Analysis Overview
SHA256
9be97149e812fa9082eb7362c8e7e45edf06170b73b0cd70042d13c469b6910a
Threat Level: Shows suspicious behavior
The file dbabc231576ccb7c0b6ad0d335133aa7 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
Checks installed software on the system
Installs/modifies Browser Helper Object
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry class
Suspicious use of WriteProcessMemory
System policy modification
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 12:52
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 12:52
Reported
2024-03-21 12:55
Platform
win7-20240221-en
Max time kernel
120s
Max time network
132s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} = "1" | C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe
"C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe"
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe
.\setup.exe /s
Network
Files
\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\setup.exe
| Hash | Value |
| --- | --- |
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\settings.ini
| Hash | Value |
| --- | --- |
| MD5 | 77a81c0d5a6a48d0eab6368ae62e8424 |
| SHA1 | 1ccf201d4adde8fa4c0dcb6283740cd211396615 |
| SHA256 | 4b525d1fdb106f603369d0c4f30097f7dbddd568963928587bdfbf4cad2166ac |
| SHA512 | 2b8f77947c2da820191076f49aff93c11fbef182e1a0a8ce32a91f062243f2cddfd90a62989b3c1856fc7e5cea86c760948c5a890363bc764fba6e11a8ac8523 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\chrome.manifest
| Hash | Value |
| --- | --- |
| MD5 | 33c15c5d8645488247580f48553a4dac |
| SHA1 | 907d75117e012023484dd13d8292a8e2bfb9121d |
| SHA256 | 03cd4487c1972e7c93acab254c6153a09f014a8e6b45f206e20d4c0d3f9ecf97 |
| SHA512 | 9cbc9901ad9e4ab3599eebfb664802bb12ba8c7fad6ad637f3b5f9c240ef3ebc691b297e1b2dfbce5a7abe221ea966c28517c27f487be88c64c13b8afc7bf749 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\install.rdf
| Hash | Value |
| --- | --- |
| MD5 | 682e5d5db010d2d653f7e9e7911460a0 |
| SHA1 | 6e1f504a6d31ddbc7a88e4c8b372d9c431b80a37 |
| SHA256 | d0c1c270a6716d8eaccedb9718fef081e43aab6119617c86576240586d037e1b |
| SHA512 | e7f5df7b07b3054f2e7b44e686a7a70ad990211b49efad6ca21c4e21817c17f5b61b187a56f5f2562d49969fcb4fd87102b718e06f5042b5cc01259a084fd397 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\indexeddb.js
| Hash | Value |
| --- | --- |
| MD5 | 68a6bef08e9f274a00cf4955e995d4e1 |
| SHA1 | 1bdba16ba99acee9985b31c1acd85bc76059a9af |
| SHA256 | 72a4ee736f80585f65c959388cbe930c2fde20e2536c78b357d05fc195567b1a |
| SHA512 | ce4672506c7c64396bdba8d830cbf00122e76389fee64dc443633611fccfc7d6763cc9796981848da863bb700195c1b7e23fbc05ee641999f234385defa59430 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\jquery.js
| Hash | Value |
| --- | --- |
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\jsext.js
| Hash | Value |
| --- | --- |
| MD5 | 9b15c7c37e348d9e7bdbc3702ba5cd2d |
| SHA1 | 9c4d2f246d14d66c0f4bf13264b35feed1a2b70a |
| SHA256 | 95ae115a3d9d34ff9ded5c32b8a09db7ac0d91cf36aeb374c6b1262ebadb891d |
| SHA512 | 960d5e00f059f59c62bb7ca261299a6de54d4cc78a1b9c52ae77e5bbd36d987126f242719c5608131a65d11cdd7a555ca40a97718e331fb3f7954d09e07b8e51 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\lsdb.js
| Hash | Value |
| --- | --- |
| MD5 | b4e5037dbef3ca965343ee5cb81e8116 |
| SHA1 | 64b4efdae708bf7935104184f912b9cebece0d27 |
| SHA256 | f38ea32b10393864f04312115fdde3c920f8ae5af5c9235b1bf344b8247404ff |
| SHA512 | 3f30146afa0d6e466f7b01b8d8a74bab6d9a33e5cc240e7457b29bc3f5d1dd2a552637ce7e6b3963d2d3aa027f7fd2697189e42c6655f7795b09545df981df03 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\sqlite.js
| Hash | Value |
| --- | --- |
| MD5 | c192f40af50a3a07469c2cccbde6180a |
| SHA1 | 220121844988f76bce87af423cf3ca0998d0f046 |
| SHA256 | 3b2c991174fc1b490659011cadd4ab21f11c7ba8b18908ba4b47ce116b8c7645 |
| SHA512 | 1a84152644c824814ad8b759fcdf3b7b00cb47de1f9c1a35111c75fa9de99253da9dee538de72e6d07ed3a38ee424eb438adf4fc0adb35b3213166fa7afb5753 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\prfdb.js
| Hash | Value |
| --- | --- |
| MD5 | 8d9260f0dc3dd495c1ab2d2eb43e027b |
| SHA1 | 3b2f703a8b6467a5a4c3fb0724905da92b298e2a |
| SHA256 | 9d36809d4dc86118b057400083e6853c6c0e02c93236b11d4ba9f75bbd7ea344 |
| SHA512 | 04028599c078f2a34a54e712d6551c7268e5d9089658178086202441a12539f238d9ac316162c038786439037312ce6e9ca0fd311ba3cc2d0ce99d34dd7532f9 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\[email protected]\content\wx.xul
| Hash | Value |
| --- | --- |
| MD5 | 4953546eed26c1f4b3254e4aa461aa37 |
| SHA1 | cb86024826493c26e2a1befc87d1eaa36848bc96 |
| SHA256 | 92de0bb720f8110cfb1ce49af09dd958959714d4919e3b557095ce8bb1d94707 |
| SHA512 | b9b99a64f7fd63c0cc31e8e1e6f83e32291dff700b1c4af33193d837d9c56e3af2246f5566328bdc14c9dcbf1d510bdfdd78c266749675d92d3f836337fe7cc2 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\mhmiflodoaengponimbfgoaklodmlmdg.crx
| Hash | Value |
| --- | --- |
| MD5 | 07bf88469c9e5a3f16bf7005d5360693 |
| SHA1 | 60cd4ae64028de0662da3b92e56836124ad15801 |
| SHA256 | 27c33e2e0414f1b1dcec831edee5445c756df5f924a3c9cae4e007d97ce42f0e |
| SHA512 | 8f498b2c9140ca9539f8ff743390c87fab7c0607532a0a5bca8c853adb76c5ba62ac7c5229aa4ea96ffd9a203683b289a051090cdd45e5fe6d7c0f355272beab |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\background.html
| Hash | Value |
| --- | --- |
| MD5 | 70ef0a59208f4ef1f444211a777f0796 |
| SHA1 | 990f3523c128a6cc131c98259da419d4ede630bf |
| SHA256 | 362efc2bf7093153dbc6dade8f4ec3d33afc179080882e81d5a6743867c3fa73 |
| SHA512 | 3953fb52096dfe8b7db2794c8d08564b02d20a4c37af74f9b365a9dd21a0e0902c5005a1a40360dae9df41046eccfe2938effee31b24e7dbb00cdbcb29972d2f |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\content.js
| Hash | Value |
| --- | --- |
| MD5 | 73ca4184cdd270c4c19ced2a26b0d799 |
| SHA1 | 1d20d3c360760d75ed3e5d88f1dedcbc08cc28e0 |
| SHA256 | fed1184e04312ea495103c7c5b17c55da205609899239249f36dd3923230578f |
| SHA512 | a829d71c37d402db8400d23330234ea71a0af5ce1960a069588c4aaff25398cf98e8ea8ff84d84004cfaba31716006ada70869d45e969084738c59a54bc71968 |
C:\Users\Admin\AppData\Local\Temp\7zS6D73.tmp\bhoclass.dll
| Hash | Value |
| --- | --- |
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\Bcool\uninstall.exe
| Hash | Value |
| --- | --- |
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 12:52
Reported
2024-03-21 12:55
Platform
win10v2004-20240226-en
Max time kernel
144s
Max time network
157s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\NoExplorer = "1" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\ = "Injector 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ = "ILocalStorage" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ = "C:\\ProgramData\\Bcool\\bhoclass.dll" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\ = "{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CurVer | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\ = "Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\Programmable | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D2F39980-399F-492E-8D88-5FF7CCB3B47F}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\TypeLib | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3016 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe |
| PID 3016 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe |
| PID 3016 wrote to memory of 1556 | N/A | C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe |
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
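The registry rows above are one COM registration spread over many lines: a CLSID named "Bcool Class", its ProgIDs, an interface called IInjectorBHO, a type library whose HELPDIR points at C:\ProgramData\Bcool, and finally an entry under Policies\Ext\CLSID, which is the Internet Explorer "Add-on List" policy (value 1 means the add-on is allowed and the user cannot disable it in Manage Add-ons). The deletes interleaved with the creates are the usual unregister-then-register pattern, and sandbox row order is not guaranteed to be execution order. The script below is an added example, not part of this report or of the analysed sample: it parses rows in the report's own table layout (a constructed subset of the rows above is embedded as sample input) and folds them back into per-object facts. The InprocServer32 default value, which would name the DLL, is not among the rows shown here, so it is reported as absent rather than guessed.

```python
"""Reconstruct a COM / Browser Helper Object registration from sandbox
registry-event rows (added example; not the report's or the sample's code)."""
import re
from collections import defaultdict

# Constructed sample: a subset of the report's rows, in the report's own layout
# (backslashes inside quoted values appear doubled, as they do in the report).
SAMPLE_ROWS = r'''
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\VersionIndependentProgID\ = "bhoclass.bho" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ProgID\ = "bhoclass.bho.1.0" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C2CF0D01-7657-48AA-98C9-AE5E64757FCC}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\ = "Bcool Class" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\bhoclass.bho.bhoclass.bho.1.0\CLSID\ = "{FE712EC4-5BC2-9B5C-6B89-2709438C6080}" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BBA74401-6D6F-4BBD-9F65-E8623814F3BB}\ = "IInjectorBHO" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{FE712EC4-5BC2-9B5C-6B89-2709438C6080} = "1" | C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | N/A |
'''

# One report row: | op | path[ = "value"] | process | target |
ROW = re.compile(
    r'^\|\s*(?P<op>Key created|Key deleted|Set value \([^)]*\))\s*\|'
    r'\s*(?P<path>\\REGISTRY\\[^|=]+?)(?:\s*=\s*"(?P<value>[^"]*)")?\s*\|'
    r'\s*(?P<process>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|\s*$')

GUID = r'(\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})'
# Order matters: the generic ProgID pattern must be tried last.
KINDS = [
    ('bho',       re.compile(r'\\Browser Helper Objects\\' + GUID, re.I)),
    ('policy',    re.compile(r'\\Policies\\Ext\\CLSID\\' + GUID, re.I)),
    ('clsid',     re.compile(r'\\Classes\\(?:WOW6432Node\\)?CLSID\\' + GUID, re.I)),
    ('interface', re.compile(r'\\Classes\\(?:WOW6432Node\\)?Interface\\' + GUID, re.I)),
    ('typelib',   re.compile(r'\\Classes\\(?:WOW6432Node\\)?TypeLib\\' + GUID, re.I)),
    ('progid',    re.compile(r'\\Classes\\([A-Za-z][\w.]*)', re.I)),
]

# Values of HKLM\...\Policies\Ext\CLSID\{clsid}: the IE "Add-on List" policy.
ADDON_POLICY = {'0': 'denied: user cannot enable',
                '1': 'allowed: user cannot disable',
                '2': 'allowed: user may manage'}


def classify(path):
    """Return (kind, identifier, remainder of the path after the identifier)."""
    for kind, pat in KINDS:
        m = pat.search(path)
        if m:
            ident = m.group(1) if kind == 'progid' else m.group(1).upper()
            return kind, ident, path[m.end():]
    return 'other', path, ''


def parse_registry_rows(text):
    """Group rows into objects: {(kind, id): {values, created, deleted, addon_policy}}."""
    objects = defaultdict(lambda: {'values': {}, 'created': set(),
                                   'deleted': set(), 'addon_policy': None})
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        kind, ident, rest = classify(m['path'])
        if kind == 'other':
            continue
        if kind == 'policy':            # fold the policy entry into the CLSID it targets
            objects[('clsid', ident)]['addon_policy'] = m['value'] or ''
            continue
        obj = objects[(kind, ident)]
        if m['op'].startswith('Set value'):
            rel = rest.lstrip('\\')
            if rel == '' or rel.endswith('\\'):   # trailing '\' = the key's (Default) value
                rel += '(Default)'
            obj['values'][rel] = (m['value'] or '').replace('\\\\', '\\')
        elif m['op'] == 'Key created':
            obj['created'].add(rest.strip('\\') or '(self)')
        else:
            obj['deleted'].add(rest.strip('\\') or '(self)')
    return dict(objects)


def describe_clsids(objects):
    """Per registered CLSID, the facts an analyst wants on one line."""
    out = {}
    for (kind, ident), obj in objects.items():
        if kind != 'clsid':
            continue
        v = obj['values']
        out[ident] = {
            'name': v.get('(Default)'),
            'progid': v.get('ProgID\\(Default)'),
            'version_independent_progid': v.get('VersionIndependentProgID\\(Default)'),
            'inproc_server': v.get('InprocServer32\\(Default)'),   # DLL path, None if not in the rows
            'threading_model': v.get('InprocServer32\\ThreadingModel'),
            'addon_policy': obj['addon_policy'],
            'addon_policy_meaning': ADDON_POLICY.get(obj['addon_policy'], 'not set'),
            # The CLSID key deleted as well as created: unregister-then-register pattern.
            'reregistered': '(self)' in obj['deleted'],
        }
    return out


if __name__ == '__main__':
    objs = parse_registry_rows(SAMPLE_ROWS)
    for clsid, facts in describe_clsids(objs).items():
        print(clsid, facts)
    for (kind, ident), obj in objs.items():
        if kind != 'clsid':
            print(kind, ident, obj['values'])
```

Run against the full Registry and System policy tables of a report, the CLSID summary is the quickest way to confirm that the BHO the policy force-enables is the same class the dropped DLL registers, and which ProgID to look for in an `Browser Helper Objects` enumeration on a live host.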
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe | "C:\Users\Admin\AppData\Local\Temp\dbabc231576ccb7c0b6ad0d335133aa7.exe" |
| C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe | .\setup.exe /s |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.227.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
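Most rows in the Network table are reverse (PTR) lookups, and the octets in an in-addr.arpa name are reversed: `71.31.126.40.in-addr.arpa` asks for the name of 40.126.31.71, not 71.31.126.40. Reading the rows literally mis-attributes the addresses, so decode each PTR name before deciding whether the traffic belongs to the sample or to the sandbox OS. The script below is an added example, not part of the report: it parses the table (a constructed subset of the rows above is embedded), rebuilds the address from each PTR name with a round-trip check, and reports which PTR targets also appear as connection destinations in the same table. On these rows only one does, 204.79.197.200, which is the tse1.mm.bing.net endpoint on TCP 443; the other fourteen addresses were looked up without a visible connection here.

```python
"""Decode the PTR rows of a sandbox network table and correlate them with
the forward connections in the same table (added example, not report code)."""
import ipaddress
import re

# Constructed sample: a subset of the report's Network table, same layout.
SAMPLE_NETWORK = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 128.227.79.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 122.10.44.20.in-addr.arpa | udp |
"""

NET_ROW = re.compile(r'^\|\s*(?P<country>[^|]*?)\s*\|\s*(?P<dst>[^|]*?)\s*\|'
                     r'\s*(?P<name>[^|]*?)\s*\|\s*(?P<proto>[^|]*?)\s*\|$')


def ptr_target(name):
    """Address a reverse (PTR) name refers to, or None if it is not one.

    The candidate is rebuilt from the name and round-tripped through
    ipaddress.reverse_pointer, which rejects partial or malformed names."""
    name = name.lower().rstrip('.')
    try:
        if name.endswith('.in-addr.arpa'):
            octets = name[:-len('.in-addr.arpa')].split('.')
            cand = ipaddress.ip_address('.'.join(reversed(octets)))
        elif name.endswith('.ip6.arpa'):
            nibbles = ''.join(reversed(name[:-len('.ip6.arpa')].split('.')))
            cand = ipaddress.ip_address(':'.join(nibbles[i:i + 4] for i in range(0, 32, 4)))
        else:
            return None
    except ValueError:
        return None
    return cand if cand.reverse_pointer == name else None


def parse_network(text):
    """Rows as dicts, each with the decoded PTR target (or None)."""
    rows = []
    for line in text.splitlines():
        m = NET_ROW.match(line.strip())
        if not m or m['country'] == 'Country':      # skip the header row
            continue
        ip, _, port = m['dst'].rpartition(':')
        rows.append({'country': m['country'], 'ip': ip, 'port': int(port),
                     'name': m['name'], 'proto': m['proto'].lower(),
                     'ptr_of': ptr_target(m['name'])})
    return rows


def correlate(rows):
    """Split PTR targets into those the table also shows a connection to
    (mapped to the forward name used) and those with no visible connection."""
    forward = {r['ip']: r['name'] for r in rows
               if r['ptr_of'] is None and r['port'] != 53}
    explained, unexplained = {}, set()
    for r in rows:
        if r['ptr_of'] is None:
            continue
        ip = str(r['ptr_of'])
        if ip in forward:
            explained[ip] = forward[ip]
        else:
            unexplained.add(ip)
    return explained, unexplained


if __name__ == '__main__':
    explained, unexplained = correlate(parse_network(SAMPLE_NETWORK))
    for ip, fwd in explained.items():
        print(f'PTR for {ip}: matches connection to {fwd}')
    print('PTR targets with no visible connection:',
          sorted(unexplained, key=ipaddress.ip_address))
```

The decoded addresses, not the in-addr.arpa strings, are what to pivot on (passive DNS, ownership, other reports); a PTR lookup alone says nothing about which process issued it, so treat the unexplained set as leads to check against the process list rather than as sample IOCs.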
Files
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\setup.exe
| MD5 | 201d2311011ffdf6c762fd46cdeb52ab |
| SHA1 | 65c474ca42a337745e288be0e21f43ceaafd5efe |
| SHA256 | 15c0e4fd6091cda70fa308ea5ee956996f6eb23d24e44700bd5c74bf111cf2aa |
| SHA512 | 235d70114f391d9e7a319d94bdfc49665d147723379de7487ef76cfc968f7faa3191153b32ba1ab466caeeeeef4852381529a168c3acca9a8d5a26dfe0436f6b |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\settings.ini
| MD5 | 77a81c0d5a6a48d0eab6368ae62e8424 |
| SHA1 | 1ccf201d4adde8fa4c0dcb6283740cd211396615 |
| SHA256 | 4b525d1fdb106f603369d0c4f30097f7dbddd568963928587bdfbf4cad2166ac |
| SHA512 | 2b8f77947c2da820191076f49aff93c11fbef182e1a0a8ce32a91f062243f2cddfd90a62989b3c1856fc7e5cea86c760948c5a890363bc764fba6e11a8ac8523 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\chrome.manifest
| MD5 | 33c15c5d8645488247580f48553a4dac |
| SHA1 | 907d75117e012023484dd13d8292a8e2bfb9121d |
| SHA256 | 03cd4487c1972e7c93acab254c6153a09f014a8e6b45f206e20d4c0d3f9ecf97 |
| SHA512 | 9cbc9901ad9e4ab3599eebfb664802bb12ba8c7fad6ad637f3b5f9c240ef3ebc691b297e1b2dfbce5a7abe221ea966c28517c27f487be88c64c13b8afc7bf749 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\install.rdf
| MD5 | 682e5d5db010d2d653f7e9e7911460a0 |
| SHA1 | 6e1f504a6d31ddbc7a88e4c8b372d9c431b80a37 |
| SHA256 | d0c1c270a6716d8eaccedb9718fef081e43aab6119617c86576240586d037e1b |
| SHA512 | e7f5df7b07b3054f2e7b44e686a7a70ad990211b49efad6ca21c4e21817c17f5b61b187a56f5f2562d49969fcb4fd87102b718e06f5042b5cc01259a084fd397 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\indexeddb.js
| MD5 | 68a6bef08e9f274a00cf4955e995d4e1 |
| SHA1 | 1bdba16ba99acee9985b31c1acd85bc76059a9af |
| SHA256 | 72a4ee736f80585f65c959388cbe930c2fde20e2536c78b357d05fc195567b1a |
| SHA512 | ce4672506c7c64396bdba8d830cbf00122e76389fee64dc443633611fccfc7d6763cc9796981848da863bb700195c1b7e23fbc05ee641999f234385defa59430 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\lsdb.js
| MD5 | b4e5037dbef3ca965343ee5cb81e8116 |
| SHA1 | 64b4efdae708bf7935104184f912b9cebece0d27 |
| SHA256 | f38ea32b10393864f04312115fdde3c920f8ae5af5c9235b1bf344b8247404ff |
| SHA512 | 3f30146afa0d6e466f7b01b8d8a74bab6d9a33e5cc240e7457b29bc3f5d1dd2a552637ce7e6b3963d2d3aa027f7fd2697189e42c6655f7795b09545df981df03 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\jsext.js
| MD5 | 9b15c7c37e348d9e7bdbc3702ba5cd2d |
| SHA1 | 9c4d2f246d14d66c0f4bf13264b35feed1a2b70a |
| SHA256 | 95ae115a3d9d34ff9ded5c32b8a09db7ac0d91cf36aeb374c6b1262ebadb891d |
| SHA512 | 960d5e00f059f59c62bb7ca261299a6de54d4cc78a1b9c52ae77e5bbd36d987126f242719c5608131a65d11cdd7a555ca40a97718e331fb3f7954d09e07b8e51 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\jquery.js
| MD5 | 4bab8348a52d17428f684ad1ec3a427e |
| SHA1 | 56c912a8c8561070aee7b9808c5f3b2abec40063 |
| SHA256 | 3739b485ac39b157caa066b883e4d9d3f74c50beff0b86cd8a24ce407b179a23 |
| SHA512 | a693069c66d8316d73a3c01ed9e6a4553c9b92d98b294f0e170cc9f9f5502c814255f5f92b93aeb07e0d6fe4613f9a1d511e1bfd965634f04e6cf18f191a7480 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\prfdb.js
| MD5 | 8d9260f0dc3dd495c1ab2d2eb43e027b |
| SHA1 | 3b2f703a8b6467a5a4c3fb0724905da92b298e2a |
| SHA256 | 9d36809d4dc86118b057400083e6853c6c0e02c93236b11d4ba9f75bbd7ea344 |
| SHA512 | 04028599c078f2a34a54e712d6551c7268e5d9089658178086202441a12539f238d9ac316162c038786439037312ce6e9ca0fd311ba3cc2d0ce99d34dd7532f9 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\sqlite.js
| MD5 | c192f40af50a3a07469c2cccbde6180a |
| SHA1 | 220121844988f76bce87af423cf3ca0998d0f046 |
| SHA256 | 3b2c991174fc1b490659011cadd4ab21f11c7ba8b18908ba4b47ce116b8c7645 |
| SHA512 | 1a84152644c824814ad8b759fcdf3b7b00cb47de1f9c1a35111c75fa9de99253da9dee538de72e6d07ed3a38ee424eb438adf4fc0adb35b3213166fa7afb5753 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\[email protected]\content\wx.xul
| MD5 | 4953546eed26c1f4b3254e4aa461aa37 |
| SHA1 | cb86024826493c26e2a1befc87d1eaa36848bc96 |
| SHA256 | 92de0bb720f8110cfb1ce49af09dd958959714d4919e3b557095ce8bb1d94707 |
| SHA512 | b9b99a64f7fd63c0cc31e8e1e6f83e32291dff700b1c4af33193d837d9c56e3af2246f5566328bdc14c9dcbf1d510bdfdd78c266749675d92d3f836337fe7cc2 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\mhmiflodoaengponimbfgoaklodmlmdg.crx
| MD5 | 07bf88469c9e5a3f16bf7005d5360693 |
| SHA1 | 60cd4ae64028de0662da3b92e56836124ad15801 |
| SHA256 | 27c33e2e0414f1b1dcec831edee5445c756df5f924a3c9cae4e007d97ce42f0e |
| SHA512 | 8f498b2c9140ca9539f8ff743390c87fab7c0607532a0a5bca8c853adb76c5ba62ac7c5229aa4ea96ffd9a203683b289a051090cdd45e5fe6d7c0f355272beab |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\background.html
| MD5 | 70ef0a59208f4ef1f444211a777f0796 |
| SHA1 | 990f3523c128a6cc131c98259da419d4ede630bf |
| SHA256 | 362efc2bf7093153dbc6dade8f4ec3d33afc179080882e81d5a6743867c3fa73 |
| SHA512 | 3953fb52096dfe8b7db2794c8d08564b02d20a4c37af74f9b365a9dd21a0e0902c5005a1a40360dae9df41046eccfe2938effee31b24e7dbb00cdbcb29972d2f |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\content.js
| MD5 | 73ca4184cdd270c4c19ced2a26b0d799 |
| SHA1 | 1d20d3c360760d75ed3e5d88f1dedcbc08cc28e0 |
| SHA256 | fed1184e04312ea495103c7c5b17c55da205609899239249f36dd3923230578f |
| SHA512 | a829d71c37d402db8400d23330234ea71a0af5ce1960a069588c4aaff25398cf98e8ea8ff84d84004cfaba31716006ada70869d45e969084738c59a54bc71968 |
C:\Users\Admin\AppData\Local\Temp\7zSBCE7.tmp\bhoclass.dll
| MD5 | ac13c733379328f86568f6e514c2f7f8 |
| SHA1 | 338901240fedcef4e3892fd4c723c89154f4de05 |
| SHA256 | 7bf09b5c2a9b6348227199c1b3951b57907ca6a5c215a04ad8d5e43232f5b562 |
| SHA512 | 35f69a82694a2ea4268a3dde7940af6bd1c87a32d93a72723464f90e4e818805be9e80872469d1cc29150a9aac872fc78613a584baa1327dfa8478c2de5672c4 |
C:\ProgramData\Bcool\uninstall.exe
| MD5 | 2628f4240552cc3b2ba04ee51078ae0c |
| SHA1 | 5b0cca662149240d1fd4354beac1338e97e334ea |
| SHA256 | 03c965d0bd9827a978ef4080139533573aa800c9803599c0ce91da48506ad8f6 |
| SHA512 | 6ecfcc97126373e82f1edab47020979d7706fc2be39ca792e8f30595133cd762cd4a65a246bee9180713e40e61efa373ecfb5eb72501ee18b38f13e32e61793b |
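Among the dropped files is mhmiflodoaengponimbfgoaklodmlmdg.crx, named with a Chrome extension ID. Chrome derives that ID from the SHA-256 of the DER-encoded signing public key: the first 16 bytes, hex-encoded, with the digits 0-9a-f remapped to the letters a-p. A useful triage check is therefore to pull the key out of the CRX container and confirm that the ID it yields matches the file name (and, for the CRX3 layout, the crx_id in the signed header). The script below is an added example, not part of the report or of the sample: it handles both the CRX2 layout (magic, version, key length, signature length, key, signature, zip) and the CRX3 layout (magic, version, header length, a CrxFileHeader protobuf, zip). Because the report carries hashes but no file content, the containers it parses are synthetic, built around a placeholder key that is not a real DER blob.

```python
"""Check that a .crx is named with the extension ID of the key inside it
(added example; synthetic containers, placeholder key; not report code)."""
import hashlib
import struct


def id_from_digest(digest16: bytes) -> str:
    """Map 16 digest bytes to the 32-letter a-p alphabet Chrome uses."""
    return ''.join(chr(ord('a') + int(c, 16)) for c in digest16.hex())


def extension_id(public_key_der: bytes) -> str:
    return id_from_digest(hashlib.sha256(public_key_der).digest()[:16])


def _varint(buf, i):
    val, shift = 0, 0
    while True:
        b = buf[i]; i += 1
        val |= (b & 0x7F) << shift
        if not b & 0x80:
            return val, i
        shift += 7


def _fields(buf):
    """Minimal protobuf walk: (field_no, payload) for length-delimited fields."""
    out, i = [], 0
    while i < len(buf):
        tag, i = _varint(buf, i)
        fno, wtype = tag >> 3, tag & 7
        if wtype == 2:
            ln, i = _varint(buf, i)
            out.append((fno, buf[i:i + ln])); i += ln
        elif wtype == 0:
            _, i = _varint(buf, i)
        elif wtype in (1, 5):
            i += 8 if wtype == 1 else 4
        else:
            raise ValueError('unsupported protobuf wire type')
    return out


def parse_crx(data: bytes) -> dict:
    """Keys, the IDs they derive to, and (CRX3 only) the ID from the signed header."""
    if data[:4] != b'Cr24':
        raise ValueError('bad CRX magic')
    version, = struct.unpack_from('<I', data, 4)
    if version == 2:        # Cr24 | ver | key_len | sig_len | key | sig | zip
        key_len, sig_len = struct.unpack_from('<II', data, 8)
        key = data[16:16 + key_len]
        return {'version': 2, 'key_ids': [extension_id(key)], 'header_id': None,
                'zip_offset': 16 + key_len + sig_len}
    if version == 3:        # Cr24 | ver | header_len | CrxFileHeader protobuf | zip
        hdr_len, = struct.unpack_from('<I', data, 8)
        keys, header_id = [], None
        for fno, payload in _fields(data[12:12 + hdr_len]):
            if fno in (2, 3):        # sha256_with_rsa / sha256_with_ecdsa proofs
                keys += [v for sub, v in _fields(payload) if sub == 1]      # public_key
            elif fno == 10000:       # signed_header_data -> SignedData.crx_id
                header_id = next((id_from_digest(v) for sub, v in _fields(payload)
                                  if sub == 1), None)
        return {'version': 3, 'key_ids': [extension_id(k) for k in keys],
                'header_id': header_id, 'zip_offset': 12 + hdr_len}
    raise ValueError(f'unsupported CRX version {version}')


def check_name(filename: str, data: bytes) -> dict:
    """Compare the ID in the file name with the IDs derived from the container."""
    info = parse_crx(data)
    name = filename.replace('\\', '/').rsplit('/', 1)[-1]
    name_id = name[:-4] if name.endswith('.crx') else name
    return {'name_id': name_id, 'key_ids': info['key_ids'], 'header_id': info['header_id'],
            'name_matches_key': name_id in info['key_ids'],
            'header_matches_key': info['header_id'] is None
            or info['header_id'] in info['key_ids']}


# Builders for synthetic containers: placeholder key, zero signature, empty zip.
def _vint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80); n >>= 7
    out.append(n)
    return bytes(out)

def _ld(fno, payload):
    return _vint((fno << 3) | 2) + _vint(len(payload)) + payload

EMPTY_ZIP = b'PK\x05\x06' + b'\x00' * 18

def build_crx2(key, sig=b'\x00' * 8):
    return b'Cr24' + struct.pack('<III', 2, len(key), len(sig)) + key + sig + EMPTY_ZIP

def build_crx3(key, sig=b'\x00' * 8):
    crx_id = hashlib.sha256(key).digest()[:16]
    header = _ld(2, _ld(1, key) + _ld(2, sig)) + _ld(10000, _ld(1, crx_id))
    return b'Cr24' + struct.pack('<II', 3, len(header)) + header + EMPTY_ZIP
```

A mismatch between the name and the key-derived ID means the file was renamed or repacked after signing and the name cannot be used to look the extension up; the signature itself is not verified here, so a match confirms identity, not integrity. The `zip_offset` is where to slice the archive for manifest.json and the scripts (the dropped background.html and content.js suggest what to expect).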