Malware Analysis Report

2025-01-18 21:12

Sample ID 240325-afx9asde7t
Target dcc22abb9b2e14591c21a099fbeea781
SHA256 20c575a4f4ada48670b5998b6e6e5497999848f444fb62fbd2119cf181d0359b
Tags: adware discovery spyware stealer upx

Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: 20c575a4f4ada48670b5998b6e6e5497999848f444fb62fbd2119cf181d0359b

Threat Level: Shows suspicious behavior

The file dcc22abb9b2e14591c21a099fbeea781 was classified as: Shows suspicious behavior.

Malicious Activity Summary

adware discovery spyware stealer upx

UPX packed file

Executes dropped EXE

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Reads user/profile data of web browsers

Checks installed software on the system

Installs/modifies Browser Helper Object

Enumerates physical storage devices

Unsigned PE

NSIS installer

System policy modification

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-25 00:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-25 00:09

Reported

2024-03-25 00:12

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcc22abb9b2e14591c21a099fbeea781.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D629A1ED-60D6-EAC1-910A-198481E52DA6} C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6} C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\InProcServer32\ = "C:\\ProgramData\\Bcool\\50e1076cc9858.dll" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\50e1076cc9858.tlb" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\ProgID C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\ProgID\ = "Bcool.1" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6} = "1" C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dcc22abb9b2e14591c21a099fbeea781.exe

"C:\Users\Admin\AppData\Local\Temp\dcc22abb9b2e14591c21a099fbeea781.exe"

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe

.\50e1076cc981f.exe /s

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4144 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 170.117.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc981f.exe

MD5 ebcc3eb1a7021aaead55fb677465a717
SHA1 3c8347f0fd520ee423a4aafea1112a0b06f4b6c8
SHA256 5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c
SHA512 0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\settings.ini

MD5 21d662443888162ba401f31d8724350c
SHA1 81fcdc7f7e172e9dde81051cdd4489647b8142c5
SHA256 6022251c0a6366a91468dd7f8938d1b3ec8cfc5ac42aa27d41c20c587c3726fe
SHA512 3b64dba5e8b1b2ee78d57f54f4a8836a9c0b3c068d5b454723ca4f5dec3e005459eae439da7821a247db29d3467cc974ec9ea272699f5ddcf4335334a065ef2d

C:\Users\Admin\AppData\Local\Temp\nsm953.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\[email protected]\bootstrap.js

MD5 22a88c085164865a40cd034ef1f71ce4
SHA1 e835ba300664493e48feba4bab0571d6ef038f6e
SHA256 16f4a341e8eac8761020fe17697295dae71fee73967ef61c55db7ddb1309b8a2
SHA512 9afde0a3f58f2bbde710fa2d96c0dafbc50ba6c259c4443b61dbde706797acef9f9340659f47512c075a9673914d0590dfca05638c1140f9775289ce61b694ae

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\[email protected]\chrome.manifest

MD5 3a49d280c23fb377e81cbcc4bc65c503
SHA1 be334bd06ecabc8b029d354332a6fe8bfb71de44
SHA256 3f7d880f652c8deeb4c8ade1e74ec82679aca2072ff7e415b15e637ad6df335e
SHA512 b94958f4ac60310ca1600d44645b6c27988464e2ba33cdc2f4624a6492d13d93311736a2a05d2438336adc906c50bcae74cadde25d642b0ca42a7409fc639e0f

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\[email protected]\install.rdf

MD5 9a44e26bda267d9845bd7e1290613867
SHA1 e109e0adcb11191599609bbb324d4a4ad67da10e
SHA256 2bb7ca3af3cf4c13b0e059e739d6a2d27819c2241309893b1ebacc2af45c492f
SHA512 2d8b549fa2ca5cc3bc7aca69dcd28e627bb7794ed83e5f79ddcc1d3357a6225700b4f4342e3f913144f9f184cb76d2f1aa8f8ea56d1143a280237562f1e55daf

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\[email protected]\content\bg.js

MD5 0760acbd163f5fd4d46251ccf180e200
SHA1 8e0d3f4a4cd36d9bd63bf9cd214e97c578a5387f
SHA256 2542892e15c3a42896fc250ff7eb747286aeddb6f0592bb4ef6f9523e8faa3e2
SHA512 e412a5ac465b435aaea90ada4d5b78f9b66b8e177498033483e0c637c17afa86dbb892751f9a860e65d17513fd3736224c69605ecee893237ad7dfdcf5d48acf

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\[email protected]\content\zy.xul

MD5 f8e8bca3b89f6efed7b5f13b0585db56
SHA1 477359e3b9caa7053162b41031fbff13c1049bd8
SHA256 8a2c197782904abed803b7e7cbf3e83a2b27ccb058df02e8593591707dd9249c
SHA512 407ba1604b0a9aa62f1dd5d9cfb35ea207289814adcc8bf53871dd8daedd9c79c8d127bcada8b69f57e80f1c3e0a8b4731ab5aefabfb99d325bcc8a6428086fc

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\ifjeacdnhbjddaafainebjenmfdeambe.crx

MD5 2c0fe65cbab35e42d5d02e31c6f6c392
SHA1 57745fedadf850001245cdf7e3dceedb4d10c407
SHA256 4bee66b7d2278c267dcb6d39c7493722e934319befc7f39f043a3b252222a4db
SHA512 1f809aaa9408de08f581112a6871b3927975f97194aba59bf3f010e848148b8e61405be5e9f390a3226aed2c54384fa3f2fcec6911dabd5b0b529ba8dc2d2bde

C:\Users\Admin\AppData\Local\Temp\nsm953.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

memory/740-52-0x00000000749E0000-0x00000000749EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc9858.dll

MD5 6696822add17061dc0bb8ee5b42cc2d4
SHA1 d4622558ba366f2f94560da301a81c6c16f95a3c
SHA256 73c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125
SHA512 0f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099

C:\Users\Admin\AppData\Local\Temp\7zSFEE2.tmp\50e1076cc9858.tlb

MD5 096a65b8a695249d5d554776f1eeace3
SHA1 2f2506b886a59b4408b23653d8734004ec2dda6d
SHA256 a602c790bcf424c154a082a88a495b256dd5456f627943568c358c74f606c568
SHA512 6e832caff1951b4fdb489997af5736fdbafa1de5573f629fc6798666bffd0ca0715311ce6590202cc970cce4492d94994a588547bb579bf70bc264683bc45cdc

C:\ProgramData\Bcool\uninstall.exe

MD5 e9c9582996a23b2a49a058dcaa3b5525
SHA1 f527cc64e759f06c011e5eeffbd217d5249c04df
SHA256 43c3e8d7aa00a299f084db17e384aa96de508565f82264ee88bd9c7647fa9fc9
SHA512 665613fc7f20e2c4ea40b7a8f39b4c2ea2a24c5119ee86ef072bbe29f606cd78a43081aa0a89b678a46d34e470e1ed10e31d590d3cb5447e1231707fea8e490f

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-25 00:09

Reported

2024-03-25 00:12

Platform

win7-20240221-en

Max time kernel

121s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dcc22abb9b2e14591c21a099fbeea781.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D629A1ED-60D6-EAC1-910A-198481E52DA6} C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\NoExplorer = "1" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0\win32\ = "C:\\ProgramData\\Bcool\\50e1076cc9858.tlb" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\ = "IEPluginLib" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6} C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F} C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\ProgID C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755} C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR\ = "C:\\ProgramData\\Bcool" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\ = "Bcool" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0 C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ = "IIEPluginMain" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ = "ILocalStorage" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Wow6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\InProcServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\ProgID\ = "Bcool.1" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\0 C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F} C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C66F0B7A-BD67-4982-AF71-C6CA6E7F016F}\TypeLib\ = "{E2343056-CC08-46AC-B898-BFC7ACF4E755}" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6}\InProcServer32\ = "C:\\ProgramData\\Bcool\\50e1076cc9858.dll" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{E2343056-CC08-46AC-B898-BFC7ACF4E755}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{31E3BC75-2A09-4CFF-9C92-8D0ED8D1DC0F}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A

System policy modification

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{D629A1ED-60D6-EAC1-910A-198481E52DA6} = "1" C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\dcc22abb9b2e14591c21a099fbeea781.exe

"C:\Users\Admin\AppData\Local\Temp\dcc22abb9b2e14591c21a099fbeea781.exe"

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe

.\50e1076cc981f.exe /s

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc981f.exe

MD5 ebcc3eb1a7021aaead55fb677465a717
SHA1 3c8347f0fd520ee423a4aafea1112a0b06f4b6c8
SHA256 5e74f0e710c067ad82301c7c14ed6afb138f974f351042cfe0ecd275cea2612c
SHA512 0f18c22e6eff8ec90ccc616e62f32701d046185311e01e5f506778fae0c31f35123c3ce756ff2c0eef6f23e06e280f870b80080d11dc6da3aa25901f5a92d995

\Users\Admin\AppData\Local\Temp\nsd7456.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\settings.ini

MD5 21d662443888162ba401f31d8724350c
SHA1 81fcdc7f7e172e9dde81051cdd4489647b8142c5
SHA256 6022251c0a6366a91468dd7f8938d1b3ec8cfc5ac42aa27d41c20c587c3726fe
SHA512 3b64dba5e8b1b2ee78d57f54f4a8836a9c0b3c068d5b454723ca4f5dec3e005459eae439da7821a247db29d3467cc974ec9ea272699f5ddcf4335334a065ef2d

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\[email protected]\bootstrap.js

MD5 22a88c085164865a40cd034ef1f71ce4
SHA1 e835ba300664493e48feba4bab0571d6ef038f6e
SHA256 16f4a341e8eac8761020fe17697295dae71fee73967ef61c55db7ddb1309b8a2
SHA512 9afde0a3f58f2bbde710fa2d96c0dafbc50ba6c259c4443b61dbde706797acef9f9340659f47512c075a9673914d0590dfca05638c1140f9775289ce61b694ae

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\[email protected]\chrome.manifest

MD5 3a49d280c23fb377e81cbcc4bc65c503
SHA1 be334bd06ecabc8b029d354332a6fe8bfb71de44
SHA256 3f7d880f652c8deeb4c8ade1e74ec82679aca2072ff7e415b15e637ad6df335e
SHA512 b94958f4ac60310ca1600d44645b6c27988464e2ba33cdc2f4624a6492d13d93311736a2a05d2438336adc906c50bcae74cadde25d642b0ca42a7409fc639e0f

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\[email protected]\install.rdf

MD5 9a44e26bda267d9845bd7e1290613867
SHA1 e109e0adcb11191599609bbb324d4a4ad67da10e
SHA256 2bb7ca3af3cf4c13b0e059e739d6a2d27819c2241309893b1ebacc2af45c492f
SHA512 2d8b549fa2ca5cc3bc7aca69dcd28e627bb7794ed83e5f79ddcc1d3357a6225700b4f4342e3f913144f9f184cb76d2f1aa8f8ea56d1143a280237562f1e55daf

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\[email protected]\content\bg.js

MD5 0760acbd163f5fd4d46251ccf180e200
SHA1 8e0d3f4a4cd36d9bd63bf9cd214e97c578a5387f
SHA256 2542892e15c3a42896fc250ff7eb747286aeddb6f0592bb4ef6f9523e8faa3e2
SHA512 e412a5ac465b435aaea90ada4d5b78f9b66b8e177498033483e0c637c17afa86dbb892751f9a860e65d17513fd3736224c69605ecee893237ad7dfdcf5d48acf

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\[email protected]\content\zy.xul

MD5 f8e8bca3b89f6efed7b5f13b0585db56
SHA1 477359e3b9caa7053162b41031fbff13c1049bd8
SHA256 8a2c197782904abed803b7e7cbf3e83a2b27ccb058df02e8593591707dd9249c
SHA512 407ba1604b0a9aa62f1dd5d9cfb35ea207289814adcc8bf53871dd8daedd9c79c8d127bcada8b69f57e80f1c3e0a8b4731ab5aefabfb99d325bcc8a6428086fc

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\ifjeacdnhbjddaafainebjenmfdeambe.crx

MD5 2c0fe65cbab35e42d5d02e31c6f6c392
SHA1 57745fedadf850001245cdf7e3dceedb4d10c407
SHA256 4bee66b7d2278c267dcb6d39c7493722e934319befc7f39f043a3b252222a4db
SHA512 1f809aaa9408de08f581112a6871b3927975f97194aba59bf3f010e848148b8e61405be5e9f390a3226aed2c54384fa3f2fcec6911dabd5b0b529ba8dc2d2bde

\Users\Admin\AppData\Local\Temp\nsd7456.tmp\nsJSON.dll

MD5 b9cd1b0fd3af89892348e5cc3108dce7
SHA1 f7bc59bf631303facfc970c0da67a73568e1dca6
SHA256 49b173504eb9cd07e42a3c4deb84c2cd3f3b49c7fb0858aee43ddfc64660e384
SHA512 fdcbdd21b831a92ca686aab5b240f073a89a08588e42439564747cad9160d79cfa8e3c103b6b4f2917684c1a591880203b4303418b85bc040f9f00b6658b0c90

memory/2612-54-0x0000000074640000-0x000000007464A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc9858.dll

MD5 6696822add17061dc0bb8ee5b42cc2d4
SHA1 d4622558ba366f2f94560da301a81c6c16f95a3c
SHA256 73c44d8943947e3cf9ecabdeea4d9a37652614f5490a1f972816be4123795125
SHA512 0f1946ce002441d010f67156f67b9d18e01ba35edfeb66ce8096467d3126b547e5040032253275b173f2dba9bce983775f360d83ec026986b55cb85e4b63f099

C:\Users\Admin\AppData\Local\Temp\7zS72B0.tmp\50e1076cc9858.tlb

MD5 096a65b8a695249d5d554776f1eeace3
SHA1 2f2506b886a59b4408b23653d8734004ec2dda6d
SHA256 a602c790bcf424c154a082a88a495b256dd5456f627943568c358c74f606c568
SHA512 6e832caff1951b4fdb489997af5736fdbafa1de5573f629fc6798666bffd0ca0715311ce6590202cc970cce4492d94994a588547bb579bf70bc264683bc45cdc

C:\ProgramData\Bcool\uninstall.exe

MD5 e9c9582996a23b2a49a058dcaa3b5525
SHA1 f527cc64e759f06c011e5eeffbd217d5249c04df
SHA256 43c3e8d7aa00a299f084db17e384aa96de508565f82264ee88bd9c7647fa9fc9
SHA512 665613fc7f20e2c4ea40b7a8f39b4c2ea2a24c5119ee86ef072bbe29f606cd78a43081aa0a89b678a46d34e470e1ed10e31d590d3cb5447e1231707fea8e490f