Malware Analysis Report

2025-01-18 21:30

Sample ID 240321-p4hwvadd8w
Target dbabc231576ccb7c0b6ad0d335133aa7
SHA256 9be97149e812fa9082eb7362c8e7e45edf06170b73b0cd70042d13c469b6910a
Tags adware, discovery, spyware, stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

9be97149e812fa9082eb7362c8e7e45edf06170b73b0cd70042d13c469b6910a

Threat Level: Shows suspicious behavior

The file dbabc231576ccb7c0b6ad0d335133aa7 was found to show suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Checks installed software on the system

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Unsigned PE

NSIS installer

Modifies registry class

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-21 12:52

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-21 12:52

Reported

2024-03-21 12:55

Platform

win7-20240221-en

Max time kernel

120s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A

System policy modification

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe

"C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe

.\setup.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\settings.ini

MD5 77a81c0d5a6a48d0eab6368ae62e8424
SHA1 1ccf201d4adde8fa4c0dcb6283740cd211396615
SHA256 4b525d1fdb106f603369d0c4f30097f7dbddd568963928587bdfbf4cad2166ac
SHA512 2b8f77947c2da820191076f49aff93c11fbef182e1a0a8ce32a91f062243f2cddfd90a62989b3c1856fc7e5cea86c760948c5a890363bc764fba6e11a8ac8523

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\chrome.manifest

MD5 33c15c5d8645488247580f48553a4dac
SHA1 907d75117e012023484dd13d8292a8e2bfb9121d
SHA256 03cd4487c1972e7c93acab254c6153a09f014a8e6b45f206e20d4c0d3f9ecf97
SHA512 9cbc9901ad9e4ab3599eebfb664802bb12ba8c7fad6ad637f3b5f9c240ef3ebc691b297e1b2dfbce5a7abe221ea966c28517c27f487be88c64c13b8afc7bf749

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\install.rdf

MD5 682e5d5db010d2d653f7e9e7911460a0
SHA1 6e1f504a6d31ddbc7a88e4c8b372d9c431b80a37
SHA256 d0c1c270a6716d8eaccedb9718fef081e43aab6119617c86576240586d037e1b
SHA512 e7f5df7b07b3054f2e7b44e686a7a70ad990211b49efad6ca21c4e21817c17f5b61b187a56f5f2562d49969fcb4fd87102b718e06f5042b5cc01259a084fd397

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\indexeddb.js

MD5 68a6bef08e9f274a00cf4955e995d4e1
SHA1 1bdba16ba99acee9985b31c1acd85bc76059a9af
SHA256 72a4ee736f80585f65c959388cbe930c2fde20e2536c78b357d05fc195567b1a
SHA512 ce4672506c7c64396bdba8d830cbf00122e76389fee64dc443633611fccfc7d6763cc9796981848da863bb700195c1b7e23fbc05ee641999f234385defa59430

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\jsext.js

MD5 9b15c7c37e348d9e7bdbc3702ba5cd2d
SHA1 9c4d2f246d14d66c0f4bf13264b35feed1a2b70a
SHA256 95ae115a3d9d34ff9ded5c32b8a09db7ac0d91cf36aeb374c6b1262ebadb891d
SHA512 960d5e00f059f59c62bb7ca261299a6de54d4cc78a1b9c52ae77e5bbd36d987126f242719c5608131a65d11cdd7a555ca40a97718e331fb3f7954d09e07b8e51

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\lsdb.js

MD5 b4e5037dbef3ca965343ee5cb81e8116
SHA1 64b4efdae708bf7935104184f912b9cebece0d27
SHA256 f38ea32b10393864f04312115fdde3c920f8ae5af5c9235b1bf344b8247404ff
SHA512 3f30146afa0d6e466f7b01b8d8a74bab6d9a33e5cc240e7457b29bc3f5d1dd2a552637ce7e6b3963d2d3aa027f7fd2697189e42c6655f7795b09545df981df03

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\sqlite.js

MD5 c192f40af50a3a07469c2cccbde6180a
SHA1 220121844988f76bce87af423cf3ca0998d0f046
SHA256 3b2c991174fc1b490659011cadd4ab21f11c7ba8b18908ba4b47ce116b8c7645
SHA512 1a84152644c824814ad8b759fcdf3b7b00cb47de1f9c1a35111c75fa9de99253da9dee538de72e6d07ed3a38ee424eb438adf4fc0adb35b3213166fa7afb5753

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\prfdb.js

MD5 8d9260f0dc3dd495c1ab2d2eb43e027b
SHA1 3b2f703a8b6467a5a4c3fb0724905da92b298e2a
SHA256 9d36809d4dc86118b057400083e6853c6c0e02c93236b11d4ba9f75bbd7ea344
SHA512 04028599c078f2a34a54e712d6551c7268e5d9089658178086202441a12539f238d9ac316162c038786439037312ce6e9ca0fd311ba3cc2d0ce99d34dd7532f9

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\wx.xul

MD5 4953546eed26c1f4b3254e4aa461aa37
SHA1 cb86024826493c26e2a1befc87d1eaa36848bc96
SHA256 92de0bb720f8110cfb1ce49af09dd958959714d4919e3b557095ce8bb1d94707
SHA512 b9b99a64f7fd63c0cc31e8e1e6f83e32291dff700b1c4af33193d837d9c56e3af2246f5566328bdc14c9dcbf1d510bdfdd78c266749675d92d3f836337fe7cc2

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\mhmiflodoaengponimbfgoaklodmlmdg.crx

MD5 07bf88469c9e5a3f16bf7005d5360693
SHA1 60cd4ae64028de0662da3b92e56836124ad15801
SHA256 27c33e2e0414f1b1dcec831edee5445c756df5f924a3c9cae4e007d97ce42f0e
SHA512 8f498b2c9140ca9539f8ff743390c87fab7c0607532a0a5bca8c853adb76c5ba62ac7c5229aa4ea96ffd9a203683b289a051090cdd45e5fe6d7c0f355272beab

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\background.html

MD5 70ef0a59208f4ef1f444211a777f0796
SHA1 990f3523c128a6cc131c98259da419d4ede630bf
SHA256 362efc2bf7093153dbc6dade8f4ec3d33afc179080882e81d5a6743867c3fa73
SHA512 3953fb52096dfe8b7db2794c8d08564b02d20a4c37af74f9b365a9dd21a0e0902c5005a1a40360dae9df41046eccfe2938effee31b24e7dbb00cdbcb29972d2f

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\content.js

MD5 73ca4184cdd270c4c19ced2a26b0d799
SHA1 1d20d3c360760d75ed3e5d88f1dedcbc08cc28e0
SHA256 fed1184e04312ea495103c7c5b17c55da205609899239249f36dd3923230578f
SHA512 a829d71c37d402db8400d23330234ea71a0af5ce1960a069588c4aaff25398cf98e8ea8ff84d84004cfaba31716006ada70869d45e969084738c59a54bc71968

C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\Bcool\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 12:52

Reported

2024-03-21 12:55

Platform

win10v2004-20240226-en

Max time kernel

144s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A

Enumerates physical storage devices

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} = "1" C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe

"C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe"

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe

.\setup.exe /s

Network


Files

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe

MD5 201d2311011ffdf6c762fd46cdeb52ab
SHA1 65c474ca42a337745e288be0e21f43ceaafd5efe
SHA256 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa
SHA512 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\settings.ini

MD5 77a81c0d5a6a48d0eab6368ae62e8424
SHA1 1ccf201d4adde8fa4c0dcb6283740cd211396615
SHA256 4b525d1fdb106f603369d0c4f30097f7dbddd568963928587bdfbf4cad2166ac
SHA512 2b8f77947c2da820191076f49aff93c11fbef182e1a0a8ce32a91f062243f2cddfd90a62989b3c1856fc7e5cea86c760948c5a890363bc764fba6e11a8ac8523

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\chrome.manifest

MD5 33c15c5d8645488247580f48553a4dac
SHA1 907d75117e012023484dd13d8292a8e2bfb9121d
SHA256 03cd4487c1972e7c93acab254c6153a09f014a8e6b45f206e20d4c0d3f9ecf97
SHA512 9cbc9901ad9e4ab3599eebfb664802bb12ba8c7fad6ad637f3b5f9c240ef3ebc691b297e1b2dfbce5a7abe221ea966c28517c27f487be88c64c13b8afc7bf749

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\install.rdf

MD5 682e5d5db010d2d653f7e9e7911460a0
SHA1 6e1f504a6d31ddbc7a88e4c8b372d9c431b80a37
SHA256 d0c1c270a6716d8eaccedb9718fef081e43aab6119617c86576240586d037e1b
SHA512 e7f5df7b07b3054f2e7b44e686a7a70ad990211b49efad6ca21c4e21817c17f5b61b187a56f5f2562d49969fcb4fd87102b718e06f5042b5cc01259a084fd397

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\indexeddb.js

MD5 68a6bef08e9f274a00cf4955e995d4e1
SHA1 1bdba16ba99acee9985b31c1acd85bc76059a9af
SHA256 72a4ee736f80585f65c959388cbe930c2fde20e2536c78b357d05fc195567b1a
SHA512 ce4672506c7c64396bdba8d830cbf00122e76389fee64dc443633611fccfc7d6763cc9796981848da863bb700195c1b7e23fbc05ee641999f234385defa59430

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\lsdb.js

MD5 b4e5037dbef3ca965343ee5cb81e8116
SHA1 64b4efdae708bf7935104184f912b9cebece0d27
SHA256 f38ea32b10393864f04312115fdde3c920f8ae5af5c9235b1bf344b8247404ff
SHA512 3f30146afa0d6e466f7b01b8d8a74bab6d9a33e5cc240e7457b29bc3f5d1dd2a552637ce7e6b3963d2d3aa027f7fd2697189e42c6655f7795b09545df981df03

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\jsext.js

MD5 9b15c7c37e348d9e7bdbc3702ba5cd2d
SHA1 9c4d2f246d14d66c0f4bf13264b35feed1a2b70a
SHA256 95ae115a3d9d34ff9ded5c32b8a09db7ac0d91cf36aeb374c6b1262ebadb891d
SHA512 960d5e00f059f59c62bb7ca261299a6de54d4cc78a1b9c52ae77e5bbd36d987126f242719c5608131a65d11cdd7a555ca40a97718e331fb3f7954d09e07b8e51

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\jquery.js

MD5 4bab8348a52d17428f684ad1ec3a427e
SHA1 56c912a8c8561070aee7b9808c5f3b2abec40063
SHA256 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23
SHA512 a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\prfdb.js

MD5 8d9260f0dc3dd495c1ab2d2eb43e027b
SHA1 3b2f703a8b6467a5a4c3fb0724905da92b298e2a
SHA256 9d36809d4dc86118b057400083e6853c6c0e02c93236b11d4ba9f75bbd7ea344
SHA512 04028599c078f2a34a54e712d6551c7268e5d9089658178086202441a12539f238d9ac316162c038786439037312ce6e9ca0fd311ba3cc2d0ce99d34dd7532f9

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\sqlite.js

MD5 c192f40af50a3a07469c2cccbde6180a
SHA1 220121844988f76bce87af423cf3ca0998d0f046
SHA256 3b2c991174fc1b490659011cadd4ab21f11c7ba8b18908ba4b47ce116b8c7645
SHA512 1a84152644c824814ad8b759fcdf3b7b00cb47de1f9c1a35111c75fa9de99253da9dee538de72e6d07ed3a38ee424eb438adf4fc0adb35b3213166fa7afb5753

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\wx.xul

MD5 4953546eed26c1f4b3254e4aa461aa37
SHA1 cb86024826493c26e2a1befc87d1eaa36848bc96
SHA256 92de0bb720f8110cfb1ce49af09dd958959714d4919e3b557095ce8bb1d94707
SHA512 b9b99a64f7fd63c0cc31e8e1e6f83e32291dff700b1c4af33193d837d9c56e3af2246f5566328bdc14c9dcbf1d510bdfdd78c266749675d92d3f836337fe7cc2

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\mhmiflodoaengponimbfgoaklodmlmdg.crx

MD5 07bf88469c9e5a3f16bf7005d5360693
SHA1 60cd4ae64028de0662da3b92e56836124ad15801
SHA256 27c33e2e0414f1b1dcec831edee5445c756df5f924a3c9cae4e007d97ce42f0e
SHA512 8f498b2c9140ca9539f8ff743390c87fab7c0607532a0a5bca8c853adb76c5ba62ac7c5229aa4ea96ffd9a203683b289a051090cdd45e5fe6d7c0f355272beab

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\background.html

MD5 70ef0a59208f4ef1f444211a777f0796
SHA1 990f3523c128a6cc131c98259da419d4ede630bf
SHA256 362efc2bf7093153dbc6dade8f4ec3d33afc179080882e81d5a6743867c3fa73
SHA512 3953fb52096dfe8b7db2794c8d08564b02d20a4c37af74f9b365a9dd21a0e0902c5005a1a40360dae9df41046eccfe2938effee31b24e7dbb00cdbcb29972d2f

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\content.js

MD5 73ca4184cdd270c4c19ced2a26b0d799
SHA1 1d20d3c360760d75ed3e5d88f1dedcbc08cc28e0
SHA256 fed1184e04312ea495103c7c5b17c55da205609899239249f36dd3923230578f
SHA512 a829d71c37d402db8400d23330234ea71a0af5ce1960a069588c4aaff25398cf98e8ea8ff84d84004cfaba31716006ada70869d45e969084738c59a54bc71968

C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\bhoclass.dll

MD5 ac13c733379328f86568f6e514c2f7f8
SHA1 338901240fedcef4e3892fd4c723c89154f4de05
SHA256 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562
SHA512 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4

C:\ProgramData\Bcool\uninstall.exe

MD5 2628f4240552cc3b2ba04ee51078ae0c
SHA1 5b0cca662149240d1fd4354beac1338e97e334ea
SHA256 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6
SHA512 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b