Analysis Overview
SHA256
9d5520d7e7b6f9a5939f393ae52d0c5023a668c2ab0178c7fcfd6ea6ace87297
Threat Level: Known bad
The file 0387e36e8a64e5e6e925bed6fbdcd18f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Drops file in Drivers directory
Deletes itself
Executes dropped EXE
Loads dropped DLL
Installs/modifies Browser Helper Object
Enumerates connected drives
Adds Run key to start application
Checks installed software on the system
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
Program crash
NSIS installer
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 06:12
Signatures
Unsigned PE
NSIS installer
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2160 wrote to memory of 264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2160 wrote to memory of 264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2160 wrote to memory of 264 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 264 -ip 264
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 600
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 224
Network
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240419-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240508-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe
"C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\Splash.dll
| MD5 | e07ad0d2f86ddf926911e3d2dbc2021e |
| SHA1 | 370c93de8c9ba9549b0a646b329cb8d2fc7c91f8 |
| SHA256 | 2ada4d9531a62772ddd7eeb0737fe91925982c543990d9c0d4faaadde12b7ed0 |
| SHA512 | c13747e3cb2d6712f3bf19bfe1bbbab47763239a4e21bbe685edbedae98bda9c7b8e4e06c22e8b7737752a3c3129e07c91c00b6e90ac741e891bc1bfa966fdae |
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\System.dll
| MD5 | 10c44246d99a1c2e5f5e6b52b111a63d |
| SHA1 | 0f41da79c3e789f4ae38738e3a5d73c538f8af4f |
| SHA256 | 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8 |
| SHA512 | e5b0fa27cd02a67be5eb9c63646621d3e9ccfada98659c50dee8310a58ce12e1a6a059788b85f0f440067ed7e281a0e1a526b9403993b9000f91a51bfbb50da3 |
C:\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\ioSpecial.ini
| MD5 | 91d05ee2b502afa9ad649342837f3807 |
| SHA1 | 8a4979325ba1c12587ab699e70046d77acd82817 |
| SHA256 | bff27e9f1e011b95459026b3de91138b4c8ee2d926bf73a633fe7ebd93ffa208 |
| SHA512 | e987114da585960a13287b1610f95d9e7a7e4abf0edc984115671e19dd6661836c101d4a69966cf9b056d520d31d608695ec8bebffd12f25ad2550a816652973 |
\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\InstallOptions.dll
| MD5 | 1e8f2fefe3ce893b117b26948b8978cb |
| SHA1 | 59cfc6c3f5716e91609e54ca80ae8b06c93ef8ab |
| SHA256 | 8203ae1589a50e6ff012e5d27bdd4f8ed7506077ca9b052827f5e90aaeb98519 |
| SHA512 | b3c36e1aa5d3ee5f482f4175a7d6fe10cf2bf3bd3423ab4266d11c4181cfbc7e3f66a30855034a8ec026a4d5987598f0116e98519b7445d9e5687bcbab2c0e5c |
Analysis: behavioral16
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240611-en
Max time kernel
138s
Max time network
123s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\ = "ÉÏÍøÖúÊÖ" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID\ = "CoolBar.CoolBarObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\ = "CoolBar 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID\ = "CoolBar.CoolBarObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\$R0.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\ = "ÉÏÍøÖúÊÖ" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "ÉÏÍøÖúÊÖ" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\$R0.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4480 wrote to memory of 1828 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4480 wrote to memory of 1828 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 4480 wrote to memory of 1828 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.129:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 129.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 52.111.227.13:443 | | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\Assist\3721\Coolbar\1.bmp
| MD5 | 797a7955e4869d421f672cd2e5fb6bde |
| SHA1 | 4120908d501ad837286cafedc8cd8096dc2b6364 |
| SHA256 | f251946827b8ed34e1cf1909b1a0a68ab8a6a378a2043753c93b9156a781908e |
| SHA512 | 5aaaa681d6bf2aa88224c4884c739a325ba6d5d4cc2e668fe85910c5db1ab58bafceafc8478c050084c90a5c7d3a58e81939c1bb3aa18ffd4512a0ff3cb84002 |
Analysis: behavioral19
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240220-en
Max time kernel
120s
Max time network
120s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\hh.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\DVD Identifier.chm"
Network
Files
memory/3036-21-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp
Analysis: behavioral22
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:15
Platform
win10v2004-20240611-en
Max time kernel
139s
Max time network
125s
Command Line
Signatures
Enumerates connected drives
Processes
C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe
"C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | DVD.Identifier.CDfreaks.com | udp |
| US | 172.67.170.122:80 | DVD.Identifier.CDfreaks.com | tcp |
| US | 172.67.170.122:80 | DVD.Identifier.CDfreaks.com | tcp |
| US | 172.67.170.122:80 | DVD.Identifier.CDfreaks.com | tcp |
| US | 8.8.8.8:53 | 122.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
memory/4160-0-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/4160-1-0x0000000000D50000-0x0000000000D51000-memory.dmp
memory/4160-2-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/4160-3-0x0000000000D50000-0x0000000000D51000-memory.dmp
Analysis: behavioral25
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240611-en
Max time kernel
122s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224
Network
Files
Analysis: behavioral26
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
51s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4664 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4664 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4664 wrote to memory of 2964 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 600
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240611-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 4016 wrote to memory of 4232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4016 wrote to memory of 4232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4016 wrote to memory of 4232 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 624
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID\ = "CoolBar.CoolBarObj.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID\ = "CoolBar.CoolBarObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\$R0.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\$R0.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "ÉÏÍøÖúÊÖ" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\ = "CoolBar 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\ = "ÉÏÍøÖúÊÖ" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\ = "ÉÏÍøÖúÊÖ" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2068 wrote to memory of 2012 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2068 wrote to memory of 2012 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2068 wrote to memory of 2012 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2068 wrote to memory of 2012 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2068 wrote to memory of 2012 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2068 wrote to memory of 2012 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2068 wrote to memory of 2012 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll
Network
Files
C:\Users\Admin\AppData\Local\Temp\Assist\Coolbar\custom.bmp
| MD5 | 5574db264ea5ce3078abb52030ffebff |
| SHA1 | efcaeb05e5e40f24b12c346ef1ec14268465ef9d |
| SHA256 | 5ab9d0bfbf2b8141ab316f1f4697e38e20b2b5da912df5b6e1e2f03d4b30e6ee |
| SHA512 | 986cc36d7f1e8f40748002e0d31b1d4e743df3b21cca018cecc9917c3d85ab4fc64f2da4c47b135d61be5d28733c1eb841bc89c7d20d8fbc118a78411c27e559 |
Analysis: behavioral17
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240508-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\remotesetup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\remotesetup.exe:*:Enabled:DuDuAcc" | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\DDD_Install_Program.job | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe"
C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
Network
Files
\Users\Admin\AppData\Local\Temp\remotesetup.exe
| MD5 | 431f73f47db54f39affaf01d059ddc19 |
| SHA1 | 494a98579d991201f79bc62138f3614eba7a6bf4 |
| SHA256 | 432ce523edf6eac5d01b085ebb8ccda80c16e72618ed4ef75312884b171fe281 |
| SHA512 | 94d5f6d28dbb9934013b2908e95a69374fcb93384c8333807a7bcf437b6e3638bf1aad92e894fbb282c28eebdcbda770752f2e43d9c6c7ac9e892c647ccab79b |
Analysis: behavioral10
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240611-en
Max time kernel
135s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2948 wrote to memory of 3116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2948 wrote to memory of 3116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2948 wrote to memory of 3116 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3116 -ip 3116
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240611-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~2\3721\3721\Helper.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\3721\cns01.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\cns01.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\PROGRA~2\3721\cns01.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\Helper.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\autolive.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\i3721res.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer\ = "AutoLive.Live.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\autolive.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\PROGRA~2\\3721\\autolive.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$R0.dll
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32
Network
Files
\PROGRA~2\3721\autolive.dll
| MD5 | 7ff63507a1ea33dc677c1f0a838fadf6 |
| SHA1 | c35183495c7d90f22ad83970b4a86ca0c4b8b433 |
| SHA256 | 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3 |
| SHA512 | cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d |
memory/2112-15-0x0000000000190000-0x00000000001B3000-memory.dmp
C:\PROGRA~2\3721\helper.dll
| MD5 | 49ae58008fc003af6f952a82c33aa3dd |
| SHA1 | 330630c95b6be9b61398d5952be9ee1f45799606 |
| SHA256 | 8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873 |
| SHA512 | bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3 |
Analysis: behavioral14
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
52s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~2\3721\autolive.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\i3721res.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\3721\Helper.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\3721\cns01.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\cns01.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File opened for modification | C:\PROGRA~2\3721\cns01.dat | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| File created | C:\PROGRA~2\3721\Helper.dll | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\autolive.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer\ = "AutoLive.Live.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\PROGRA~2\\3721\\autolive.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3012 wrote to memory of 2232 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3012 wrote to memory of 2232 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3012 wrote to memory of 2232 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2232 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2232 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2232 wrote to memory of 1000 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\$R0.dll
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
C:\PROGRA~2\3721\3721\cns01.dat
| MD5 | af759437bb010b6312207e76a40a8878 |
| SHA1 | 39db4bb04d290e80fc231ac9220ba71aac4b4751 |
| SHA256 | f94ca0f6a520ccfea930feb39e7b02c1c0b70ebd72ade0362a220965ea8eeb0f |
| SHA512 | 1eac5778935fc6728bdd1fb4d6c96265c75796eff31490246b80cd5b899e081797abd5fd7735c61756498006ac3007cc63805af8f6590b58582ad142c39ff2af |
C:\Program Files (x86)\3721\autolive.dll
| MD5 | 7ff63507a1ea33dc677c1f0a838fadf6 |
| SHA1 | c35183495c7d90f22ad83970b4a86ca0c4b8b433 |
| SHA256 | 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3 |
| SHA512 | cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d |
memory/2232-19-0x0000000000710000-0x0000000000733000-memory.dmp
C:\PROGRA~2\3721\Helper.dll
| MD5 | 49ae58008fc003af6f952a82c33aa3dd |
| SHA1 | 330630c95b6be9b61398d5952be9ee1f45799606 |
| SHA256 | 8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873 |
| SHA512 | bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3 |
Analysis: behavioral20
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240508-en
Max time kernel
51s
Max time network
53s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\hh.exe | N/A |
| N/A | N/A | C:\Windows\hh.exe | N/A |
Processes
C:\Windows\hh.exe
"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\DVD Identifier.chm"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20231129-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Enumerates connected drives
Processes
C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe
"C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | DVD.Identifier.CDfreaks.com | udp |
| US | 104.21.87.174:80 | DVD.Identifier.CDfreaks.com | tcp |
| US | 104.21.87.174:80 | DVD.Identifier.CDfreaks.com | tcp |
| US | 104.21.87.174:80 | DVD.Identifier.CDfreaks.com | tcp |
Files
memory/2392-0-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/2392-1-0x0000000000240000-0x0000000000241000-memory.dmp
memory/2392-2-0x0000000000400000-0x00000000005C8000-memory.dmp
memory/2392-3-0x0000000000240000-0x0000000000241000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240508-en
Max time kernel
118s
Max time network
119s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 244
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240220-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\3.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\7.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\profile.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\4.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\2.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\8.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\9.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\prodef.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\10.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\5.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\custom.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\Program Files (x86)\3721\AutoLive.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\11.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\2.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\6.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\7.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\Logo.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\Logo.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\Program Files (x86)\3721\Assist\asbar.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\11.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\4.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\6.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\3.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\5.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\8.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\3721\cns01.dat | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\profile.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Helper.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\custom.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File opened for modification | C:\PROGRA~2\3721\cns01.dat | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\10.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\1.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\9.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\prodef.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\Program Files (x86)\3721\Assist\assist.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\coolbar.cab | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\3721\Helper.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\cns01.dat | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\1.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\i3721res.dat | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\ = "assist" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib\ = "{19069804-2CF0-4357-B696-BA6E9AAD99EF}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\AutoLive.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\Assist\\assist.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CLSID | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\Assist\\assist.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\3721\\Assist\\" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\CLSID\ = "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32\ = "C:\\Program Files (x86)\\3721\\Assist\\asbar.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID\ = "CoolBar.CoolBarObj.1" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer\ = "AutoLive.Live.1" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\ = "Assist 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CurVer | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID\ = "CoolBar.CoolBarObj" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "上网助手" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\ = "EasyAssist Class" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2924 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32
Network
Files
\Users\Admin\AppData\Local\Temp\nsiFDA2.tmp\System.dll
\Users\Admin\AppData\Local\Temp\nsiFDA2.tmp\wmpns.dll
\Program Files (x86)\3721\AutoLive.dll
C:\PROGRA~2\3721\helper.dll
\Program Files (x86)\3721\Assist\asbar.dll
\Program Files (x86)\3721\Assist\assist.dll
Analysis: behavioral18
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\remotesetup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\remotesetup.exe:*:Enabled:DuDuAcc" | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Tasks\DDD_Install_Program.job | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3604 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe |
| PID 3604 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe |
| PID 3604 wrote to memory of 4072 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe | C:\Users\Admin\AppData\Local\Temp\remotesetup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe"
C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
Network
| Country | Destination | Domain | Proto |
| US | 23.53.113.159:80 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\remotesetup.exe
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240508-en
Max time kernel
119s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 232
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
151s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5000 wrote to memory of 448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5000 wrote to memory of 448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5000 wrote to memory of 448 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 448 -ip 448
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 616
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240611-en
Max time kernel
137s
Max time network
127s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3896 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3896 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3896 wrote to memory of 4308 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2904,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=1416 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
C:\Users\Admin\AppData\Local\Temp\nszEA32.tmp\LangDLL.dll
Analysis: behavioral12
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240611-en
Max time kernel
140s
Max time network
124s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\5.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\1.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\2.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\3721\Helper.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\cns01.dat | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\coolbar.cab | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\2.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\Logo.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\9.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\Program Files (x86)\3721\AutoLive.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Helper.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\10.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\6.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\6.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\Logo.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\3721\cns01.dat | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File opened for modification | C:\PROGRA~2\3721\cns01.dat | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\7.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\10.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\custom.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\4.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\5.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\7.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\custom.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\Program Files (x86)\3721\Assist\asbar.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\11.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\prodef.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\8.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\1.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\4.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\3.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\prodef.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\profile.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\Program Files (x86)\3721\Assist\assist.dll | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\11.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\Coolbar\3.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\i3721res.dat | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\8.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\9.bmp | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| File created | C:\PROGRA~2\3721\Assist\3721\Coolbar\profile.ini | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\URLSearchHooks | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "上网助手" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\FLAGS | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721\\Assist" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ = "IEasyAssist" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\ = "CoolBar 1.0 Type Library" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\AutoLive.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\Assist\\assist.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\HELPDIR | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\ = "EasyAssist Class" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\Assist\\asbar.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\CLSID\ = "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\AutoLive.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\3721\\Assist\\" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\ = "上网助手" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CLSID | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\Assist\\assist.dll" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667} | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0" | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4048 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4048 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4048 wrote to memory of 4848 | N/A | C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe
"C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsj5E7D.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsj5E7D.tmp\wmpns.dll
C:\Program Files (x86)\3721\AutoLive.dll
C:\PROGRA~2\3721\3721\cns01.dat
C:\PROGRA~2\3721\Helper.dll
C:\Program Files (x86)\3721\Assist\asbar.dll
C:\Program Files (x86)\3721\Assist\assist.dll
Analysis: behavioral23
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win7-20240221-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3024 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3024 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3024 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3024 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3024 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3024 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
| PID 3024 wrote to memory of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\uninst.exe | C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\uninst.exe
"C:\Users\Admin\AppData\Local\Temp\uninst.exe"
C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
Network
Files
\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
\Users\Admin\AppData\Local\Temp\nsy21F3.tmp\LangDLL.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 06:12
Reported
2024-06-20 06:14
Platform
win10v2004-20240508-en
Max time kernel
125s
Max time network
127s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe
"C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x504
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8
Network
Files
C:\Users\Admin\AppData\Local\Temp\nsaDFF1.tmp\Splash.dll
C:\Users\Admin\AppData\Local\Temp\nsaDFF1.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsaDFF1.tmp\InstallOptions.dll
C:\Users\Admin\AppData\Local\Temp\nsaDFF1.tmp\ioSpecial.ini