Malware Analysis Report

2025-03-15 04:30

Sample ID: 241025-19vndawhrn
Target: 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N
SHA256: 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25
Tags: discovery adware evasion persistence privilege_escalation spyware stealer upx
Score: 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral4, behavioral6, behavioral7, behavioral5, behavioral8, behavioral1, behavioral2, behavioral3 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 9/10

SHA256: 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25

Threat Level: Likely malicious

The file 1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N was found to be: Likely malicious.

What the detonations show: the sample is an NSIS installer. In the Windows 7 run (behavioral1) it extracts a second-stage installer, C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe, which drops a "Hello-Notifier" package into C:\Program Files (x86)\Hello-Notifier, registers a Browser Helper Object with CLSID {11111111-1111-1111-1111-110311791128} and display name "CrossriderApp0037928" through both the 64-bit (system32) and the 32-bit (SysWOW64) regsvr32.exe, writes scheduled-task .job files for its enabler, updater, codedownloader and firefoxinstaller components under C:\Windows\Tasks, and adds Internet Explorer Low Rights ElevationPolicy entries that let those components be started from a Protected Mode browser without a prompt. The BHO name and the bundled 37928.xpi Firefox add-on point to the Crossrider adware framework. Runs behavioral4 through behavioral8 each execute one NSIS plugin DLL from $PLUGINSDIR (StdUtils.dll, System.dll or WrapperUtils.dll) through rundll32.exe; those calls crash at once and show no sample activity, and the network rows in the Windows 10 runs are operating-system background traffic (PTR lookups and Bing endpoints), not contact with infrastructure belonging to the sample.

Malicious Activity Summary

discovery adware evasion persistence privilege_escalation spyware stealer upx

Checks for common network interception software

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Event Triggered Execution: Component Object Model Hijacking

Installs/modifies Browser Helper Object

Checks installed software on the system

UPX packed file

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Program crash

System Location Discovery: System Language Discovery

NSIS installer

System policy modification

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-25 22:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A (4 identical rows; no indicator details were captured for the static match)

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-10-25 22:21

Reported

2024-10-25 22:24

Platform

win10v2004-20241007-en

Max time kernel

134s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

This run (like behavioral5 to behavioral8) executes one NSIS plugin DLL that the installer unpacks into $PLUGINSDIR, calling its export with ordinal 1. NSIS plugin exports are written for the installer's own calling convention (parent window handle, string size, variable block and stack pointer supplied by the NSIS runtime); rundll32 calls them with its own (HWND, HINSTANCE, command line, show flag) arguments instead, so the function reads invalid pointers and the process faults. The Program crash signature below is a consequence of how the DLL was launched, not a behaviour of the sample, and nothing past the crash is observable in this run.

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 4080 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

The writer is the 64-bit rundll32.exe in system32 and the target is the 32-bit copy in SysWOW64. When the 64-bit rundll32 is handed a 32-bit DLL it starts its SysWOW64 counterpart and passes the command line on to it; these writes belong to that hand-off, not to injection into a foreign process, and the same pattern appears in every Windows 10 run in this report.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4080 -ip 4080

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4080 -s 612

Network

No process in this run is attributed to the traffic below. The destinations are 8.8.8.8 PTR lookups and the Bing endpoints (g.bing.com, tse1.mm.bing.net) that a Windows 10 image contacts on its own; treat them as sandbox background noise, not as indicators for the sample. The Windows 7 runs of the same plugin DLLs (behavioral5, behavioral7) record no network activity at all.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 103.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-10-25 22:21

Reported

2024-10-25 22:24

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2168 wrote to memory of 3968 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3968 -ip 3968

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3968 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 68.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-10-25 22:21

Reported

2024-10-25 22:24

Platform

win7-20241010-en

Max time kernel

121s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2352 -s 224

Network

N/A

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-10-25 22:21

Reported

2024-10-25 22:24

Platform

win7-20240903-en

Max time kernel

122s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1644 -s 224

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-10-25 22:21

Reported

2024-10-25 22:24

Platform

win10v2004-20241007-en

Max time kernel

135s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1916 wrote to memory of 1984 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (3 identical events)

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\WrapperUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1984 -ip 1984

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 210.108.222.173.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 110.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-25 22:21

Reported

2024-10-25 22:24

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"

Signatures

Checks for common network interception software

evasion

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A (4 events)
N/A N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A (60 events)

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware

A BHO is an in-process COM object that Internet Explorer loads into the browser. The registration is performed twice, by C:\Windows\system32\regsvr32.exe for the native 64-bit view and by C:\Windows\SysWOW64\regsvr32.exe for the Wow6432Node view, so both the 32-bit and the 64-bit browser pick it up. NoExplorer = 1 stops Windows Explorer from loading the object, which keeps the component confined to the browser. The display name "CrossriderApp0037928" carries the same application number as the 37928.xpi Firefox add-on dropped into Program Files. The CLSID {11111111-1111-1111-1111-110311791128} is the value to search for on other hosts.

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 identical rows)

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Installer.log C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\utils.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-helper.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.dll C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\background.html C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\37928.xpi C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-updater.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.dll C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier.ico C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A

Drops file in Windows directory

Every file below is a legacy Task Scheduler job definition (.job) in C:\Windows\Tasks, one per Hello-Notifier component (enabler, updater, firefoxinstaller, codedownloader, plus a temp_ copy of the enabler job). This is the sample's reboot persistence (ATT&CK T1053.005, Scheduled Task); no Run key or service is reported in this run. Collect the .job files together with the C:\Program Files (x86)\Hello-Notifier directory when responding.

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware

The Low Rights\ElevationPolicy key tells Internet Explorer's Protected Mode what to do when the low-integrity browser tries to start the executable named in AppName from AppPath. Policy = 3 means launch silently as a medium-integrity process, i.e. outside the Protected Mode sandbox with no prompt; Policy = 1 (used for Hello-Notifier-bg.exe) means launch silently at low integrity; 0 would block the launch and 2 would prompt the user. The installer writes these entries into the native HKLM view, the Wow6432Node view and the user hive, so every Hello-Notifier helper can be started from the browser-side component regardless of browser bitness. Two of the user-hive CLSIDs are recorded with a short group ({28393C46-5B51-44B1-B23-55ABD687C4A3} and {D4652AA2-F8-4E28-BE1A-9A2C646672DD}); they are reproduced here exactly as captured and should be matched as written, not corrected, when used as indicators.

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EBE436A0-ED1B-421E-846A-8CFC6118531D}\AppName = "Hello-Notifier-enabler.exe-codedownloader.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28393C46-5B51-44B1-B23-55ABD687C4A3}\AppName = "Hello-Notifier-enabler.exe-helper.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28393C46-5B51-44B1-B23-55ABD687C4A3}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28393C46-5B51-44B1-B23-55ABD687C4A3}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4652AA2-F8-4E28-BE1A-9A2C646672DD}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EBE436A0-ED1B-421E-846A-8CFC6118531D}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2CC577A8-E05C-406A-849A-BB5ABAA5EEF3}\AppName = "Hello-Notifier-enabler.exe-buttonutil64.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EBE436A0-ED1B-421E-846A-8CFC6118531D}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Hello-Notifier-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{28393C46-5B51-44B1-B23-55ABD687C4A3} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{D4652AA2-F8-4E28-BE1A-9A2C646672DD}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Isolation = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{EBE436A0-ED1B-421E-846A-8CFC6118531D} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{2CC577A8-E05C-406A-849A-BB5ABAA5EEF3} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CurVer\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\ C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID\ = "CrossriderApp0037928.BHO.1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\ProgID\ = "CrossriderApp0037928.Sandbox.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\VersionIndependentProgID\ = "CrossriderApp0037928.Sandbox" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win32\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Hello-Notifier" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\ = "CrossriderApp0037928.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{55555555-5555-5555-5555-550355795528}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CurVer\ = "CrossriderApp0037928.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\ProgID\ = "CrossriderApp0037928.Sandbox.1" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win64\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho64.dll" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\ = "CrossriderApp0037928" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CurVer\ = "CrossriderApp0037928" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\Implemented Categories\{59fb2056-d625-48d0-a944-1a85b5ab2640} C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{66666666-6666-6666-6666-660366796628} C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe
PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe
PID 2872 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2872 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2872 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2872 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2872 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2872 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2872 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 2872 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2872 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2872 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2872 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 2872 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2872 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1552 wrote to memory of 524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1552 wrote to memory of 524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1552 wrote to memory of 524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1552 wrote to memory of 524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1552 wrote to memory of 524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1552 wrote to memory of 524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1552 wrote to memory of 524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 2872 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 2872 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 2872 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 2872 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe
PID 876 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe
PID 876 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe
PID 876 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe
PID 876 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311791128} = "1" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
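The registry rows above (the Low Rights\ElevationPolicy and Isolation values written by Ewfmukuhwkg.exe and Hello-Notifier-enabler.exe, the COM registration performed through regsvr32.exe under Modifies registry class, and the Policies\Ext\CLSID value under System policy modification) are one mechanism seen from three angles: get the Crossrider BHO loaded in Internet Explorer and keep it loaded. Policy = 3 on an ElevationPolicy entry tells Protected Mode to start the named executable silently at medium integrity, so each Hello-Notifier helper registered that way (buttonutil, buttonutil64, codedownloader, helper) can be launched from the low-integrity browser without a prompt; the one entry with Policy = 1 stays at low integrity. Isolation = PMIL turns Enhanced Protected Mode off (PMEM is on), and rewriting CheckedValue and DefaultValue under AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY to PMIL means the Internet Options checkbox that would re-enable it writes PMIL in either state. Policies\Ext\CLSID\{clsid} = 1 is the add-on management policy value that marks an add-on enabled with the user unable to disable it, and FEATURE_BROWSER_EMULATION = 8000 pins the WebBrowser control hosted by Hello-Notifier-bg.exe to IE8 standards mode. The script below is an added example, not part of the report or of the sample: it parses rows in the page's own Description Indicator Process Target layout (a subset copied from this page as sample input), merges the HKLM, Wow6432Node and HKCU copies of each ElevationPolicy GUID, and emits one finding per mechanism. The value meanings are Microsoft's (Protected Mode elevation policy, Enhanced Protected Mode, add-on management); the row regex assumes the sandbox's layout, in which a registry path never contains a space followed by a drive letter.

```python
"""Group the registry rows above by what they do to Internet Explorer.

Added example for this report, not code from the sample or the sandbox.
SAMPLE_ROWS is a subset copied from the tables on this page; the value
meanings are Microsoft's (Protected Mode elevation policy, Enhanced
Protected Mode Isolation PMEM/PMIL, add-on management policy key).
"""
import re

# Row layout used by the report: <op> <key>[ = "<value>"] <process> N/A
ROW = re.compile(
    r'^(?P<op>Set value \((?:str|int)\)|Key created|Key deleted) '
    r'(?P<key>\\REGISTRY\\.*?)(?: = "(?P<value>[^"]*)")? '
    r'(?P<proc>[A-Z]:\\.*?) N/A$')
ELEV = re.compile(r'\\Low Rights\\ElevationPolicy\\\{(?P<guid>[^}]+)\}'
                  r'\\(?P<name>AppName|AppPath|Policy)$', re.I)
EPM = re.compile(r'\\Internet Explorer\\(?:Main\\Isolation|AdvancedOptions'
                 r'\\CRYPTO\\PROTECTEDMODESECURITY\\\w+)$', re.I)
ADDON_POLICY = re.compile(r'\\Policies\\Ext\\CLSID\\\{(?P<clsid>[^}]+)\}$', re.I)
TYPELIB_BIN = re.compile(r'\\Classes\\TypeLib\\\{[^}]+\}\\[\d.]+\\0\\'
                         r'(?P<arch>win32|win64)\\$', re.I)
PROGID = re.compile(r'\\Classes\\(?:Wow6432Node\\)?CLSID\\\{(?P<clsid>[^}]+)\}'
                    r'\\ProgID\\$', re.I)
FEATURE = re.compile(r'\\FeatureControl\\(?P<feature>FEATURE_\w+)\\(?P<exe>[^\\]+)$', re.I)

# Documented meaning of the "Policy" value on an ElevationPolicy entry.
POLICY_MEANING = {"0": "blocked", "1": "silent launch at low integrity",
                  "2": "prompt, then launch at medium integrity",
                  "3": "silent launch at medium integrity (escapes Protected Mode)"}

SAMPLE_ROWS = [  # copied from the tables above (subset)
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\Policy = "1" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Isolation = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION\Hello-Notifier-bg.exe = "8000" C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win64\ = "C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-bho64.dll" C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ProgID\ = "CrossriderApp0037928.BHO.1" C:\Windows\system32\regsvr32.exe N/A',
    r'Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311791128} = "1" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A',
]


def parse_rows(lines):
    rows = []
    for line in lines:
        m = ROW.match(line.strip())
        if m is None:
            raise ValueError("unrecognised row: " + line[:60])
        rows.append(m.groupdict())
    return rows


def analyse(rows):
    out = {"elevation": {}, "epm_off": [], "forced_addons": [],
           "bho_binaries": {}, "progids": {}, "feature_control": {}}
    for r in rows:
        key, val, proc = r["key"], r["value"], r["proc"]
        if val is None:                 # key created/deleted rows carry no value
            continue
        if m := ELEV.search(key):
            # the same GUID is written to HKLM, HKLM\Wow6432Node and HKCU;
            # merge the copies so each broker shows up once
            out["elevation"].setdefault(m["guid"].lower(), {})[m["name"]] = val
        elif EPM.search(key) and val.upper() == "PMIL":
            out["epm_off"].append((key.rsplit("\\", 1)[1], proc))
        elif (m := ADDON_POLICY.search(key)) and val == "1":
            out["forced_addons"].append(m["clsid"].lower())   # user cannot disable it
        elif m := TYPELIB_BIN.search(key):
            out["bho_binaries"][m["arch"].lower()] = val
        elif m := PROGID.search(key):
            out["progids"][m["clsid"].lower()] = val
        elif m := FEATURE.search(key):
            out["feature_control"][m["exe"]] = (m["feature"].upper(), val)
    return out


def medium_integrity_launchers(result):
    """Executables IE's broker will start silently outside Protected Mode."""
    return sorted(e.get("AppName", "{%s}" % g)
                  for g, e in result["elevation"].items() if e.get("Policy") == "3")


def findings(result):
    lines = ["ElevationPolicy {%s}: %s in %s -> Policy %s (%s)" % (
                 g, e.get("AppName", "?"), e.get("AppPath", "?"), e.get("Policy", "?"),
                 POLICY_MEANING.get(e.get("Policy"), "unknown"))
             for g, e in sorted(result["elevation"].items())]
    lines += ["Enhanced Protected Mode off: %s = PMIL written by %s" % x
              for x in result["epm_off"]]
    lines += ["Add-on {%s} forced on via Policies\\Ext\\CLSID" % c for c in result["forced_addons"]]
    lines += ["COM class {%s} registered as %s" % x for x in result["progids"].items()]
    lines += ["BHO %s binary: %s" % x for x in sorted(result["bho_binaries"].items())]
    lines += ["%s for %s = %s" % (f, exe, v) for exe, (f, v) in result["feature_control"].items()]
    return lines


if __name__ == "__main__":
    print("\n".join(findings(analyse(parse_rows(SAMPLE_ROWS)))))
```

Run it on the full tables rather than the subset and the elevation map will also show the two GUIDs the report records with a short group ({D4652AA2-F8-...} and {28393C46-5B51-44B1-B23-...}); they are kept as written, since that is what the sample wrote.
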

Processes

C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe

"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"

C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe

"C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe"

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe" /installxpi /agentregpath='Hello-Notifier' /extensionfilepath='C:\Program Files (x86)\Hello-Notifier\37928.xpi' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=C8E2DCC5A6CF4FF7B42DD370EFA11E57IE /verifier=4a528f6bf10fd500734c482f8f5dcc48 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894892 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /waitforbrowser=300 /extensionid=b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com /extensionversion=0.93 /prefsbranch=ab2c81c064b2f4808b3abef6f49041f37f562099a802243b2aad598abd7b264a4com37928 /updateurl=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/37928.rdf /extensionname='Hello-Notifier' /extensiondesc='Hello Notifier extention' /publishername='Hello-Notifier' /defbro=ie /allusers /allprofiles /checkfflist /autoupdateulr='http://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' /showthankyoupage /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /installapp /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=C8E2DCC5A6CF4FF7B42DD370EFA11E57IE /verifier=4a528f6bf10fd500734c482f8f5dcc48 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894892 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log' /downloadfromlocalpath='file://C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\extensionData'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /updateapp /dontsenddaily /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=C8E2DCC5A6CF4FF7B42DD370EFA11E57IE /verifier=4a528f6bf10fd500734c482f8f5dcc48 /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894892 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer-update /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log'

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log'

C:\Windows\system32\taskeng.exe

taskeng.exe {8F976A78-70AC-4D7A-AD29-17858635C0E5} S-1-5-18:NT AUTHORITY\System:Service:

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe" /enablebho /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=C8E2DCC5A6CF4FF7B42DD370EFA11E57IE /verifier=4a528f6bf10fd500734c482f8f5dcc48 /installerversion=1_34_1_29 /installationtime=1729894892 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /bhoguid=11111111-1111-1111-1111-110311791128 /defbro=ie /allusers /autoupdateulr='http://update.srvstatsdata.com/ie_enable_agent_updates/{CAMP_ID}/update.json' /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log'

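Under Suspicious use of WriteProcessMemory each row names the process that wrote and the process written into, and in this run every such pair is also a parent and its child from the Processes list (the NSIS stub 1999c56...N.exe writes into its extracted Ewfmukuhwkg.exe, which in turn writes into each Hello-Notifier binary it starts), so the table can be folded into a process tree. Two edges deserve a closer look: the 32-bit regsvr32.exe (PID 1552) writing into a system32 regsvr32.exe (PID 524) is the WOW64 regsvr32 handing Hello-Notifier-bho64.dll to the native one (the x64 command line in Processes shows only the arguments it was passed), and taskeng.exe (PID 876) starting Hello-Notifier-enabler.exe /enablebho is how a scheduled task's action is launched on that Windows version, so the installer registered a task. The code below is an added example, not the report's or the sample's; it rebuilds the tree from a subset of the rows (copied from the table, two duplicates kept to show the write count) and attaches the lineage notes an analyst would make. It rests on the assumption this table satisfies, that each write target was created by the writer; on a report where WriteProcessMemory is used to inject into an unrelated process, the sandbox's real parent PIDs would be needed instead.

```python
"""Fold the "wrote to memory of" rows above into a process tree.

Added example, not part of the report or the sample.  SAMPLE_ROWS is a
subset copied from the table above (two duplicates kept); the tree
assumes, as that table bears out, that each write target is a child the
writer had just created.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

WPM = re.compile(r'^PID (?P<ppid>\d+) wrote to memory of (?P<pid>\d+) N/A '
                 r'(?P<parent>[A-Z]:\\.*?) (?P<child>[A-Z]:\\.*)$')
# NSIS extracts its plugins to %TEMP%\ns<hex>.tmp\ and runs them from there
NSIS_PLUGIN_DIR = re.compile(r'\\appdata\\local\\temp\\ns[0-9a-z]+\.tmp\\')


@dataclass
class Proc:
    pid: int
    image: str
    ppid: Optional[int] = None
    writes: int = 0                       # rows in which the parent wrote to it
    children: list = field(default_factory=list)


SAMPLE_ROWS = [  # copied from the table above (subset, duplicates kept)
    r'PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe',
    r'PID 2420 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe',
    r'PID 2872 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe',
    r'PID 2872 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe',
    r'PID 2872 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe',
    r'PID 2872 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe',
    r'PID 2872 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe',
    r'PID 1552 wrote to memory of 524 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe',
    r'PID 2872 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe',
    r'PID 876 wrote to memory of 2432 N/A C:\Windows\system32\taskeng.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe',
]


def build_tree(lines):
    procs = {}
    for line in lines:
        m = WPM.match(line.strip())
        if m is None:
            raise ValueError("unrecognised row: " + line[:50])
        ppid, pid = int(m["ppid"]), int(m["pid"])
        parent = procs.setdefault(ppid, Proc(ppid, m["parent"]))
        child = procs.setdefault(pid, Proc(pid, m["child"]))
        if child.ppid is None:            # first row for this child: link it
            child.ppid = ppid
            parent.children.append(pid)
        child.writes += 1
    return procs


def roots(procs):
    return sorted(p.pid for p in procs.values() if p.ppid is None)


def lineage_flags(procs):
    """Per-PID notes derived from the image path and the parent's image."""
    flags = {}
    for p in procs.values():
        image = p.image.lower()
        parent = procs[p.ppid].image.lower() if p.ppid is not None else ""
        notes = []
        if NSIS_PLUGIN_DIR.search(image):
            notes.append("runs from an NSIS plugin directory (ns*.tmp)")
        elif "\\appdata\\local\\temp\\" in image:
            notes.append("runs from the user's Temp directory")
        if parent.endswith("\\taskeng.exe"):
            notes.append("started by Task Scheduler: a scheduled task was registered")
        if image.endswith("\\regsvr32.exe"):
            if not parent.startswith("c:\\windows\\"):
                notes.append("regsvr32 launched by a non-Windows binary (COM/BHO registration)")
            elif "\\syswow64\\" in parent and "\\system32\\" in image:
                notes.append("32-bit regsvr32 handed a 64-bit DLL to the native regsvr32")
        if "\\program files" in image and "\\appdata\\local\\temp\\" in parent:
            notes.append("dropped into Program Files and started by the installer stage")
        flags[p.pid] = notes
    return flags


def render(procs, pid=None, depth=0):
    """Indented tree, roots first, children in PID order."""
    if pid is None:
        return [l for r in roots(procs) for l in render(procs, r)]
    p = procs[pid]
    tag = "root" if p.ppid is None else "%d write(s)" % p.writes
    lines = ["%s%d %s [%s]" % ("  " * depth, p.pid, p.image, tag)]
    for c in sorted(p.children):
        lines += render(procs, c, depth + 1)
    return lines


if __name__ == "__main__":
    tree = build_tree(SAMPLE_ROWS)
    notes = lineage_flags(tree)
    for line in render(tree):
        print(line)
        for n in notes[int(line.split()[0])]:
            print("    ! " + n)
```

Two roots come out, the submitted sample (2420) and taskeng.exe (876); the second subtree is the persistence path, since nothing in the installer's own tree started Hello-Notifier-enabler.exe.
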
Network

Country Destination Domain Proto
US 8.8.8.8:53 update.srvstatsdata.com udp
SG 13.251.16.150:80 update.srvstatsdata.com tcp
US 8.8.8.8:53 errors.srvstatsdata.com udp
SG 13.251.16.150:80 errors.srvstatsdata.com tcp
US 8.8.8.8:53 stats.srvstatsdata.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 stats.mstatsserv.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
US 8.8.8.8:53 app-static.crossrider.com udp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
SG 13.251.16.150:80 stats.srvstatsdata.com tcp
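The Network table shows every lookup going to 8.8.8.8: 53 and every TCP connection going to one host, 13.251.16.150:80, under three srvstatsdata.com names, while stats.mstatsserv.com and app-static.crossrider.com are looked up but never connected to. Read against the command lines in Processes, the pattern is explainable: statsdomain, errorsdomain and autoupdateulr (the misspelling is the sample's own switch name) carry the three srvstatsdata.com hosts; codedownloaddomain carries app-static.crossrider.com, but the /installapp run was given /downloadfromlocalpath pointing at the extracted extensionData directory, so nothing had to be fetched; the hwcdn.net updateurl was never contacted in this run; and stats.mstatsserv.com appears in no command line at all, so it is baked into one of the binaries or into the downloaded extension code. The script below is an added example, not part of the report or of the sample: it parses /switch=value command lines (abridged copies of two lines from Processes; single-quoted values can contain spaces, as /extensiondesc does) and Network rows (a subset copied from the table), then reconciles the two into the three lists an analyst wants: domains no switch explains, domains only looked up, and configured hosts never contacted.

```python
"""Reconcile the command-line switches above with the Network table.

Added example, not part of the report or the sample.  CMDLINES are
abridged copies of two Processes entries, NETWORK_ROWS a subset of the
Network table; switch names are the sample's own, misspelling included.
"""
import re

ARG = re.compile(r'''/(?P<name>\w+)(?:=(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<bare>\S+)))?''')
HOST = re.compile(r"https?://(?P<host>[^/\s]+)", re.I)
NET = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>udp|tcp)$")

CMDLINES = [  # abridged from the Processes section above
    '"C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-firefoxinstaller.exe" '
    "/installxpi /agentregpath='Hello-Notifier' /appid=37928 "
    "/statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com "
    "/updateurl=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/37928.rdf "
    "/extensiondesc='Hello Notifier extention' /defbro=ie /allusers "
    "/autoupdateulr='http://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' "
    "/showthankyoupage /runfrom='installer'",
    '"C:\\Program Files (x86)\\Hello-Notifier\\Hello-Notifier-codedownloader.exe" '
    "/installapp /agentregpath='Hello-Notifier' /appid=37928 "
    "/statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com "
    "/codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer "
    "/downloadfromlocalpath='file://C:\\Users\\Admin\\AppData\\Local\\Temp\\nsdA1BD.tmp\\extensionData'",
]

NETWORK_ROWS = [  # copied from the Network table above (subset)
    "US 8.8.8.8:53 update.srvstatsdata.com udp",
    "SG 13.251.16.150:80 update.srvstatsdata.com tcp",
    "US 8.8.8.8:53 errors.srvstatsdata.com udp",
    "SG 13.251.16.150:80 errors.srvstatsdata.com tcp",
    "US 8.8.8.8:53 stats.srvstatsdata.com udp",
    "SG 13.251.16.150:80 stats.srvstatsdata.com tcp",
    "US 8.8.8.8:53 stats.mstatsserv.com udp",
    "SG 13.251.16.150:80 stats.srvstatsdata.com tcp",
    "SG 13.251.16.150:80 stats.srvstatsdata.com tcp",
    "US 8.8.8.8:53 app-static.crossrider.com udp",
    "SG 13.251.16.150:80 stats.srvstatsdata.com tcp",
]


def parse_args(cmdline):
    """Split a sandbox command line into (exe, {switch: value}); bare switches map to True."""
    if cmdline.startswith('"'):
        end = cmdline.index('"', 1)
        exe, rest = cmdline[1:end], cmdline[end + 1:]
    else:
        exe, _, rest = cmdline.partition(" ")
    args = {}
    for m in ARG.finditer(rest):
        val = next((v for v in (m["sq"], m["dq"], m["bare"]) if v is not None), None)
        args[m["name"]] = True if val is None else val
    return exe, args


def hosts_from_args(args):
    """host -> set of switch names whose value is an http(s) URL on that host."""
    hosts = {}
    for name, val in args.items():
        if isinstance(val, str):
            for m in HOST.finditer(val):
                hosts.setdefault(m["host"].lower(), set()).add(name)
    return hosts


def parse_network(lines):
    """domain -> {dns_query, connections (ip:port), tcp_count}; udp/53 rows are lookups."""
    net = {}
    for line in lines:
        m = NET.match(line.strip())
        if m is None:
            raise ValueError("unrecognised row: " + line)
        e = net.setdefault(m["domain"].lower(),
                           {"dns_query": False, "connections": set(), "tcp_count": 0})
        if m["proto"] == "udp" and m["port"] == "53":
            e["dns_query"] = True
        else:
            e["connections"].add("%s:%s" % (m["ip"], m["port"]))
            e["tcp_count"] += 1
    return net


def reconcile(net, cmd_hosts):
    """(domains no switch explains, domains only looked up, configured hosts never seen)."""
    unexplained = sorted(d for d in net if d not in cmd_hosts)
    lookup_only = sorted(d for d, e in net.items() if e["dns_query"] and not e["connections"])
    not_contacted = sorted(h for h in cmd_hosts if h not in net)
    return unexplained, lookup_only, not_contacted


def indicators(cmdlines, net_rows):
    hosts = {}
    for c in cmdlines:
        for h, names in hosts_from_args(parse_args(c)[1]).items():
            hosts.setdefault(h, set()).update(names)
    net = parse_network(net_rows)
    return hosts, net, reconcile(net, hosts)


if __name__ == "__main__":
    hosts, net, (unexplained, lookup_only, not_contacted) = indicators(CMDLINES, NETWORK_ROWS)
    for d, e in sorted(net.items()):
        print(d, sorted(e["connections"]) or "lookup only", sorted(hosts.get(d, ["no switch"])))
    print("unexplained:", unexplained)
    print("lookup only:", lookup_only)
    print("configured but never contacted:", not_contacted)
```

The "unexplained" list is the one to chase in the binaries or in the downloaded extension code; the "never contacted" list (the hwcdn.net update URL here) still belongs in a blocklist, since the sample carries it for a later update check.
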

Files

\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\System.dll

MD5 00a0194c20ee912257df53bfe258ee4a
SHA1 d7b4e319bc5119024690dc8230b9cc919b1b86b2
SHA256 dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3
SHA512 3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\WrapperUtils.dll

\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\StdUtils.dll

\Users\Admin\AppData\Local\Temp\nsd9CDD.tmp\Ewfmukuhwkg.exe

memory/2872-37-0x0000000000640000-0x0000000000650000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\nsislog.dll

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log

\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\InstallerUtils2.dll

memory/2872-126-0x0000000000680000-0x0000000000690000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log

\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\nsisos.dll

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log

memory/2872-235-0x0000000000680000-0x0000000000689000-memory.dmp

\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\md5dll.dll

\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\InstallerUtils.dll

\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\UserInfo.dll

\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\inetc.dll

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

memory/2872-443-0x0000000003230000-0x0000000003240000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894892.log

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bs4a8d8y.Admin\extensions\b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com\skin\crossrider_statusbar.png

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\ExecDos.dll

memory/2872-1744-0x0000000000680000-0x0000000000689000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

C:\Users\Admin\AppData\Local\Temp\nsdA1BD.tmp\temp_file_after.tmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-25 22:21

Reported

2024-10-25 22:24

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"

Signatures

Checks for common network interception software

evasion

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Component Object Model Hijacking

persistence privilege_escalation

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128}\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A

UPX packed file

upx

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Hello-Notifier\background.html C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\utils.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Program Files (x86)\Hello-Notifier\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-helper.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Installer.log C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\37928.xpi C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil.dll C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-updater.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-buttonutil64.dll C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier.ico C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-codedownloader.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\temp_Hello-Notifier-enabler.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-updater.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File created C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
File opened for modification C:\Windows\Tasks\Hello-Notifier-firefoxinstaller.job C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\regsvr32.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A

NSIS installer

installer

Description Indicator Process Target
N/A N/A N/A N/A

Modifies Internet Explorer settings

adware spyware

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B880924A-6F7C-410D-9563-DDE81EB4F53}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{57643B2C-186B-4D80-8530-20BFD2876F97}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4094F52-AA70-4E12-88E5-68A3F8862066} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4094F52-AA70-4E12-88E5-68A3F8862066}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{57643B2C-186B-4D80-8530-20BFD2876F97}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B880924A-6F7C-410D-9563-DDE81EB4F53}\AppName = "Hello-Notifier-enabler.exe-helper.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{57643B2C-186B-4D80-8530-20BFD2876F97}\AppName = "Hello-Notifier-enabler.exe-buttonutil.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F50395C7-B0F5-4897-84EE-B52923E466F9}\Policy = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{B880924A-6F7C-410D-9563-DDE81EB4F53}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppName = "Hello-Notifier-bg.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\DefaultValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{12835ba8-ee00-4d15-b54a-a933332b83e4}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{A4094F52-AA70-4E12-88E5-68A3F8862066}\AppName = "Hello-Notifier-enabler.exe-codedownloader.exe" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{F50395C7-B0F5-4897-84EE-B52923E466F9} C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Approved Extensions C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0}\AppName = "Hello-Notifier-helper.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{8e0202ae-cd8e-4894-b24e-f2cd7839a7f0}\AppName = "Hello-Notifier-buttonutil.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
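The ElevationPolicy rows above are the basis of the report's privilege_escalation tag. Each {GUID} key under Internet Explorer\Low Rights\ElevationPolicy names a program (AppName under AppPath) and a Policy value that tells IE Protected Mode what to do when a low-integrity tab tries to start it: 0 blocks the launch, 1 launches it at low integrity, 2 prompts the user and on consent launches it at medium integrity, 3 launches it at medium integrity silently. Every Policy value written in this table is 3, and the AppName values name the installer's own helpers (Hello-Notifier-helper.exe, -buttonutil.exe, -buttonutil64.exe, -codedownloader.exe, -bg.exe and the Hello-Notifier-enabler.exe-* entries), with copies written under HKLM, HKLM\WOW6432Node and HKCU. The writes to AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY touch the entry that describes the Protected Mode checkbox on IE's Advanced tab; the report does not establish what the value "PMIL" does there, so those rows deserve a manual look. The script below is an added example, not code from the report, the sandbox or the installer: it parses rows in this report's layout, merges the hive copies of each GUID, and lists which programs were granted a medium-integrity launch and by which process. The sample rows are copied from the table above; the function names and the Policy lookup table are the example's own.

```python
r"""Triage of Internet Explorer Low Rights ElevationPolicy writes.

Added example for this report; it is not code from the report, the sandbox,
or the Hello-Notifier/Crossrider installer. SAMPLE_LOG holds rows copied
from the report table, in the report's own
'<Description> <Indicator> [= "<value>"] <Process> <Target>' layout, which
ROW_RE assumes.
"""
import re
from collections import defaultdict

# Meaning of the Policy value under ...\Low Rights\ElevationPolicy\{GUID}
# (Microsoft, "Understanding and Working in Protected Mode Internet Explorer").
POLICY_MEANING = {
    0: "blocked: Protected Mode prevents the process from launching",
    1: "silently launched as a low-integrity process",
    2: "user is prompted; if allowed, launched as a medium-integrity process",
    3: "silently launched as a medium-integrity process (leaves the Protected Mode sandbox)",
}

ROW_RE = re.compile(
    r'^(?P<desc>Set value \((?:int|str)\)|Key created|Key deleted)\s+'
    r'(?P<path>\\REGISTRY\\.+?)'
    r'(?:\s=\s"(?P<value>.*)")?'
    r'\s(?P<process>[A-Z]:\\[^"]+?\.exe)\s(?P<target>\S+)$'
)
ELEV_RE = re.compile(
    r'\\Low Rights\\ElevationPolicy\\(\{[0-9A-Fa-f-]+\})\\(AppName|AppPath|Policy)$'
)

# Rows copied from the report (a subset of the ElevationPolicy table).
SAMPLE_LOG = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{d0007729-ce2c-4588-ad99-017a0258ae89}\AppName = "Hello-Notifier-buttonutil64.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppName = "Hello-Notifier-codedownloader.exe" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\AppPath = "C:\\Program Files (x86)\\Hello-Notifier" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{7e5bffe2-2164-4778-8938-2ec4e833d3e0}\Policy = "3" C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{cbc148be-08f7-4781-8fc7-fd545f7678f0} C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\AdvancedOptions\CRYPTO\PROTECTEDMODESECURITY\CheckedValue = "PMIL" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
'''


def parse_rows(text):
    """Parse report rows; lines that do not fit the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def elevation_policies(rows):
    """Group AppName/AppPath/Policy writes by GUID, merging the HKLM, HKCU and
    WOW6432Node copies, and record which process wrote each entry."""
    entries = defaultdict(dict)
    writers = defaultdict(set)
    for r in rows:
        m = ELEV_RE.search(r["path"])
        if not m or r["value"] is None:
            continue
        guid = m.group(1).lower()
        entries[guid][m.group(2)] = r["value"]
        writers[guid].add(r["process"])
    return entries, writers


def escapes_protected_mode(entries):
    """Entries whose Policy lets the named program run at medium integrity."""
    findings = []
    for guid, e in sorted(entries.items()):
        policy = int(e.get("Policy", "-1"))
        if policy not in (2, 3):
            continue
        # The report prints the AppPath value JSON-escaped (C:\\Program Files ...).
        app_path = e.get("AppPath", "?").replace("\\\\", "\\")
        findings.append({
            "guid": guid,
            "app": app_path + "\\" + e.get("AppName", "?"),
            "policy": policy,
            "meaning": POLICY_MEANING[policy],
        })
    return findings


def protected_mode_ui_writes(rows):
    """Rows touching the AdvancedOptions entry that describes the Protected Mode
    checkbox on IE's Advanced tab; what writing "PMIL" there achieves is not
    established by the report, so these are surfaced for manual review."""
    return [r for r in rows if "AdvancedOptions\\CRYPTO\\PROTECTEDMODESECURITY" in r["path"]]


if __name__ == "__main__":
    rows = parse_rows(SAMPLE_LOG)
    entries, writers = elevation_policies(rows)
    for f in escapes_protected_mode(entries):
        print(f"{f['guid']} Policy={f['policy']}: {f['app']}")
        print(f"  {f['meaning']}; written by {', '.join(sorted(writers[f['guid']]))}")
    for r in protected_mode_ui_writes(rows):
        print(f"Protected Mode option touched: {r['path']} = {r['value']} by {r['process']}")
```

Run against the full table, the same parser also reveals which GUIDs never receive a Policy value in the captured window (for example the Hello-Notifier-bg.exe entry above), which is worth noting before concluding anything about those programs.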

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Code\AppJavaScript = " /************************************************************************************\n This is your Page Code. The appAPI.ready() code block will be executed on every page load.\n For more information please visit our docs site: http://docs.crossrider.com\n*************************************************************************************/\n\nappAPI.ready(function($) {\n\n // Place your code here (you can also define new functions above this scope)\n // The $ object is the extension's jQuery object\n\n // alert(\"My new Crossrider extension works! The current page is: \" + document.location.href);\n\n});\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\43\Version = "5" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\105 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\104\Name = "jollywallet_m" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\9 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\22\Version = "5" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528}\ = "ICrossriderBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\HomePageUrl = "NA" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\93\JavaScript = "\n//------------------ PLUGIN superfish_no_coupons_m START ------------------\nif(typeof appAPI.internal.monetization===\"undefined\"){appAPI.internal.monetization={};}if(typeof appAPI.internal.monetization.plugins===\"undefined\"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[93]=function(){if(typeof appAPI.internal.monetization.verticals!==\"undefined\"){if(!appAPI.internal.monetization.verticals.shopping){return;}}try{if(!appAPI.dom.isHttps()){appAPI.dom.addRemoteJS({url:\"http://www.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=\"+appAPI.internal.monetization.getSubId()});}}catch(a){throw new Error(\"something_went_wrong_in_superfish_\"+a.message);}};\n//------------------ PLUGIN superfish_no_coupons_m END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\22\JavaScript = "\n//------------------ PLUGIN resources START ------------------\n(function(a){appAPI.queueManager={queue:[],register:function(b){this.queue.push(b);}};appAPI.ready=function(c,b){a.when.apply(null,appAPI.queueManager.queue).then(function(){a.when(appAPI.initializerPlugin.isReady(b)).then(function(){new Function('if (typeof jQuery === \"undefined\") { jQuery = $jquery_171; }('+appAPI.resources.parseIncludeJS(c.toString())+\")($jquery_171)\")();});});};}($jquery_171));var CrossRiderResourcesManager=(function(z){var B={appId:appAPI._cr_config.appID(),url:appAPI._cr_config.resources,env:appAPI.appInfo.environment===\"staging\"?\"staging\":\"production\",saveResource:appAPI.time.daysFromNow(90),nextCheck:360,DBNamespace:\"Resources_\",isDebug:appAPI.debugManager.isDebug()&&appAPI.debugManager.getResourcesPath(),isIE7:z.browser.msie&&z.browser.version*1==7},x=new z.Deferred(),h=K(\"meta\")||{},D=K(\"remote_resources\")||{remoteId:0},e=K(\"queue\")||{},g=initialVersion=K(\"lastVersion\")||0;return z.Class.extend({init:function(){appAPI.queueManager.register(x.promise());if(B.isDebug){x.resolve();}else{z.when(C()).then(function(N){if(N){j();}else{x.resolve();}});}},get:function(N){return t(z.trim(N),\"string\");},getRemote:function(O,N){return k(z.trim(O),N);},getImage:function(N){return t(z.trim(N),\"image\");},parseIncludeJS:function(N){return p(N);},includeCSS:function(O,N){r(z.trim(O),N);},addInlineJS:function(N){d(z.trim(N));},parseTemplate:function(N,O){return b(z.trim(N),O);},createImage:function(N){return E(N);},getJQuery:function(N){return L(N);},getJQueryUI:function(N,O){return q(N,O);},getFolderContent:function(N){return o(N);},requestReload:function(){A(\"nextCheck\",false);},openURL:function(O,N){return 
f(O,N);},setResourceIcon:function(N){return F(N);},setPopup:function(P){if(typeof P.resourcePath===\"string\"){var O=P.resourcePath;if(!B.isDebug){var N=t(O,\"string\");N=N.replace(/appAPI\\.resources\\.includeJS\\((.*?)\\)/g,\"eval(appAPI.resources.get($1))\");P.html=N;appAPI.pageAction.setPopupHTML(P);}else{if(B.isDebug){var Q=appAPI.internal.db.get(\"debug_resources_path\")+O;appAPI.request.get(Q,function(R){P.html=R;appAPI.pageAction.setPopupHTML(P);},function(R){if(R==404){alert(\"Crossrider - missing resource: \"+O);}});}}}else{if(typeof P.html===\"string\"){appAPI.pageAction.setPopupHTML(P);}}},setPages:function(N){if(typeof N.iconResourcePath!==\"undefined\"){N.imageData=t(N.iconResourcePath,\"image\");}if(typeof N.popupResourcePath!==\"undefined\"){N.html=t(N.popupResourcePath,\"string\");}appAPI.pageAction.innerSetPages(N);}});function C(){var N=new z.Deferred(),P=K(\"nextCheck\"),O=K(\"appVer\");if(P&&appAPI.appInfo.version==O){N.resolve(false);}else{appAPI.request.get(w(B.url.base[B.env]+B.url.update.replace(\"{appId}\",B.appId).replace(\"{lastVersion}\",g)),function(Q){var R=G(z.parseJSON(Q));N.resolve(R);});a();}return N.promise();}function G(N){var O=appAPI.time.minutesFromNow(N.nextCheck||B.nextCheck);g=N.lastVersion;if(N.resources){z.each(N.resources,function(P,Q){I(\"resource_\"+Q.id);delete h[J(Q.id)];delete e[J(Q.id)];if(Q.status==1){h[Q.name]=e[Q.name]=Q;}else{if(Q.status==2){}}});}A(\"meta\",h);A(\"queue\",e);A(\"nextCheck\",true,O);A(\"lastVersion\",g);A(\"appVer\",appAPI.appInfo.version);return N.resources;}function j(){var N=[];z.each(e,function(O,P){N.push(u(P));});z.when.apply(null,N).then(function(){n();});}function u(P){var N=new z.Deferred(),O=i(P);if(B.isIE7&&s(P)){N.resolve();}else{appAPI.request.get(O,function(Q){delete e[P.name];A(\"resource_\"+P.id,Q,B.saveResource);A(\"queue\",e);N.resolve();});}return N.promise();}function 
n(){if(initialVersion>0){appAPI.internal.forceUpdate();setTimeout(x.resolve,3000);}else{x.resolve();}}function M(P){var N=i(P),O=appAPI.request.sync.get(N);A(\"resource_\"+P.id,O,B.saveResource);return O;}function t(N,P){N=N.replace(/^\\//,\"\");var R=h[N],O=H(N),Q=\"\";if(B.isDebug){Q=m(N,P);}else{if(B.isIE7&&P==\"image\"){Q=y(R.url);}else{if(R){Q=K(\"resource_\"+R.id);if(Q){v(\"resource_\"+R.id,B.saveResource);}else{Q=M(R);}}}}return Q&&P==\"string\"&&O==\"js\"?p(Q):Q;}function k(O,N){var Q=D[O],P;if(!N){P=appAPI.request.sync.get(O);}else{if(!Q){Q=D[O]=++D.remoteId;A(\"remote_resources\",D);}P=K(\"resource_remote_\"+Q);if(!P){P=appAPI.request.sync.get(O);A(\"resource_remote_\"+Q,P,N);}}return p(P);}function L(N){if(z.trim(N)){var O=B.url.jQuery.url.replace(\"{version}\",z.trim(N));return k(O,appAPI.time.daysFromNow(B.url.jQuery.cacheTime))+\";var jQuery = $ = window.jQuery.noConflict(true); appAPI.internal.initBaseCrossriderJQueryPlugins(jQuery);\";}else{return\"\";}}function q(N,Q){if(z.trim(N)){var O=B.url.jQueryUI.url.replace(\"{version}\",z.trim(N)),P;if(Q){P=B.url.jQueryUI.theme.replace(\"{version}\",z.trim(N)).replace(\"{theme}\",z.trim(Q));appAPI.dom.addRemoteCSS(P);}return k(O,appAPI.time.daysFromNow(B.url.jQuery.cacheTime));}else{return\"\";}}function o(P){var O={path:\"\",fileType:\"\",deep:false};var Q=z.extend({},O,P);var N=[];Q.path=Q.path.replace(/^\\//,\"\");z.each(h,function(R,S){if(S.name.indexOf(Q.path)===0){var T=S.name.replace(Q.path,\"\");var U=(T.split(\"/\").length-1);if(T&&((Q.deep===false&&((Q.path.length>0&&U===1)||(U===0&&Q.path.length===0)))||Q.deep===true)){if(!Q.fileType||(new RegExp(\"\\\\.\"+Q.fileType+\"$\")).test(S.name)){N.push(S.name);}}}});return N;}function a(){z.each(D,function(N,O){if(N!=\"remoteId\"){if(!K(\"resource_remote_\"+O)){delete D[N];}}});A(\"remote_resources\",D);}function m(N,P){var 
Q=appAPI.debugManager.getResourcesPath(),O=P==\"string\"?appAPI.internal.file.get(w(Q+N)).file_content:w(Q+N);if(P==\"string\"&&O==-1){alert(\"Crossrider - missing resource: \"+N);O=\"\";}return O;}function p(N){return N.replace(/appAPI\\.resources\\.includeJS\\((.*?)\\)/g,\"eval(appAPI.resources.get($1))\").replace(/appAPI\\.resources\\.includeRemoteJS\\((.*?)\\)/g,\"eval(appAPI.resources.getRemote($1))\").replace(/appAPI\\.resources\\.jQuery\\((.*?)\\)/g,\"eval(appAPI.resources.getJQuery($1))\").replace(/appAPI\\.resources\\.jQueryUI\\((.*?)\\)/g,\"eval(appAPI.resources.getJQueryUI($1))\");}function d(N){var O=t(N,\"string\");appAPI.dom.addInlineJS(O);}function r(O,N){var P=t(O,\"string\");z('<style type=\"text/css\">'+c(l(P,N))+\"</style>\").appendTo(\"head\");}function c(O){var P=/(resource(?:\\-image)?)\\:\\/\\/(.*?)(\\\"|\\'|\\)|\\;|\\ |\\n|\\r|\\t|$)/gi,N=(/\\@import(?:.*?)url(?:.*?)(resource\\:\\/\\/(?:.*?))(?:\\\"|\\')?\\) ?\\;?/gi);return O.toString().replace(N,\"$1\").replace(P,function(R,Q,T,S){return t(T,/image/.test(Q)?\"image\":\"string\")+S;});}function l(O,N){var N=N||{};N[\"app-id\"]=B.appId;z.each(N,function(P,Q){O=O.replace(new RegExp(\"\\\\{\\\\{\"+P+\"\\\\}\\\\}\",\"g\"),Q);});return O;}function E(N){return z(c(N));}function F(Q){var N=Q.resourcePath;if(!B.isDebug||appAPI.platform==\"IE\"){appAPI.pageAction.setIcon(t(N,\"image\"));}else{if(B.isDebug){var P=appAPI.internal.db.get(\"debug_resources_path\")+N,O=N.replace(/.*\\.([^\\.]+?)$/,\"$1\");appAPI.request.getBinary({url:P,base64:true,successCallback:function(R){appAPI.pageAction.setIcon(\"data:image/\"+O+\";base64,\"+R);},failureCallback:function(R){if(R==404){alert(\"Crossrider - missing resource: \"+N);}else{if(R==-2){alert(\"Crossrider - Your browser does not support for appAPI.resources.setBrowserIcon in DEBUG mode\");}}}});}}}function s(N){return/\\.(?:gif|jpe?g|png)$/.test(N.name);}function i(N){return y(N.url+(s(N)?\".base64\":\"\"));}function H(N){return 
N.substring(N.lastIndexOf(\".\")+1);}function J(O){var N;z.each(h,function(P,Q){if(h[P].id==O){N=P;}});return N;}function A(N,O,P){appAPI.internal.db.set(B.DBNamespace+N,O,P);}function K(N){return appAPI.internal.db.get(B.DBNamespace+N);}function I(N){return appAPI.internal.db.remove(B.DBNamespace+N);}function v(N,O){appAPI.internal.db.updateExpiration(B.DBNamespace+N,O);}function w(N){return N+\"?r=\"+Math.random();}function y(N){return N+\"?ver=\"+g;}function b(N,Q){var O=t(N,\"string\");var P=new Function(\"obj\",\"var p=[],print=function(){p.push.apply(p,arguments);};with(obj){p.push('\"+O.replace(/[\\r\\t\\n]/g,\" \").replace(/'(?=[^%]*%>)/g,\"\\t\").split(\"'\").join(\"\\\\'\").split(\"\\t\").join(\"'\").replace(/<%=(.+?)%>/g,\"',$1,'\").split(\"<%\").join(\"');\").split(\"%>\").join(\"p.push('\")+\"');}return p.join('');\");return P(Q);}function f(P,N){if(typeof P===\"object\"&&typeof P.resourcePath===\"string\"&&typeof N===\"undefined\"){if(typeof P.resourcePath===\"string\"){var O=P.resourcePath;if(!B.isDebug){var R=t(O,\"string\");R=R.replace(/appAPI\\.resources\\.includeJS\\((.*?)\\)/g,\"eval(appAPI.resources.get($1))\");P.resourceContent=R;appAPI.innerOpenURL(P,N);}else{if(B.isDebug){var Q=appAPI.internal.db.get(\"debug_resources_path\")+O;appAPI.request.get(Q,function(S){P.resourceContent=S;appAPI.innerOpenURL(P,N);},function(S){if(S==404){alert(\"Crossrider - missing resource: \"+O);}});}}}}else{appAPI.innerOpenURL(P,N);}}}($jquery_171));(function(a){appAPI.resources=new CrossRiderResourcesManager();if(typeof appAPI.innerOpenURL!==\"undefined\"){appAPI.openURL=appAPI.resources.openURL;}if(typeof appAPI.pageAction!==\"undefined\"){appAPI.pageAction.setResourceIcon=appAPI.resources.setResourceIcon;appAPI.pageAction.setPopup=appAPI.resources.setPopup;appAPI.pageAction.setPages=appAPI.resources.setPages;}}($jquery_171));\n//------------------ PLUGIN resources END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe 
N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\3\Name = "ie8_fix_2" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\CLSID\ = "{11111111-1111-1111-1111-110311791128}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\VersionIndependentProgID C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\94\Version = "2" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\37\JavaScript = "\n//------------------ PLUGIN IEBrowserEvents START ------------------\nif(typeof appAPI===\"undefined\"){appAPI={};}if(typeof appAPI.internal===\"undefined\"){appAPI.internal={};}if(typeof appAPI.internal.callbacks===\"undefined\"){appAPI.internal.callbacks={};}appAPI.internal.browserEventCode=true;window.console.log=appAPI.internal.console.log;console.log=window.console.log;window.console.info=appAPI.internal.console.info;console.info=window.console.info;window.console.warn=appAPI.internal.console.warn;console.warn=window.console.warn;window.console.error=appAPI.internal.console.error;console.error=window.console.error;appAPI.internal.callbacks.setEventHandler(\"openURL\",function(b){if(appAPI.isActiveTab()){var a={url:b.url,where:b.where,focus:(typeof b.focus===\"boolean\"?b.focus:true),height:(typeof b.height===\"number\"?b.height:750),width:(typeof b.width===\"number\"?b.width:750),top:(typeof b.top===\"number\"?b.top:100),left:(typeof b.left===\"number\"?b.left:100)};appAPI.openURL(a);}});appAPI.internal.callbacks.setEventHandler(\"runHelper\",function(b){if(appAPI.isActiveTab()){var a=b;appAPIinternal.run(a);}});(function(){function a(e){var c=appAPI.internal.prefs.getChar(e,\"Crossrider\\\\onBeforeNavigate\");if(typeof c!==\"string\"){return 0;}if(c.length===0){return 0;}c=appAPI.JSON.parse(c);if(typeof c!==\"object\"){return 0;}var d=0;for(var b in c){d++;appAPI.internal.callbacks.addListener(\"onBeforeNavigate\",function(h,g){var k=appAPI.internal.callbacks.onBeforeNavigate.listenersAdditionalData[g];if(typeof k.code!==\"string\"){return;}var j={};var i;if(typeof k.value===\"undefined\"){i=undefined;}else{if(k.value===null){i=null;}else{i=appAPI.JSON.parse(k.value);}}j.pageUrl=h;var f=new Function(\"return 
(\"+k.code+\").apply(this, arguments)\")(j,i);if(typeof f!==\"undefined\"&&f){if(typeof f.redirectTo===\"string\"){if(f.redirectTo){appAPIinternal.blockNavigation();appAPI.openURL(f.redirectTo,\"current\");return false;}}else{if(typeof f.cancel===\"boolean\"){if(f.cancel){appAPIinternal.blockNavigation();return false;}}}}},c[b]);}return d;}appAPI.internal.callbacks.setEventHandler(\"onBeforeNavigate\",function(b){appAPI.internal.callbacks.removeListener(\"onBeforeNavigate\");a(appAPI.appInfo.id);});})();appAPI.internal.callbacks.setEventHandler(\"onRefresh\",function(a){});appAPI.internal.callbacks.setEventHandler(\"onNavigateComplete\",function(a){});appAPI.internal.callbacks.setEventHandler(\"onNavigateError\",function(a){});appAPI.internal.callbacks.setEventHandler(\"onTranslate\",function(a){});appAPI.internal.callbacks.setEventHandler(\"onFirstDocumetComplete\",function(b){var a=b;appAPI.internal.message.send({eventName:\"onTabCreated\",eventContent:{tabId:appAPI.tabId,tabUrl:a}});});appAPI.internal.callbacks.setEventHandler(\"onBhoUnloading\",function(b){var a=b;appAPI.internal.message.send({eventName:\"onTabClosed\",eventContent:{tabId:appAPI.tabId,tabUrl:a}});});\n//------------------ PLUGIN IEBrowserEvents END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\125 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\2\JavaScript = "\n//------------------ PLUGIN ie8_fix_1 START ------------------\n(function(){var b=\"dummy so this plugin won't be empty\";})();\n//------------------ PLUGIN ie8_fix_1 END ------------------\n" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128}\VersionIndependentProgID\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{11111111-1111-1111-1111-110311791128} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\94 C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\105\Version = "3" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
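The Plugins\<n>\JavaScript values in this table are the extension's Crossrider plugin code, stored under IE's AppContainer storage for Hello-Notifier and written by Hello-Notifier-codedownloader.exe. Plugin 93 (superfish_no_coupons_m) loads http://www.superfish.com/ws/sf_main.jsp?... into the page with appAPI.dom.addRemoteJS, but only when appAPI.dom.isHttps() is false, so the injection is confined to plain-HTTP pages; plugin 91 (monetizationLoader.js) carries the campaign, stats, error-reporting and geolocation hosts and a `categories` table of 32-hex-digit strings that look like MD5 digests. The script below is an added example, not code from the report or the extension: it strips the report's JSON-style escaping from those values, lists the hosts they contact, flags the HTTP-only guard, and shows how to test the unverified hypothesis that the category digests are MD5 hashes of site names against a wordlist. The two script values are copied from this table; the candidate names, the category table (which includes a hash of example.com so a match can be demonstrated offline) and all function names are the example's own.

```python
r"""Network indicators from extension JavaScript that the sandbox captured as
registry values (the Plugins\<n>\JavaScript entries in the AppContainer storage).

Added example; not code from the report or from the Hello-Notifier/Crossrider
extension. PLUGIN_93 is the report's Plugins\93\JavaScript value verbatim and
PLUGIN_91_EXCERPT a fragment of Plugins\91 (monetizationLoader.js); both keep
the JSON-style escaping the report prints. CATEGORIES and CANDIDATES are
constructed here.
"""
import hashlib
import re
from urllib.parse import urlsplit

PLUGIN_93 = r'''\n//------------------ PLUGIN superfish_no_coupons_m START ------------------\nif(typeof appAPI.internal.monetization===\"undefined\"){appAPI.internal.monetization={};}if(typeof appAPI.internal.monetization.plugins===\"undefined\"){appAPI.internal.monetization.plugins={};}appAPI.internal.monetization.plugins[93]=function(){if(typeof appAPI.internal.monetization.verticals!==\"undefined\"){if(!appAPI.internal.monetization.verticals.shopping){return;}}try{if(!appAPI.dom.isHttps()){appAPI.dom.addRemoteJS({url:\"http://www.superfish.com/ws/sf_main.jsp?dlsource=hhvzmikw&userId=abc&CTID=\"+appAPI.internal.monetization.getSubId()});}}catch(a){throw new Error(\"something_went_wrong_in_superfish_\"+a.message);}};\n//------------------ PLUGIN superfish_no_coupons_m END ------------------\n'''

PLUGIN_91_EXCERPT = r'''GEO_URL:\"http://ipgeoapi.com/\",BASE_DATE:new Date(2013,0,1),updateInterval:1000*60*60*6,rulesJsonHostUrl:\"http://app.webstaticserv.com/monetization_campaigns/\",statsHostUrl:\"http://stats.mstatsserv.com/monetization.gif?\",errorHostUrl:\"http://errors.myappsync.com/monetization-error.gif?\"'''

# Constructed category table: four digests copied from the report's
# `categories` object plus, under a made-up category, the MD5 of a name we
# know, so the matching logic can be exercised offline.
CATEGORIES = {
    "1": ["d908e50170d7cb46a92fdbff0d73bb5d", "0a64c81275732dcf0eb51fc0fdecfaa7"],
    "2": ["741de45c9e6b64390d2e35375f0f8581", "ee8534b3636068485d7d708e20cf174e"],
    "test": [hashlib.md5(b"example.com").hexdigest()],
}
CANDIDATES = ["example.com", "amazon.com", "ebay.com"]  # constructed wordlist

URL_RE = re.compile(r'https?://[^\s"\'<>)]+')


def unescape_report_string(s):
    """Undo the JSON-style escaping the report applies to registry string values."""
    return s.replace('\\"', '"').replace("\\n", "\n").replace("\\\\", "\\")


def remote_endpoints(js):
    """Hostnames of every http(s) URL literal in the script, sorted."""
    return sorted({urlsplit(u).hostname for u in URL_RE.findall(js)})


def injects_only_on_http(js):
    """True when a remote script load sits behind an !appAPI.dom.isHttps()
    check, i.e. the plugin injects on plain-HTTP pages only. (Plain string
    matching: enough for this minified code, not a general JS analysis.)"""
    return "addRemoteJS" in js and re.search(r"!appAPI\.dom\.isHttps\(\)", js) is not None


def match_category_hashes(categories, candidates):
    """Test the hypothesis that the 32-hex-digit entries are MD5 digests of site
    names: hash each candidate (bare and with a www. prefix) and return
    {name: category} for every digest found in the table."""
    lookup = {d.lower(): cat for cat, digests in categories.items() for d in digests}
    hits = {}
    for name in candidates:
        for variant in (name, "www." + name):
            digest = hashlib.md5(variant.encode()).hexdigest()
            if digest in lookup:
                hits[variant] = lookup[digest]
    return hits


if __name__ == "__main__":
    for label, raw in (("Plugins\\93", PLUGIN_93), ("Plugins\\91", PLUGIN_91_EXCERPT)):
        js = unescape_report_string(raw)
        print(label, "contacts:", ", ".join(remote_endpoints(js)))
        print(label, "HTTP-only injection:", injects_only_on_http(js))
    print("category hash hits:", match_category_hashes(CATEGORIES, CANDIDATES))
```

The hostnames this yields (www.superfish.com, ipgeoapi.com, app.webstaticserv.com, stats.mstatsserv.com, errors.myappsync.com) are the ones to cross-check against the Network section of each behavioral run; a hash-table hit for a real site name would confirm the category hypothesis, while none of the page's own digests is asserted to match anything here.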
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\91\JavaScript = "\n//------------------ PLUGIN monetizationLoader.js START ------------------\n(function(i){if(!appAPI.isBackground&&appAPI.dom&&appAPI.dom.isIframe()){return;}var q=appAPI.utils.MD5;if(!q||!q.encode){q={};q.encode=function(E){return E;};}if(typeof appAPI.internal.monetization===\"undefined\"){appAPI.internal.monetization={};}var z=appAPI.utils;var C={DBNamespace:\"monetization_plugin_\",RULS_JSON_NAMESPACE:\" rules_\",MONETIZATION_PLUGINS_IDS:\"monetization_plugins_ids\",IS_INSTALL_REPORTED:\"is_install_reported_\",STATS_NAMESPACE:\"stats_\",PLUGINS_VERSION:\"plugins_version_\",GEO_URL:\"http://ipgeoapi.com/\",BASE_DATE:new Date(2013,0,1),updateInterval:1000*60*60*6,rulesJsonHostUrl:\"http://app.webstaticserv.com/monetization_campaigns/\",statsHostUrl:\"http://stats.mstatsserv.com/monetization.gif?\",errorHostUrl:\"http://errors.myappsync.com/monetization-error.gif?\",countryName:\"\",reportQueryString:\"\",subID:\"000000000000000000\",reportEvents:{installEventId:0,dailyEventId:1,vertical:2,runningPlugins:6,installVertical:13,impressionsEventId:31,policyAppDefualtInstallEventId:50,policyAppDefualtDailyEventId:51},MIN_PAGE_VIEW:50,PAGE_VIEW:\"monetization_page_view\",pageViewCount:0,PLUGINS_DELAY:\"monetization_plugins_delay\",installationTime:appAPI.installer.getUnixTime()*1000,hoursToMilisec:60*60*1000,DEFUALT_SOURCE_ID:99999,categories:{\"1\":[\"d908e50170d7cb46a92fdbff0d73bb5d\",\"0a64c81275732dcf0eb51fc0fdecfaa7\",\"edb18644366c10cc24c58f6fb14ca9f4\",\"15e39ed909ac8e17ae3cc3c91cd7ae9f\",\"dccefc9affe37ba60b49d0a4789ce042\",\"55a7d0f3833487778c3bdff8b2096e93\",\"0212ae9fc1eeb53f9f641335b804d75e\",\"d5e783fe22abe91aae7179d10a958497\",\"9c8a818246bc677ef54725340e9c5a98\",\"6871592501ed31709e241750c4363fce\",\"1c5e3f677b22b8257c1df15a70e7d
f26\",\"daf4c4488123ddadb30a7adaadb18b54\",\"11fbd0aa23a016619379552c438b081a\",\"fcaed5b82116cd700a0949772ad8ff49\",\"6ac10c5f77cf4309c731a1edca41f357\",\"5c83bc2a9fe11b248ee7a0577c7d8fdd\",\"b4724ce8e3ac8d971ea648c70f1f3a28\",\"5cfdb867e96374c7883b31d6928cc4cb\",\"5bc25469aea12b844db6b49146c3e0ed\",\"15830c2f3218394a63d70b23d235cc1c\",\"7f5e73ea77ef99619089c3857dafdcb4\",\"029c1c42a9160c3cf3db1a687f11ff72\",\"e84400c002083678aa69041045895fae\",\"da0239e7da0330fb26ef37dd1d940044\",\"993439d6f7a4548cae1381c9073cbee1\",\"24414caa6316a5694f77499fa604e5b1\",\"340d70f50a7a4507bc874c8108bb45bc\",\"2e44b2f1bf1b2b87d2be9f94ad2a2a35\",\"5484845885ffd608ebb0ad1ac39434d4\",\"96eb5194f361b233bf8fb9a80267f1de\",\"91e4f116b8a4f5258b982d3c10910bdf\",\"5638298177fc6af5190590244d6d8035\",\"7712b7ac7ec5d5966fb35b1425d0283f\",\"1080cee006e84c91858613ce7dde99fb\",\"428d0f3d623a15db6cacb689e86b4352\",\"8b25ca5c09e10312a1567fb3d7f82c07\",\"84dcb17eaafb9d32908759a607838c8b\",\"fcbed3a6b1e592c8efddf3f925b26b7f\",\"7eae142b683afcf5aee231291c679877\",\"9bcd814058bcf8f6497f0495e0a2fd71\",\"6bb8719fca4581212b3aa47da8755163\",\"adb2121658b69c9a701f270c8faba02f\",\"5694f231cd01d8222d59557c56cef9a7\",\"b7444e183caecfafbc083b01ac3b807f\",\"a7004282e7067fe073c99143415a62df\",\"75061a1f0c82f0f1baefee188478ed1b\",\"7e184fc24f5050abd21b2c6243df3a12\",\"4d1bdc23c5d49f2b5348b4d204776ebd\",\"6f9304b76556b918e7689b49233ea133\",\"9786652fec772cd9bfef720283da5d6a\",\"01bb6f8040640453d2bc9070ec620993\",\"237a4a166d93b46dcdd3abd285efd1d6\",\"06bec2811b138d6a9cf42dcfecfd42ce\",\"4cb50af38589bbb19f348983b678001e\",\"e9a2f50ff9e05ca83dfcf1502e118696\",\"357d9095a866605243d674a4f3106179\",\"3aaafa62954e4babf8db469344db3dfc\",\"da25b0e1d883ac63dbb72560aa315606\",\"3066962d891e0c6e119697ae1dcf13a5\",\"4711d4c71b93bb3c47ed1128fb541cc4\",\"dac440339a2965b7eca2546dcb36d6b7\",\"52acea241dc9383e17cf0d0ccb0bc278\",\"f151ee9ab3003bd4186849cb69779326\",\"89e55d4f580dd044088b9a003110b37a\",\"9e75d000ea21122cfcb747105bd1daf
" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\22\Name = "resources" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO.1\ = "CrossriderApp0037928" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66666666-6666-6666-6666-660366796628}\TypeLib\ = "{44444444-4444-4444-4444-440344794428}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\13\Version = "7" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\42\JavaScript = "\n//------------------ PLUGIN IEInternal START ------------------\n..." C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\38\JavaScript = "\n//------------------ PLUGIN IECallbacks START ------------------\n..." C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\13\JavaScript = "\n//------------------ PLUGIN CrossriderAppUtils START ------------------\n..." C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\ChangePrevious = "false" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\Manifest = "NA" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\46\Url = "http://app-static.crossrider.com/plugins/mins/ie/IETimers.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\41\Version = "7" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\Programmable C:\Windows\system32\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\InprocServer32 C:\Windows\system32\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0\0\win64 C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer\CodeDownloadDomain = "http://app-static.crossrider.com" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\41\JavaScript = "\n//------------------ PLUGIN IEInfo START ------------------\n..." C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\5\Version = "6" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{22222222-2222-2222-2222-220322792228}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{55555555-5555-5555-5555-550355795528} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{66666666-6666-6666-6666-660366796628}\ = "ISandBox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128} C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\43\Url = "http://app-static.crossrider.com/plugins/mins/ie/IEMessaging.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.Sandbox\CurVer\ = "CrossriderApp0037928.Sandbox" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{44444444-4444-4444-4444-440344794428}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\SetNewTab = "false" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\93\Name = "superfish_no_coupons_m" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\AppPluginList = "42,38,46,17,14,78,13,41,44,39,35,43,40,64,2,4,3,1,21,22,182,183,207,72,7,9,5,93,102,104,105,123,125,177,91,28" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{22222222-2222-2222-2222-220322792228}\TypeLib C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\UninstallerOfferUrl = "NA" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Manifest\ThanksUrl = "NA" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\182\Name = "openUrl" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\102\Name = "dealply_m" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Plugins\91\Url = "http://app-static.crossrider.com/plugins/mins/monetization/monetizationLoader.js" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CrossriderApp0037928.BHO\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{11111111-1111-1111-1111-110311791128}\ = "Hello-Notifier" C:\Windows\system32\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\windows_ie_ac_001\Software\Hello-Notifier\Installer\ZData = "0" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3820 wrote to memory of 1604 N/A C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe
PID 1604 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe
PID 1604 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 1604 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe
PID 1604 wrote to memory of 5972 N/A C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1604 wrote to memory of 6136 N/A C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe C:\Windows\SysWOW64\regsvr32.exe
PID 6136 wrote to memory of 1552 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\system32\regsvr32.exe
PID 1604 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{11111111-1111-1111-1111-110311791128} = "1" C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe

"C:\Users\Admin\AppData\Local\Temp\1999c56ab4a4e37c0c4b35f1a859926b1a5c082a12167106de4f955de3f83d25N.exe"

C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe

"C:\Users\Admin\AppData\Local\Temp\nse84C2.tmp\Ewfmukuhwkg.exe"

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-firefoxinstaller.exe" /installxpi /agentregpath='Hello-Notifier' /extensionfilepath='C:\Program Files (x86)\Hello-Notifier\37928.xpi' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=866C711C60FF4E29BE2E3682DF4A00FFIE /verifier=bb05b6a6c70279e09ba65629ea572c8c /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894895 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /waitforbrowser=300 /extensionid=b2c81c06-4b2f-4808-b3ab-ef6f49041f37@f562099a-8022-43b2-aad5-98abd7b264a4.com /extensionversion=0.93 /prefsbranch=ab2c81c064b2f4808b3abef6f49041f37f562099a802243b2aad598abd7b264a4com37928 /updateurl=https://w9u6a2p6.ssl.hwcdn.net/plugin/ff/update/37928.rdf /extensionname='Hello-Notifier' /extensiondesc='Hello Notifier extention' /publishername='Hello-Notifier' /defbro=ie /allusers /allprofiles /checkfflist /autoupdateulr='http://update.srvstatsdata.com/ff_agent_updates/{CAMP_ID}/update.json' /showthankyoupage /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894895.log'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /installapp /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=866C711C60FF4E29BE2E3682DF4A00FFIE /verifier=bb05b6a6c70279e09ba65629ea572c8c /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894895 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894895.log' /downloadfromlocalpath='file://C:\Users\Admin\AppData\Local\Temp\nsh8ADD.tmp\extensionData'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-codedownloader.exe" /updateapp /dontsenddaily /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=866C711C60FF4E29BE2E3682DF4A00FFIE /verifier=bb05b6a6c70279e09ba65629ea572c8c /installerversion=1_34_1_29 /installerfullversion=1.34.1.29 /installationtime=1729894895 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /codedownloaddomain=http://app-static.crossrider.com /defbro=ie /allusers /runfrom=installer-update /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894895.log'

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"

C:\Windows\system32\regsvr32.exe

/s "C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bho64.dll"

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-bg.exe" /executebg /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894895.log'

C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe

"C:\Program Files (x86)\Hello-Notifier\Hello-Notifier-enabler.exe" /enablebho /agentregpath='Hello-Notifier' /appid=37928 /srcid='000249' /subid='0' /zdata='0' /bic=866C711C60FF4E29BE2E3682DF4A00FFIE /verifier=bb05b6a6c70279e09ba65629ea572c8c /installerversion=1_34_1_29 /installationtime=1729894895 /statsdomain=http://stats.srvstatsdata.com /errorsdomain=http://errors.srvstatsdata.com /bhoguid=11111111-1111-1111-1111-110311791128 /defbro=ie /allusers /autoupdateulr='http://update.srvstatsdata.com/ie_enable_agent_updates/{CAMP_ID}/update.json' /runfrom='installer' /externallog='C:\Users\Admin\AppData\Local\Temp\Hello-NotifierInstaller_1729894895.log'

Network


Files


Analysis: behavioral3

Detonation Overview

Submitted

2024-10-25 22:21

Reported

2024-10-25 22:24

Platform

win7-20240903-en

Max time kernel

119s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\StdUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1372 -s 220

Network

N/A

Files

N/A