |
| --- | --- |
| MD5 | 17a4a33520a9b91878d3be86d44641f5 |
| SHA1 | 0c382218a75af8e57a07377b3e820d612bd7ff7f |
| SHA256 | a1becb897aaacb4826771e613d0b506dd5bf2637846d046245050f0a6aea99eb |
| SHA512 | a4841d20a689bde48229309936b706df9d171a6cffeaf8dfd1129f70dbb2a598db41a79dc065d378671b5f3086c00e55212aee4bf2d866d64975d440bbe596b2 |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\install.rdf
| Hash | Value |
| --- | --- |
| MD5 | 8bf8c7f735c5f266af25778861071c21 |
| SHA1 | 1c9052d8b722236a162d91b71c68e7421f46d2c5 |
| SHA256 | 13d358ac31e5294176a0d1d2cd4147962c9235b9cffc3ba26d4da111ee660716 |
| SHA512 | 6bc0818f16ce65d9c166b675db69df678da72913fec2a1406045fe7c290bb18e40c3ec2a125ccdd625ad2c18e9b5c762b9ca665f4f71589843c0789827477909 |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\content\bg.js
| Hash | Value |
| --- | --- |
| MD5 | 38eb9589652a07f94e6197bbb4d900d6 |
| SHA1 | a06207341149758a97e4f53cdc99fbcafbc1870d |
| SHA256 | 39417ffce25096b6a0385aa98dc308582122ebaa09425dbf442261467c9de5e5 |
| SHA512 | fd15a304e17a771582ebffeb969ed38b3a596c951d72f469c72c01a67e41ceb3370803b15e49a29d68cbff26a9b9d7a008942bc461283889fc3b92effd560a43 |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\[email protected]\content\zy.xul
| Hash | Value |
| --- | --- |
| MD5 | 1fb17c53167bf552de47e1f643c135fb |
| SHA1 | 167fd4f997bcd1ffa8fe78860b22527cf402cf58 |
| SHA256 | bb9b73c7515e5e4f6bcc36613d1d39d7eb9155b1335a381f01c3f9f4f8a1abed |
| SHA512 | 81678b14e4fa42d1e2c3534de097475cbf3363079d14a46ef96dcb54b49e634740723938b41267483a399183d012054049da84e32fbcaaa32244f39e19da9dd3 |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\igjnagejhhalgkbmgilcbaphkbhjcfdn.crx
| Hash | Value |
| --- | --- |
| MD5 | 801596ebc92bdb8d1db7999c796573b5 |
| SHA1 | a997e1102488c17a5ddf9d06e298e343774ccb95 |
| SHA256 | 7b33b2b465dbdcc4de475812a7912864aba6390f982b6e98013d64a16fbc17d8 |
| SHA512 | 8fb666de6d725bf1fc82323834801bbef60ab91b9eb3d165df62cd76d309edf78e60249c44a936f96e19f660804eb17b223109e48afcb9e2210f5a7cd4cb03a6 |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\background.html
| Hash | Value |
| --- | --- |
| MD5 | 9f8664c8140576f6b379642c76a61e5d |
| SHA1 | 5e749479bfc9f3a6b62af74eb6ab3b6ebe7356ac |
| SHA256 | 721bf5edcbc2be5dc29662fb51bba26155d5bb68060798768bc32efbaf5fc0f1 |
| SHA512 | dd1ee6e4fe751e665fffd81e78cfe2fdec76ec212139910359a1f4d1ee695abf28902f0fc5f571a33709839e269ef48ec02b6e58e63597ee9e02f49c5f2e595e |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\content.js
| Hash | Value |
| --- | --- |
| MD5 | a085de2113f5dd20fa31db46a17a8658 |
| SHA1 | 1cd932f10d10fd443a20e7c3966cee92d412ed7d |
| SHA256 | c53bf9df0ceb4c9c2191049cbe0318dfce2d75457daed7e3d18ac0dbd64aceff |
| SHA512 | f5ab1ec88d97f976540a9fb8c055d84d55e5069c2cf759434fb7283d9dd6799777cbc2e9abe817946f436fa1b15ff19f7954ecfbaefb6c02f21bfb2acc8c4ca8 |
C:\Users\Admin\AppData\Local\Temp\7zSFBA.tmp\bhoclass.dll
| Hash | Value |
| --- | --- |
| MD5 | 474a025909c75c607905b9e2cae8a56f |
| SHA1 | 83ed7383c8aa53c6134a2b0a701b7b272c5c7c1e |
| SHA256 | 25ab733f417a9def519ff2443f38cff31baa02743cac803f53f662c875b9be5f |
| SHA512 | 29d14b6143a45c76904beb6d7ba2d8020f13cd407c66d6eed8825b9e722138f11945a3747988beda0f5bf33acbcb3fcdf8a411a2fc9b07fe501938dc590d03f1 |
C:\ProgramData\Bcool\uninstall.exe
| Hash | Value |
| --- | --- |
| MD5 | a724dac649142fef71fe4b529684e969 |
| SHA1 | e2878e84886ec53a1332ad969a825062526b5cd4 |
| SHA256 | b58c58b5073034d74c5d93902bbb9d402be063e907bdf77115b55bbb99af21dc |
| SHA512 | 9f475ad52fa2b7f82e74df87c02e42f937b5e3b62773b7d51cb53facfcc8b4934ad3c2fc21496cfabaa4dd103a309ed5cccad1ad3d6037f6c4f3a540e3e9d5b3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 22:01
Reported
2024-03-21 22:03
Platform
win10v2004-20231215-en
Max time kernel
94s
Max time network
122s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{2228CCBC-B24A-0129-5211-70118C68BA55} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID\ = "{2228CCBC-B24A-0129-5211-70118C68BA55}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID\ = "{2228CCBC-B24A-0129-5211-70118C68BA55}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CurVer\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID\ = "bhoclass.dll.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\VersionIndependentProgID\ = "bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.dll.bhoclass.dll\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5036 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe |
| PID 5036 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe |
| PID 5036 wrote to memory of 3272 | N/A | C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{2228CCBC-B24A-0129-5211-70118C68BA55} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe
"C:\Users\Admin\AppData\Local\Temp\dcb7db1f2655a4b8d2e2ac65f800bc8b.exe"
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe
.\setup.exe /s
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 207.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\setup.exe
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\settings.ini
C:\Users\Admin\AppData\Local\Temp\nsz443E.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\bootstrap.js
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\chrome.manifest
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\install.rdf
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\content\bg.js
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\[email protected]\content\zy.xul
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\igjnagejhhalgkbmgilcbaphkbhjcfdn.crx
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\background.html
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\content.js
C:\Users\Admin\AppData\Local\Temp\7zS4323.tmp\bhoclass.dll
C:\ProgramData\Bcool\uninstall.exe