Malware Analysis Report

2024-10-19 10:48

Sample ID 240620-gyc5eaxfjj
Target 0387e36e8a64e5e6e925bed6fbdcd18f_JaffaCakes118
SHA256 9d5520d7e7b6f9a5939f393ae52d0c5023a668c2ab0178c7fcfd6ea6ace87297
Tags adware stealer evasion persistence discovery
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK (Enterprise Matrix V15)

Analysis: static1 (Detonation Overview, Signatures)

Behavioral analyses, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files sections, in report order: behavioral8, behavioral7, behavioral9, behavioral1, behavioral16, behavioral19, behavioral22, behavioral25, behavioral26, behavioral4, behavioral15, behavioral17, behavioral10, behavioral13, behavioral14, behavioral20, behavioral21, behavioral3, behavioral11, behavioral18, behavioral5, behavioral6, behavioral24, behavioral12, behavioral23, behavioral2

Analysis Overview

Score 10/10

SHA256

9d5520d7e7b6f9a5939f393ae52d0c5023a668c2ab0178c7fcfd6ea6ace87297

Threat Level: Known bad

The file 0387e36e8a64e5e6e925bed6fbdcd18f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

adware stealer evasion persistence discovery

Modifies firewall policy service

Drops file in Drivers directory

Deletes itself

Executes dropped EXE

Loads dropped DLL

Installs/modifies Browser Helper Object

Enumerates connected drives

Adds Run key to start application

Checks installed software on the system

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Program crash

NSIS installer

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 06:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (12 identical rows)


NSIS installer (tags: installer)

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Analysis: behavioral8

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2160 wrote to memory of 264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2160 wrote to memory of 264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2160 wrote to memory of 264 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 264 -ip 264

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 264 -s 600

Network

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StartMenu.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1684 -s 224

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240419-en

Max time kernel

117s

Max time network

118s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2324 -s 224

Network

N/A

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe

"C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\Splash.dll

MD5 e07ad0d2f86ddf926911e3d2dbc2021e
SHA1 370c93de8c9ba9549b0a646b329cb8d2fc7c91f8
SHA256 2ada4d9531a62772ddd7eeb0737fe91925982c543990d9c0d4faaadde12b7ed0
SHA512 c13747e3cb2d6712f3bf19bfe1bbbab47763239a4e21bbe685edbedae98bda9c7b8e4e06c22e8b7737752a3c3129e07c91c00b6e90ac741e891bc1bfa966fdae

\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\System.dll

MD5 10c44246d99a1c2e5f5e6b52b111a63d
SHA1 0f41da79c3e789f4ae38738e3a5d73c538f8af4f
SHA256 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8
SHA512 e5b0fa27cd02a67be5eb9c63646621d3e9ccfada98659c50dee8310a58ce12e1a6a059788b85f0f440067ed7e281a0e1a526b9403993b9000f91a51bfbb50da3

C:\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\ioSpecial.ini

MD5 91d05ee2b502afa9ad649342837f3807
SHA1 8a4979325ba1c12587ab699e70046d77acd82817
SHA256 bff27e9f1e011b95459026b3de91138b4c8ee2d926bf73a633fe7ebd93ffa208
SHA512 e987114da585960a13287b1610f95d9e7a7e4abf0edc984115671e19dd6661836c101d4a69966cf9b056d520d31d608695ec8bebffd12f25ad2550a816652973

\Users\Admin\AppData\Local\Temp\nsi1D9F.tmp\InstallOptions.dll

MD5 1e8f2fefe3ce893b117b26948b8978cb
SHA1 59cfc6c3f5716e91609e54ca80ae8b06c93ef8ab
SHA256 8203ae1589a50e6ff012e5d27bdd4f8ed7506077ca9b052827f5e90aaeb98519
SHA512 b3c36e1aa5d3ee5f482f4175a7d6fe10cf2bf3bd3423ab4266d11c4181cfbc7e3f66a30855034a8ec026a4d5987598f0116e98519b7445d9e5687bcbab2c0e5c

Analysis: behavioral16

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240611-en

Max time kernel

138s

Max time network

123s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll

Signatures

Installs/modifies Browser Helper Object (tags: stealer, adware)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings (tags: adware, spyware)

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\ = "ÉÏÍøÖúÊÖ" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID\ = "CoolBar.CoolBarObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\ = "CoolBar 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID\ = "CoolBar.CoolBarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\$R0.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\ = "ÉÏÍøÖúÊÖ" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "ÉÏÍøÖúÊÖ" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\$R0.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4480 wrote to memory of 1828 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4480 wrote to memory of 1828 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4480 wrote to memory of 1828 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 52.111.227.13:443 tcp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\Assist\3721\Coolbar\1.bmp

MD5 797a7955e4869d421f672cd2e5fb6bde
SHA1 4120908d501ad837286cafedc8cd8096dc2b6364
SHA256 f251946827b8ed34e1cf1909b1a0a68ab8a6a378a2043753c93b9156a781908e
SHA512 5aaaa681d6bf2aa88224c4884c739a325ba6d5d4cc2e668fe85910c5db1ab58bafceafc8478c050084c90a5c7d3a58e81939c1bb3aa18ffd4512a0ff3cb84002

Analysis: behavioral19

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240220-en

Max time kernel

120s

Max time network

120s

Command Line

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\DVD Identifier.chm"

Signatures

Modifies Internet Explorer settings (tags: adware, spyware)

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Windows\hh.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\DVD Identifier.chm"

Network

N/A

Files

memory/3036-21-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral22

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:15

Platform

win10v2004-20240611-en

Max time kernel

139s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe

"C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 DVD.Identifier.CDfreaks.com udp
US 172.67.170.122:80 DVD.Identifier.CDfreaks.com tcp
US 172.67.170.122:80 DVD.Identifier.CDfreaks.com tcp
US 172.67.170.122:80 DVD.Identifier.CDfreaks.com tcp
US 8.8.8.8:53 122.170.67.172.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/4160-0-0x0000000000400000-0x00000000005C8000-memory.dmp

memory/4160-1-0x0000000000D50000-0x0000000000D51000-memory.dmp

memory/4160-2-0x0000000000400000-0x00000000005C8000-memory.dmp

memory/4160-3-0x0000000000D50000-0x0000000000D51000-memory.dmp

Analysis: behavioral25

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240611-en

Max time kernel

122s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224

Network

N/A

Files

N/A

Analysis: behavioral26

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

51s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4664 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4664 wrote to memory of 2964 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2964 -ip 2964

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2964 -s 600

Network

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4016 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4016 wrote to memory of 4232 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4232 -ip 4232

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4232 -s 624

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 25.140.123.92.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 213.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll

Signatures

Installs/modifies Browser Helper Object (tags: stealer, adware)

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer settings (tags: adware, spyware)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID\ = "CoolBar.CoolBarObj.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID\ = "CoolBar.CoolBarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\$R0.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Assist\\$R0.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "上网助手" ("Internet Assistant"; the sandbox rendered these GBK bytes as "ÉÏÍøÖúÊÖ") C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\ = "CoolBar 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\ = "上网助手" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\ = "上网助手" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 2012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 2012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 2012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 2012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 2012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 2012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2068 wrote to memory of 2012 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\Assist\Coolbar\custom.bmp

MD5 5574db264ea5ce3078abb52030ffebff
SHA1 efcaeb05e5e40f24b12c346ef1ec14268465ef9d
SHA256 5ab9d0bfbf2b8141ab316f1f4697e38e20b2b5da912df5b6e1e2f03d4b30e6ee
SHA512 986cc36d7f1e8f40748002e0d31b1d4e743df3b21cca018cecc9917c3d85ab4fc64f2da4c47b135d61be5d28733c1eb841bc89c7d20d8fbc118a78411c27e559

Analysis: behavioral17

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240508-en

Max time kernel

117s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\remotesetup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\remotesetup.exe:*:Enabled:DuDuAcc" C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\DDD_Install_Program.job C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe"

C:\Users\Admin\AppData\Local\Temp\remotesetup.exe

C:\Users\Admin\AppData\Local\Temp\remotesetup.exe

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\remotesetup.exe

MD5 431f73f47db54f39affaf01d059ddc19
SHA1 494a98579d991201f79bc62138f3614eba7a6bf4
SHA256 432ce523edf6eac5d01b085ebb8ccda80c16e72618ed4ef75312884b171fe281
SHA512 94d5f6d28dbb9934013b2908e95a69374fcb93384c8333807a7bcf437b6e3638bf1aad92e894fbb282c28eebdcbda770752f2e43d9c6c7ac9e892c647ccab79b

Analysis: behavioral10

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240611-en

Max time kernel

135s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2948 wrote to memory of 3116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 3116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2948 wrote to memory of 3116 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3116 -ip 3116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3116 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240611-en

Max time kernel

120s

Max time network

121s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" C:\Windows\SysWOW64\regsvr32.exe N/A
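The firewall exception in behavioral17 and the Run key above both show their payload strings raw. As an added example that is not part of the sandbox output, the Python below decodes both formats into fields and flags what a responder cares about. The legacy AuthorizedApplications\List value is `<path>:<scope>:<Enabled|Disabled>:<name>`, and here it opens inbound access from any address (`*`) to an executable in %TEMP%. The Run value hands a DLL to rundll32.exe through an 8.3 short path (PROGRA~2, which the Files section of behavioral14 shows resolving to `C:\Program Files (x86)`). Two caveats the rows imply: this Run value sits under Wow6432Node, so a check that reads only the 64-bit Run key misses it, and since Vista the Firewall with Advanced Security keeps its own rules under ...\FirewallPolicy\FirewallRules, which needs checking alongside the legacy list. The sample values are copied from the report; the flag wording and the list of user-writable directories are my own assumptions.

```python
"""Decode the two persistence/evasion strings the report shows raw: a legacy
Windows Firewall AuthorizedApplications entry and a Run-key command line."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples, copied from the report's Set value rows with the
# report's doubled backslashes collapsed.
FIREWALL_VALUE = r"C:\Users\Admin\AppData\Local\Temp\remotesetup.exe:*:Enabled:DuDuAcc"
RUN_VALUE = r"C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32"

# Assumed list of locations a standard user can write to: a boot-time launch or
# a firewall hole for a binary here deserves a second look even with a bland name.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\users\\public\\", "\\programdata\\")


@dataclass
class FirewallException:
    path: str
    scope: str          # '*' = any remote address; otherwise a subnet list
    enabled: bool
    display_name: str
    flags: List[str] = field(default_factory=list)


def parse_firewall_exception(value: str) -> FirewallException:
    """AuthorizedApplications\\List values are '<path>:<scope>:<Enabled|Disabled>:<name>'.
    The drive-letter colon is the only colon NTFS allows inside the path, so strip
    it first and split the remainder from the left (a name may itself contain ':')."""
    if re.match(r"^[A-Za-z]:", value):
        drive, rest = value[:2], value[2:]
    else:
        drive, rest = "", value                 # UNC or relative path: no drive colon
    path_tail, scope, state, name = rest.split(":", 3)
    fw = FirewallException(drive + path_tail, scope, state.lower() == "enabled", name)
    if fw.enabled and fw.scope == "*":
        fw.flags.append("inbound allowed from any remote address")
    if any(m in fw.path.lower() for m in USER_WRITABLE):
        fw.flags.append("exception for a binary in a user-writable directory")
    return fw


@dataclass
class RunEntry:
    host: str                   # the image Explorer starts at logon
    dll: Optional[str] = None   # for rundll32 hosts, the DLL that really runs
    export: Optional[str] = None
    flags: List[str] = field(default_factory=list)


def _first_token(cmd: str) -> Tuple[str, str]:
    """Split a Windows command line into its first argument and the remainder,
    honouring a quoted first argument (paths with spaces)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    head, _, rest = cmd.partition(" ")
    return head, rest.strip()


def parse_run_value(value: str) -> RunEntry:
    """Resolve a Run-key command line to the code that actually executes."""
    host, rest = _first_token(value)
    entry = RunEntry(host=host)
    if host.lower().endswith("rundll32.exe"):
        # rundll32 syntax: <dll>,<export> [args]; the DLL path may be quoted,
        # in which case the ",Export" follows the closing quote.
        target, tail = _first_token(rest)
        dll, sep, export = target.partition(",")
        if not sep and tail.startswith(","):
            export = tail[1:].split(" ", 1)[0]
        entry.dll, entry.export = dll, export or None
        entry.flags.append("DLL hosted by rundll32 (the Run value names a DLL, not an EXE)")
        if "~" in dll:
            entry.flags.append("8.3 short name in path (PROGRA~2 is normally 'Program Files (x86)')")
    for image in (entry.host, entry.dll or ""):
        if any(m in image.lower() for m in USER_WRITABLE):
            entry.flags.append("code in a user-writable directory: " + image)
    return entry


if __name__ == "__main__":
    print(parse_firewall_exception(FIREWALL_VALUE))
    print(parse_run_value(RUN_VALUE))
```

Feed it the value column of any `Set value (str)` row under `...\FirewallPolicy\StandardProfile\AuthorizedApplications\List` or `...\CurrentVersion\Run`; for the two rows on this page it returns an enabled any-address exception for `remotesetup.exe` in %TEMP% and a rundll32-hosted `helper.dll` loaded through a short path.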

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~2\3721\3721\Helper.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\3721\cns01.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\cns01.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\PROGRA~2\3721\cns01.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\Helper.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\autolive.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\i3721res.dat C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer\ = "AutoLive.Live.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\autolive.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\PROGRA~2\\3721\\autolive.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
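The "Modifies registry class" rows (the CoolBar.CoolBarObj rows at the top of this section and the AutoLive rows just above) are an ordinary regsvr32 COM registration: ProgID -> CLSID -> InprocServer32 -> DLL path, plus a type library and its interface entries. They land under Wow6432Node because the 32-bit regsvr32 did the work: the 64-bit system32\regsvr32.exe hands a 32-bit DLL to SysWOW64\regsvr32.exe, which is consistent with the WriteProcessMemory rows showing exactly that parent-child pair and with the child's command line being just `/s <dll>`. The `$R0`, `$TEMP` and `$PLUGINSDIR` path components are NSIS script variable names, consistent with the sample being an NSIS installer whose embedded components were detonated one by one. Reading forty such rows by hand is slow, so, as an added example that is not part of the sandbox output, the Python below parses rows in this report's format and resolves a ProgID to the DLL that will load into any process instantiating that class. The sample rows are copied from the AutoLive table above; those rows write no CLSID\TypeLib value, so the resolver falls back to matching the type library's win32 path against the server DLL. Row parsing and the field names are my own.

```python
"""Rebuild what a regsvr32 run registered from a sandbox report's
'Modifies registry class' rows: ProgID -> CLSID -> InprocServer32 DLL,
plus the type library and the interfaces that DLL claims to implement."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

CLASSES = "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\"
ROW_RE = re.compile(r"^(Key created|Set value \(\w+\))\s+(\S+)(.*)$")

# Constructed input: a subset of the AutoLive rows from the report above,
# copied verbatim (the report doubles backslashes inside quoted values).
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\autolive.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\PROGRA~2\\3721\\autolive.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
"""


def parse_row(line: str) -> Optional[Tuple[str, str, Optional[str]]]:
    """(op, key, value) for one report row; None for anything that is not one."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    op, key, rest = m.groups()
    if not op.startswith("Set value"):
        return op, key, None
    vm = re.match(r'^\s*=\s*"(.*)"', rest)      # greedy: the value ends at the last quote
    return (op, key, vm.group(1).replace("\\\\", "\\")) if vm else None


class ClassesView:
    """(key path under HKLM\\SOFTWARE\\Classes, value name) -> data, case-insensitive.
    The SysWOW64 regsvr32 writes 32-bit servers under Wow6432Node; those are
    folded into the same namespace and the 32-bit paths remembered."""

    def __init__(self) -> None:
        self.data: Dict[Tuple[str, str], Tuple[str, str]] = {}
        self.wow64: Set[str] = set()

    def add_row(self, line: str) -> None:
        p = parse_row(line)
        if not p or p[2] is None or not p[1].lower().startswith(CLASSES.lower()):
            return                                   # key creations carry no data
        path, _, name = p[1][len(CLASSES):].rpartition("\\")   # trailing '\' = default value
        if path.lower().startswith("wow6432node\\"):
            path = path[len("wow6432node\\"):]
            self.wow64.add(path.lower())
        self.data[(path.lower(), name.lower())] = (path, p[2])

    def get(self, path: str, name: str = "") -> Optional[str]:
        hit = self.data.get((path.lower(), name.lower()))
        return hit[1] if hit else None

    def defaults_under(self, prefix: str) -> List[Tuple[str, str]]:
        """(original path, default value) for every key below prefix."""
        prefix = prefix.lower()
        return [pv for (pl, nl), pv in self.data.items() if pl.startswith(prefix) and nl == ""]

    def is_wow64(self, path: str) -> bool:
        return any(k.startswith(path.lower()) for k in self.wow64)


@dataclass
class ComServer:
    progid: str
    clsid: str
    display_name: Optional[str]
    dll: Optional[str]
    threading_model: Optional[str]
    bitness: str
    typelib: Optional[str] = None
    typelib_name: Optional[str] = None
    interfaces: List[str] = field(default_factory=list)


def resolve_progid(view: ClassesView, progid: str) -> Optional[ComServer]:
    clsid = view.get(progid + "\\CLSID")
    if clsid is None:                                # version-independent ProgID: follow CurVer
        cur = view.get(progid + "\\CurVer")
        clsid = view.get(cur + "\\CLSID") if cur else None
    if clsid is None:
        return None
    base = "CLSID\\" + clsid
    dll = view.get(base + "\\InprocServer32")
    srv = ComServer(progid, clsid, view.get(base), dll,
                    view.get(base + "\\InprocServer32", "ThreadingModel"),
                    "x86 (Wow6432Node)" if view.is_wow64(base) else "native")
    typelib = view.get(base + "\\TypeLib")
    if typelib is None and dll:
        # Not every registrar writes CLSID\TypeLib (the AutoLive rows do not):
        # fall back to the type library whose win32 path is this same DLL.
        for path, p in view.defaults_under("TypeLib\\"):
            if path.lower().endswith("\\win32") and p.lower() == dll.lower():
                typelib = path.split("\\")[1]        # TypeLib\{guid}\<ver>\0\win32
    if typelib:
        srv.typelib = typelib
        for path, name in view.defaults_under("TypeLib\\" + typelib + "\\"):
            if path.count("\\") == 2:                # TypeLib\{guid}\<ver> holds the display name
                srv.typelib_name = name
        for path, tl in view.defaults_under("Interface\\"):
            if path.lower().endswith("\\typelib") and tl.lower() == typelib.lower():
                iid = path.split("\\")[1]
                iname = view.get("Interface\\" + iid)
                srv.interfaces.append(f"{iname} {iid}")
    return srv


def build_view(report_text: str) -> ClassesView:
    view = ClassesView()
    for line in report_text.splitlines():
        view.add_row(line)
    return view


if __name__ == "__main__":
    print(resolve_progid(build_view(SAMPLE_ROWS), "AutoLive.Live"))
```

Pasting the CoolBar rows from the top of this section into `build_view` and calling `resolve_progid(view, "CoolBar.CoolBarObj")` follows CLSID {BB936323-19FA-4521-BA29-ECA6A121BC78} to `C:\Users\Admin\AppData\Local\Temp\Assist\$R0.dll`, a server registered from a user-writable temporary directory, which is the detail worth pulling out of those forty rows.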

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 636 wrote to memory of 2112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 2112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 2112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 2112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 2112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 2112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 636 wrote to memory of 2112 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2112 wrote to memory of 2704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2112 wrote to memory of 2704 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$R0.dll

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32

Network

N/A

Files

\PROGRA~2\3721\autolive.dll

MD5 7ff63507a1ea33dc677c1f0a838fadf6
SHA1 c35183495c7d90f22ad83970b4a86ca0c4b8b433
SHA256 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
SHA512 cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d

memory/2112-15-0x0000000000190000-0x00000000001B3000-memory.dmp

C:\PROGRA~2\3721\helper.dll

MD5 49ae58008fc003af6f952a82c33aa3dd
SHA1 330630c95b6be9b61398d5952be9ee1f45799606
SHA256 8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873
SHA512 bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3

Analysis: behavioral14

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

52s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\SysWOW64\regsvr32.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~2\3721\autolive.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\i3721res.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\3721\Helper.dll C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\3721\cns01.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\cns01.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File opened for modification C:\PROGRA~2\3721\cns01.dat C:\Windows\SysWOW64\regsvr32.exe N/A
File created C:\PROGRA~2\3721\Helper.dll C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\autolive.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer\ = "AutoLive.Live.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\PROGRA~2\\3721\\autolive.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2232 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3012 wrote to memory of 2232 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3012 wrote to memory of 2232 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2232 wrote to memory of 1000 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 1000 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2232 wrote to memory of 1000 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\$R0.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\$R0.dll

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

C:\PROGRA~2\3721\3721\cns01.dat

MD5 af759437bb010b6312207e76a40a8878
SHA1 39db4bb04d290e80fc231ac9220ba71aac4b4751
SHA256 f94ca0f6a520ccfea930feb39e7b02c1c0b70ebd72ade0362a220965ea8eeb0f
SHA512 1eac5778935fc6728bdd1fb4d6c96265c75796eff31490246b80cd5b899e081797abd5fd7735c61756498006ac3007cc63805af8f6590b58582ad142c39ff2af

C:\Program Files (x86)\3721\autolive.dll

MD5 7ff63507a1ea33dc677c1f0a838fadf6
SHA1 c35183495c7d90f22ad83970b4a86ca0c4b8b433
SHA256 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
SHA512 cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d

memory/2232-19-0x0000000000710000-0x0000000000733000-memory.dmp

C:\PROGRA~2\3721\Helper.dll

MD5 49ae58008fc003af6f952a82c33aa3dd
SHA1 330630c95b6be9b61398d5952be9ee1f45799606
SHA256 8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873
SHA512 bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3

Analysis: behavioral20

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240508-en

Max time kernel

51s

Max time network

53s

Command Line

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\DVD Identifier.chm"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\hh.exe N/A
N/A N/A C:\Windows\hh.exe N/A

Processes

C:\Windows\hh.exe

"C:\Windows\hh.exe" "C:\Users\Admin\AppData\Local\Temp\DVD Identifier.chm"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20231129-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe

"C:\Users\Admin\AppData\Local\Temp\DVD Identifier.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 DVD.Identifier.CDfreaks.com udp
US 104.21.87.174:80 DVD.Identifier.CDfreaks.com tcp
US 104.21.87.174:80 DVD.Identifier.CDfreaks.com tcp
US 104.21.87.174:80 DVD.Identifier.CDfreaks.com tcp

Files

memory/2392-0-0x0000000000400000-0x00000000005C8000-memory.dmp

memory/2392-1-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2392-2-0x0000000000400000-0x00000000005C8000-memory.dmp

memory/2392-3-0x0000000000240000-0x0000000000241000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240508-en

Max time kernel

118s

Max time network

119s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\InstallOptions.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2988 -s 244

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240220-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\3.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\7.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\profile.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\4.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\2.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\8.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\9.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\prodef.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\10.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\5.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\custom.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\Program Files (x86)\3721\AutoLive.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\11.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\2.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\6.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\7.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\Logo.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\Logo.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\Program Files (x86)\3721\Assist\asbar.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\11.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\4.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\6.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\3.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\5.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\8.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\3721\cns01.dat C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\profile.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Helper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\custom.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File opened for modification C:\PROGRA~2\3721\cns01.dat C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\10.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\1.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\9.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\prodef.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\Program Files (x86)\3721\Assist\assist.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\coolbar.cab C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\3721\Helper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\cns01.dat C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\1.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\i3721res.dat C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\ = "assist" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib\ = "{19069804-2CF0-4357-B696-BA6E9AAD99EF}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\AutoLive.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\Assist\\assist.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CLSID C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\Assist\\assist.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\3721\\Assist\\" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\CLSID\ = "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\ = "AutoLive" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32\ = "C:\\Program Files (x86)\\3721\\Assist\\asbar.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID\ = "CoolBar.CoolBarObj.1" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer\ = "AutoLive.Live.1" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\ = "Assist 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CurVer C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\ = "AutoLive 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID\ = "CoolBar.CoolBarObj" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "ÉÏÍøÖúÊÖ" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\ = "EasyAssist Class" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsiFDA2.tmp\System.dll

MD5 b21538d9f049d3e3e8b666744d7ca36d
SHA1 b97fc58f9aa238758a7574a2e32dac4e97392f47
SHA256 9dbe958fd425903ffc2197a112bec4fa597284f9637fe8fd5685016f32e21334
SHA512 05d2c660a43519fd35daa3b4310419b33e61ce8557bde55942315ca59c3b9cb9fdeaea42c403ad78a54fa9923eaa712bcf5a10dea83619a18c4ef0c451e6d533

\Users\Admin\AppData\Local\Temp\nsiFDA2.tmp\wmpns.dll

MD5 67a76be36af407f74a340515312da5f8
SHA1 e1bf0b505629ccbbf2e0ec86b30e31ac1f7f835d
SHA256 eff43f4fd70798e1ad53302b38f14c8f905eacb404a650f82f61f7a222863571
SHA512 35b6821dc440ed8254a1a84c7ed002013d71321327a09e4e2144801651cb47c288fe9eef100fb09ccd43dfa5c562b6a8c3013059f0d46ff9d921585c217c17ac

\Program Files (x86)\3721\AutoLive.dll

MD5 7ff63507a1ea33dc677c1f0a838fadf6
SHA1 c35183495c7d90f22ad83970b4a86ca0c4b8b433
SHA256 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
SHA512 cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d

C:\PROGRA~2\3721\helper.dll

MD5 49ae58008fc003af6f952a82c33aa3dd
SHA1 330630c95b6be9b61398d5952be9ee1f45799606
SHA256 8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873
SHA512 bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3

\Program Files (x86)\3721\Assist\asbar.dll

MD5 aaf5a6b61ca11868c31011a68d95a5ef
SHA1 d58bb83332af9e56758ff5cb1fcd3173567e6c4c
SHA256 a8cd1c0f58135ad104b0d2a3064d3d4b9792be5ff40a721aac7eb37e26708b36
SHA512 e6461950958a38089197932f6ba34b578a6d6932e1cf7412a2c93f5841e853468037c0cd2081d3ef5f744ab04df7b8b967113aa255066a1f22ae980dc6ceca3b

\Program Files (x86)\3721\Assist\assist.dll

MD5 a3cbf83f654e5cc90422f4cc7a44f339
SHA1 58d03194e3e7691e30294a19ba798005fe9eba0b
SHA256 985815be546603778889135b8057ca9e43494993b21d880e7ad164659fff8060
SHA512 5f56d5dd8f4443ebaea493ae56f940fa68c1b384f045c8d01f64c92440cbcc10fc83f6a3cab924d258a90345c51bd5d1c481338a627b521a1384a570e2958d76

Analysis: behavioral18

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\Users\Admin\AppData\Local\Temp\remotesetup.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\remotesetup.exe:*:Enabled:DuDuAcc" C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplica C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\DDD_Install_Program.job C:\Users\Admin\AppData\Local\Temp\remotesetup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\DUDU_HH.exe"

C:\Users\Admin\AppData\Local\Temp\remotesetup.exe

C:\Users\Admin\AppData\Local\Temp\remotesetup.exe

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\remotesetup.exe

MD5 431f73f47db54f39affaf01d059ddc19
SHA1 494a98579d991201f79bc62138f3614eba7a6bf4
SHA256 432ce523edf6eac5d01b085ebb8ccda80c16e72618ed4ef75312884b171fe281
SHA512 94d5f6d28dbb9934013b2908e95a69374fcb93384c8333807a7bcf437b6e3638bf1aad92e894fbb282c28eebdcbda770752f2e43d9c6c7ac9e892c647ccab79b

Analysis: behavioral5

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1932 -s 232

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5000 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5000 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5000 wrote to memory of 448 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Splash.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 448 -ip 448

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 448 -s 616

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

N/A

Analysis: behavioral24

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240611-en

Max time kernel

137s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2904,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=1416 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 3df27c497a8e36ba8da1fbe16d08c617
SHA1 eeba54b50da6c9e68e97327c8760f4bc3343485d
SHA256 a3cfb3fa37649c409e04023fcc0cf9c9d12ac69bd102294b966905ee850d1efd
SHA512 9fc28adfb87427f15f566790f7ef182190a03f2430721120fe628b4f5f5fe63fd1785f6c09f63494f911eb16d7228e37ca17c87d113a48196e66399b47eaead7

C:\Users\Admin\AppData\Local\Temp\nszEA32.tmp\LangDLL.dll

MD5 dbab668ce84d6b38824ed1c9b9121adb
SHA1 de8c80d7b0d01fafb750b2bded1f055d102aa3d0
SHA256 ede19cf9613ccbf2f4c731f6eb1460efe56484e97c8a0745a2a5460571e64f11
SHA512 5857680db3b642f14742ad55a3349cbe059c18c5dc58ae0def53886df5eb2c9abf5e444db1bc8449db779c33e940f8f2c4a7520ad8f374b9f2f01e57d6a2c953

Analysis: behavioral12

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240611-en

Max time kernel

140s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe"

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\helper.dll = "C:\\Windows\\system32\\rundll32.exe C:\\PROGRA~2\\3721\\helper.dll,Rundll32" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "AssistII" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\5.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\1.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\2.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\3721\Helper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\cns01.dat C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\coolbar.cab C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\2.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\Logo.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\9.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\Program Files (x86)\3721\AutoLive.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Helper.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\10.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\6.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\6.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\Logo.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\3721\cns01.dat C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File opened for modification C:\PROGRA~2\3721\cns01.dat C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\7.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\10.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\custom.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\4.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\5.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\7.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\custom.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\Program Files (x86)\3721\Assist\asbar.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\11.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\prodef.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\8.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\1.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\4.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\3.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\prodef.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\profile.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\Program Files (x86)\3721\Assist\assist.dll C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\11.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\Coolbar\3.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\i3721res.dat C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\8.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\9.bmp C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
File created C:\PROGRA~2\3721\Assist\3721\Coolbar\profile.ini C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\CustomizeSearch = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CFBFAE00-17A6-11D0-99CB-00C04FD64497} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "coolbar" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Search\SearchAssistant = "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Internet Explorer\URLSearchHooks C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{BB936323-19FA-4521-BA29-ECA6A121BC78} = "????" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ = "ÉÏÍøÖúÊÖ" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID\ = "{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\TypeLib C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\FLAGS C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\HELPDIR\ = "C:\\PROGRA~2\\3721\\Assist" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\ = "IEasyAssist" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CurVer\ = "CoolBar.CoolBarObj.1" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\ = "CoolBar 1.0 Type Library" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1\CLSID\ = "{BB936323-19FA-4521-BA29-ECA6A121BC78}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\Programmable C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\AutoLive.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ = "IToolBandObj" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\Assist\\assist.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1\ = "Live Class" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\HELPDIR C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\ = "EasyAssist Class" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\ProgID C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\TypeLib\ = "{D4839331-534D-4D0C-875F-D25AF6A10CCC}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7436DB12-1A7A-4D87-A4E0-713EC9D86050}\ProxyStubClsid32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\ = "{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\InprocServer32\ = "C:\\Program Files (x86)\\3721\\Assist\\asbar.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj.1 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1\CLSID\ = "{1B0E7716-898E-48cc-9690-4E338E8DE1D3}" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\CLSID C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\AutoLive.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7CA83CF1-3AEA-42D0-A4E3-1594FC6E48B2}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\3721\\Assist\\" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CoolBar.CoolBarObj\ = "ÉÏÍøÖúÊÖ" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CLSID C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\CurVer C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\TypeLib\Version = "1.0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist.1 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Assist.EasyAssist\CLSID C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live\ = "Live Class" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BB936323-19FA-4521-BA29-ECA6A121BC78}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{19069804-2CF0-4357-B696-BA6E9AAD99EF}\1.0\0\win32\ = "C:\\PROGRA~2\\3721\\Assist\\assist.dll" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE08F6BC-C3E6-4149-BEB1-CB449E1B372E}\ = "ILive" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{924F5B3A-7A27-484A-B873-E855C9708667} C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D4839331-534D-4D0C-875F-D25AF6A10CCC}\1.0\0\win32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{4158DB95-DE71-41FF-BEA1-2C3D1C679DF1}\1.0\FLAGS\ = "0" C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1B0E7716-898E-48CC-9690-4E338E8DE1D3}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AutoLive.Live.1 C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe

"C:\Users\Admin\AppData\Local\Temp\$TEMP\Assist_hanzify.exe"

C:\Windows\SysWOW64\rundll32.exe

C:\Windows\system32\rundll32.exe C:\PROGRA~2\3721\helper.dll,Rundll32

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
NL 23.62.61.155:443 www.bing.com tcp
US 8.8.8.8:53 155.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsj5E7D.tmp\System.dll

MD5 b21538d9f049d3e3e8b666744d7ca36d
SHA1 b97fc58f9aa238758a7574a2e32dac4e97392f47
SHA256 9dbe958fd425903ffc2197a112bec4fa597284f9637fe8fd5685016f32e21334
SHA512 05d2c660a43519fd35daa3b4310419b33e61ce8557bde55942315ca59c3b9cb9fdeaea42c403ad78a54fa9923eaa712bcf5a10dea83619a18c4ef0c451e6d533

C:\Users\Admin\AppData\Local\Temp\nsj5E7D.tmp\wmpns.dll

MD5 67a76be36af407f74a340515312da5f8
SHA1 e1bf0b505629ccbbf2e0ec86b30e31ac1f7f835d
SHA256 eff43f4fd70798e1ad53302b38f14c8f905eacb404a650f82f61f7a222863571
SHA512 35b6821dc440ed8254a1a84c7ed002013d71321327a09e4e2144801651cb47c288fe9eef100fb09ccd43dfa5c562b6a8c3013059f0d46ff9d921585c217c17ac

C:\Program Files (x86)\3721\AutoLive.dll

MD5 7ff63507a1ea33dc677c1f0a838fadf6
SHA1 c35183495c7d90f22ad83970b4a86ca0c4b8b433
SHA256 68dbf3a7828473663ca275c6eef36d91ae0e620baa7c1583d0bbc4f780dbe5c3
SHA512 cdb8901c61e92894cf471fc305b0087f4849a71b8cb9f04eb6ddc6b53f90825532ceaaf57f6e5f98ff1f5a18ba20a0ecb6583a12e8777b5145704058582eb27d

C:\PROGRA~2\3721\3721\cns01.dat

MD5 af759437bb010b6312207e76a40a8878
SHA1 39db4bb04d290e80fc231ac9220ba71aac4b4751
SHA256 f94ca0f6a520ccfea930feb39e7b02c1c0b70ebd72ade0362a220965ea8eeb0f
SHA512 1eac5778935fc6728bdd1fb4d6c96265c75796eff31490246b80cd5b899e081797abd5fd7735c61756498006ac3007cc63805af8f6590b58582ad142c39ff2af

C:\PROGRA~2\3721\Helper.dll

MD5 49ae58008fc003af6f952a82c33aa3dd
SHA1 330630c95b6be9b61398d5952be9ee1f45799606
SHA256 8036ad2d2f302fafdef719836277834dd4f39289c326439543a86ac899384873
SHA512 bc9f20a02903452ecfa63fe290bfa550b10ce548247bb2452c3eb23bbca48d82144ab2fad22e4da7349465a3e0be5230b9cc0e2028a3318d7ea2990bca7ae8c3

C:\Program Files (x86)\3721\Assist\asbar.dll

MD5 aaf5a6b61ca11868c31011a68d95a5ef
SHA1 d58bb83332af9e56758ff5cb1fcd3173567e6c4c
SHA256 a8cd1c0f58135ad104b0d2a3064d3d4b9792be5ff40a721aac7eb37e26708b36
SHA512 e6461950958a38089197932f6ba34b578a6d6932e1cf7412a2c93f5841e853468037c0cd2081d3ef5f744ab04df7b8b967113aa255066a1f22ae980dc6ceca3b

C:\Program Files (x86)\3721\Assist\assist.dll

MD5 a3cbf83f654e5cc90422f4cc7a44f339
SHA1 58d03194e3e7691e30294a19ba798005fe9eba0b
SHA256 985815be546603778889135b8057ca9e43494993b21d880e7ad164659fff8060
SHA512 5f56d5dd8f4443ebaea493ae56f940fa68c1b384f045c8d01f64c92440cbcc10fc83f6a3cab924d258a90345c51bd5d1c481338a627b521a1384a570e2958d76

Analysis: behavioral23

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Processes

C:\Users\Admin\AppData\Local\Temp\uninst.exe

"C:\Users\Admin\AppData\Local\Temp\uninst.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

MD5 3df27c497a8e36ba8da1fbe16d08c617
SHA1 eeba54b50da6c9e68e97327c8760f4bc3343485d
SHA256 a3cfb3fa37649c409e04023fcc0cf9c9d12ac69bd102294b966905ee850d1efd
SHA512 9fc28adfb87427f15f566790f7ef182190a03f2430721120fe628b4f5f5fe63fd1785f6c09f63494f911eb16d7228e37ca17c87d113a48196e66399b47eaead7

\Users\Admin\AppData\Local\Temp\nsy21F3.tmp\LangDLL.dll

MD5 dbab668ce84d6b38824ed1c9b9121adb
SHA1 de8c80d7b0d01fafb750b2bded1f055d102aa3d0
SHA256 ede19cf9613ccbf2f4c731f6eb1460efe56484e97c8a0745a2a5460571e64f11
SHA512 5857680db3b642f14742ad55a3349cbe059c18c5dc58ae0def53886df5eb2c9abf5e444db1bc8449db779c33e940f8f2c4a7520ad8f374b9f2f01e57d6a2c953

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 06:12

Reported

2024-06-20 06:14

Platform

win10v2004-20240508-en

Max time kernel

125s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe

"C:\Users\Admin\AppData\Local\Temp\HA_DVDIdentifier401_Fire.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x300 0x504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4008,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=4100 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.143.123.92.in-addr.arpa udp
US 8.8.8.8:53 97.90.14.23.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsaDFF1.tmp\Splash.dll

MD5 e07ad0d2f86ddf926911e3d2dbc2021e
SHA1 370c93de8c9ba9549b0a646b329cb8d2fc7c91f8
SHA256 2ada4d9531a62772ddd7eeb0737fe91925982c543990d9c0d4faaadde12b7ed0
SHA512 c13747e3cb2d6712f3bf19bfe1bbbab47763239a4e21bbe685edbedae98bda9c7b8e4e06c22e8b7737752a3c3129e07c91c00b6e90ac741e891bc1bfa966fdae

C:\Users\Admin\AppData\Local\Temp\nsaDFF1.tmp\System.dll

MD5 10c44246d99a1c2e5f5e6b52b111a63d
SHA1 0f41da79c3e789f4ae38738e3a5d73c538f8af4f
SHA256 7a24883bdbf08ce90938094b6ab6f09a842af10b18b8ae4d70da2e6b806490b8
SHA512 e5b0fa27cd02a67be5eb9c63646621d3e9ccfada98659c50dee8310a58ce12e1a6a059788b85f0f440067ed7e281a0e1a526b9403993b9000f91a51bfbb50da3

C:\Users\Admin\AppData\Local\Temp\nsaDFF1.tmp\InstallOptions.dll

MD5 1e8f2fefe3ce893b117b26948b8978cb
SHA1 59cfc6c3f5716e91609e54ca80ae8b06c93ef8ab
SHA256 8203ae1589a50e6ff012e5d27bdd4f8ed7506077ca9b052827f5e90aaeb98519
SHA512 b3c36e1aa5d3ee5f482f4175a7d6fe10cf2bf3bd3423ab4266d11c4181cfbc7e3f66a30855034a8ec026a4d5987598f0116e98519b7445d9e5687bcbab2c0e5c

C:\Users\Admin\AppData\Local\Temp\nsaDFF1.tmp\ioSpecial.ini

MD5 c07d4cf5fbed5079e3fccabf4eaeaff6
SHA1 5126cc3fbdf21fffa773b5babaad909611b1ae27
SHA256 fd5e06256f7b45edd84bdc6a55ee6a79549ba8ea35e5c8b15f3dc86d7363e28b
SHA512 f2182cd7b4bb5b34648b88e9715500a6903808f072aebe068bc8f165a06c72d006d9ade3bafe264ae0e9056ab0c6261ac5ae28aad808656fb3d3aa17612dbe62