da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e

Analysis

max time kernel
148s
max time network
190s
platform
windows7_x64
resource
win7-20220414-en
submitted
20-05-2022 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
Size

15.8MB
MD5

7d0a83642db17ab6b57da5624dbf52ab
SHA1

c82ccc85a07dbc9a7b2e0e2ce3c3df0c3a649cbc
SHA256

da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e
SHA512

6973c12094ace46245f9e3f742ae12072d3e259988af67c1d0d281a592b511b7b9822c06d79ef634307bddd0e2ccc893ed9873915e977361895e752e15552787

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

Processes:

cmd.exeSmartDefrag.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	cmd.exe
File created	C:\Windows\system32\drivers\SmartDefragDriver.sys	SmartDefrag.exe

Executes dropped EXE 16 IoCs

Processes:

Patch.exelicense.exeConfig.exesmart-defrag-setup.exesmart-defrag-setup.tmpLocalLang.exeSmartDefrag.exeSetup.exeSmartDefrag.exeUninstallPromote.exeSmartDefrag.exeCleanTask.exeCareScan.exeCyberMania.exeAutoUpdate.exePubMonitor.exe

pid	process
336	Patch.exe
1796	license.exe
576	Config.exe
1296	smart-defrag-setup.exe
1748	smart-defrag-setup.tmp
880	LocalLang.exe
832	SmartDefrag.exe
1528	Setup.exe
968	SmartDefrag.exe
1808	UninstallPromote.exe
1788	SmartDefrag.exe
1320	CleanTask.exe
1072	CareScan.exe
1728	CyberMania.exe
1104	AutoUpdate.exe
1564	PubMonitor.exe

Loads dropped DLL 64 IoCs

Processes:

da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.execmd.exesmart-defrag-setup.exesmart-defrag-setup.tmpSmartDefrag.exeSmartDefrag.exeSmartDefrag.exeCareScan.exeUninstallPromote.exe

pid	process
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1492	cmd.exe
1492	cmd.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1296	smart-defrag-setup.exe
1748	smart-defrag-setup.tmp
1748	smart-defrag-setup.tmp
1748	smart-defrag-setup.tmp
1748	smart-defrag-setup.tmp
1748	smart-defrag-setup.tmp
1748	smart-defrag-setup.tmp
1748	smart-defrag-setup.tmp
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
1748	smart-defrag-setup.tmp
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
1788	SmartDefrag.exe
968	SmartDefrag.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
968	SmartDefrag.exe
1072	CareScan.exe
1072	CareScan.exe
1072	CareScan.exe
1808	UninstallPromote.exe
1808	UninstallPromote.exe
1808	UninstallPromote.exe
1808	UninstallPromote.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

SmartDefrag.exe

description	ioc	process
File opened (read-only)	\??\L:	SmartDefrag.exe
File opened (read-only)	\??\M:	SmartDefrag.exe
File opened (read-only)	\??\N:	SmartDefrag.exe
File opened (read-only)	\??\T:	SmartDefrag.exe
File opened (read-only)	\??\V:	SmartDefrag.exe
File opened (read-only)	\??\Y:	SmartDefrag.exe
File opened (read-only)	\??\E:	SmartDefrag.exe
File opened (read-only)	\??\G:	SmartDefrag.exe
File opened (read-only)	\??\W:	SmartDefrag.exe
File opened (read-only)	\??\F:	SmartDefrag.exe
File opened (read-only)	\??\H:	SmartDefrag.exe
File opened (read-only)	\??\I:	SmartDefrag.exe
File opened (read-only)	\??\K:	SmartDefrag.exe
File opened (read-only)	\??\O:	SmartDefrag.exe
File opened (read-only)	\??\P:	SmartDefrag.exe
File opened (read-only)	\??\Q:	SmartDefrag.exe
File opened (read-only)	\??\U:	SmartDefrag.exe
File opened (read-only)	\??\X:	SmartDefrag.exe
File opened (read-only)	\??\J:	SmartDefrag.exe
File opened (read-only)	\??\R:	SmartDefrag.exe
File opened (read-only)	\??\S:	SmartDefrag.exe
File opened (read-only)	\??\Z:	SmartDefrag.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

SmartDefrag.exe

description ioc process

File opened for modification \??\PhysicalDrive0 SmartDefrag.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SmartDefrag.exe

Drops file in System32 directory 2 IoCs

Processes:

SmartDefrag.exe

description	ioc	process
File created	C:\Windows\system32\SmartDefragBootTime.exe	SmartDefrag.exe
File opened for modification	C:\Windows\system32\SmartDefragBootTime.exe	SmartDefrag.exe

Drops file in Program Files directory 64 IoCs

Processes:

smart-defrag-setup.tmpSmartDefrag.exeCareScan.exeSmartDefrag.exelicense.exeAutoUpdate.exe

description	ioc	process
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-DK3IE.tmp	smart-defrag-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\Smart Defrag\TaskApp.log	SmartDefrag.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-5LESM.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-LVP0U.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-BJIT2.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\drivers\win10_x86\is-K7ULR.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\database\StartupInfoBlack.db	CareScan.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-S27ET.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\drivers\win7_x86\is-LIAFV.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-O9T1T.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Update\is-AQ4T1.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\LatestNews\imagenews.tmp	SmartDefrag.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\skin\is-175RI.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-1JGB0.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\drivers\win8_x86\is-12GQ1.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\drivers\win8_x64\is-F3I1F.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-JKL08.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\DB\is-S2SHD.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Extension\is-HSB06.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\TaskApp.log	SmartDefrag.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\LatestNews\LatestNews.ini	SmartDefrag.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\database\startupSignature.db	CareScan.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\LatestNews\imagenews_B.tmp	SmartDefrag.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\DB\is-3A7PS.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-32JVO.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-LMONJ.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-Q3L91.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-3TMFA.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-S8UEE.tmp	smart-defrag-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\Smart Defrag\Update\Update.ini	SmartDefrag.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\database\Opt.dbd	CareScan.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-V08IF.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\DB\is-7MQ56.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-7P1U3.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-LV79R.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Update\is-N1OCP.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Update\Update_temp.ini	SmartDefrag.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\database\Reg.dbd	CareScan.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\license.dat	license.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-77BMO.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-QNBST.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\drivers\wlh_x86\is-FVSCU.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\database\startupBlack.db	CareScan.exe
File opened for modification	C:\Program Files (x86)\IObit\Smart Defrag\Lang.dat	AutoUpdate.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\unins000.dat	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-QO261.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-7ROSF.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-795S4.tmp	smart-defrag-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\Smart Defrag\Update\Update.ini	AutoUpdate.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\drivers\wlh_x64\is-GO3RG.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\drivers\win10_x64\is-C296G.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-1DEHO.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\database\StartupDRate.db	CareScan.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-2DILS.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\DB\is-MGSGE.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-O6PI6.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-4H67D.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-6E9S5.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\unins000.msg	smart-defrag-setup.tmp
File opened for modification	C:\Program Files (x86)\IObit\Smart Defrag\Lang.dat	SmartDefrag.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\Update\Update.ini	AutoUpdate.exe
File created	C:\Program Files (x86)\IObit\Smart Defrag\Database\is-Q3T07.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\Language\is-IU2T5.tmp	smart-defrag-setup.tmp
File created	C:\Program Files (x86)\IObit\Smart Defrag\is-AMNSA.tmp	smart-defrag-setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

632 taskkill.exe
860 taskkill.exe
944 taskkill.exe
1528 taskkill.exe

pid	process
632	taskkill.exe
860	taskkill.exe
944	taskkill.exe
1528	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

Processes:

IEXPLORE.EXEiexplore.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "70"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cybermania.ws\ = "44"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\cybermania.ws\Total = "44"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F6593500-D7FA-11EC-A0BC-6AE9FCDE30C7} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\cybermania.ws\Total = "70"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cybermania.ws\ = "70"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\cybermania.ws\Total = "15"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\cybermania.ws	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\cybermania.ws\NumberOfSubdomains = "1"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "15"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cybermania.ws	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "44"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.cybermania.ws\ = "15"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2277218442-1199762539-2004043321-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

SmartDefrag.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SmartDefrag.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	SmartDefrag.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	SmartDefrag.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

SmartDefrag.exeSmartDefrag.exeUninstallPromote.exeSmartDefrag.exeCareScan.exeAutoUpdate.exePubMonitor.exe

pid	process
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
832	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
1808	UninstallPromote.exe
1808	UninstallPromote.exe
968	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1788	SmartDefrag.exe
1808	UninstallPromote.exe
1808	UninstallPromote.exe
1072	CareScan.exe
1072	CareScan.exe
1808	UninstallPromote.exe
1104	AutoUpdate.exe
1104	AutoUpdate.exe
1564	PubMonitor.exe
1564	PubMonitor.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460

pid	process
460
460

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	632	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	944	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

smart-defrag-setup.tmpSetup.exeSmartDefrag.exeiexplore.exe

pid	process
1748	smart-defrag-setup.tmp
1528	Setup.exe
1528	Setup.exe
1528	Setup.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
1600	iexplore.exe

Suspicious use of SendNotifyMessage 9 IoCs

Processes:

Setup.exeSmartDefrag.exe

pid	process
1528	Setup.exe
1528	Setup.exe
1528	Setup.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe
968	SmartDefrag.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

UninstallPromote.exeiexplore.exeIEXPLORE.EXE

pid	process
1808	UninstallPromote.exe
1808	UninstallPromote.exe
1600	iexplore.exe
1600	iexplore.exe
960	IEXPLORE.EXE
960	IEXPLORE.EXE
960	IEXPLORE.EXE
960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exePatch.execmd.exe

description	pid	process	target process
PID 1712 wrote to memory of 336	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	Patch.exe
PID 1712 wrote to memory of 336	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	Patch.exe
PID 1712 wrote to memory of 336	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	Patch.exe
PID 1712 wrote to memory of 336	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	Patch.exe
PID 1712 wrote to memory of 336	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	Patch.exe
PID 1712 wrote to memory of 336	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	Patch.exe
PID 1712 wrote to memory of 336	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	Patch.exe
PID 336 wrote to memory of 1492	336	Patch.exe	cmd.exe
PID 336 wrote to memory of 1492	336	Patch.exe	cmd.exe
PID 336 wrote to memory of 1492	336	Patch.exe	cmd.exe
PID 336 wrote to memory of 1492	336	Patch.exe	cmd.exe
PID 1492 wrote to memory of 1812	1492	cmd.exe	attrib.exe
PID 1492 wrote to memory of 1812	1492	cmd.exe	attrib.exe
PID 1492 wrote to memory of 1812	1492	cmd.exe	attrib.exe
PID 1492 wrote to memory of 1812	1492	cmd.exe	attrib.exe
PID 1492 wrote to memory of 1768	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1768	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1768	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1768	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 860	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 860	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 860	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 860	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 520	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 520	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 520	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 520	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1472	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1472	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1472	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1472	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 944	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 944	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 944	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 944	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 548	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 548	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 548	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 548	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1372	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1372	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1372	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1372	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1528	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1528	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1528	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1528	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1384	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1384	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1384	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1384	1492	cmd.exe	find.exe
PID 1492 wrote to memory of 1796	1492	cmd.exe	license.exe
PID 1492 wrote to memory of 1796	1492	cmd.exe	license.exe
PID 1492 wrote to memory of 1796	1492	cmd.exe	license.exe
PID 1492 wrote to memory of 1796	1492	cmd.exe	license.exe
PID 1492 wrote to memory of 576	1492	cmd.exe	Config.exe
PID 1492 wrote to memory of 576	1492	cmd.exe	Config.exe
PID 1492 wrote to memory of 576	1492	cmd.exe	Config.exe
PID 1492 wrote to memory of 576	1492	cmd.exe	Config.exe
PID 1712 wrote to memory of 1296	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	smart-defrag-setup.exe
PID 1712 wrote to memory of 1296	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	smart-defrag-setup.exe
PID 1712 wrote to memory of 1296	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	smart-defrag-setup.exe
PID 1712 wrote to memory of 1296	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	smart-defrag-setup.exe
PID 1712 wrote to memory of 1296	1712	da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe	smart-defrag-setup.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exe

pid process

1812 attrib.exe

pid	process
1812	attrib.exe

C:\Users\Admin\AppData\Local\Temp\da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe
"C:\Users\Admin\AppData\Local\Temp\da4925500fbf1b2ddb620a5e44339335e6499e51f0fed9bf93b897ff667e4c9e.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1712

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:336

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\000VTO24.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch.exe" "
3⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1492

C:\Windows\SysWOW64\attrib.exe
attrib -s -h -r C:\Windows\System32\Drivers\etc\hosts
4⤵
- Views/modifies file attributes
PID:1812

C:\Windows\SysWOW64\find.exe
FIND /C /I "Smart Defrag Host Block" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:1768

C:\Windows\SysWOW64\find.exe
FIND /C /I "idb.iobit.com" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:860

C:\Windows\SysWOW64\find.exe
FIND /C /I "asc55.iobit.com" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:520

C:\Windows\SysWOW64\find.exe
FIND /C /I "is360.iobit.com" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:1472

C:\Windows\SysWOW64\find.exe
FIND /C /I "asc.iobit.com" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:944

C:\Windows\SysWOW64\find.exe
FIND /C /I "pf.iobit.com" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:548

C:\Windows\SysWOW64\find.exe
FIND /C /I "iunins.iobit.com" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:1372

C:\Windows\SysWOW64\find.exe
FIND /C /I "sd.iobit.com" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:1528

C:\Windows\SysWOW64\find.exe
FIND /C /I "Defrag Host Block Finish" C:\Windows\system32\drivers\etc\hosts
4⤵
PID:1384

C:\Users\Admin\AppData\Local\Temp\qb6C715A.F8\license.exe
C:\Users\Admin\AppData\Local\Temp\qb6C715A.F8\license.exe
4⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:1796

C:\Users\Admin\AppData\Local\Temp\qb6C715A.F8\Config.exe
C:\Users\Admin\AppData\Local\Temp\qb6C715A.F8\config.exe
4⤵
- Executes dropped EXE
PID:576

C:\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe" /sp- /silent /suppressmsgboxes /start
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1296

C:\Users\Admin\AppData\Local\Temp\is-B8S3G.tmp\smart-defrag-setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-B8S3G.tmp\smart-defrag-setup.tmp" /SL5="$2017C,15031166,137216,C:\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe" /sp- /silent /suppressmsgboxes /start
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
PID:1748

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" -f -im SmartDefrag.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" -f -im SDInit.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:860

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" -f -im sdproxy.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:944

C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\System32\taskkill.exe" -f -im AutoUpdate.exe
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Program Files (x86)\IObit\Smart Defrag\LocalLang.exe
"C:\Program Files (x86)\IObit\Smart Defrag\LocalLang.exe"
4⤵
- Executes dropped EXE
PID:880

C:\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe
"C:\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe" /AFTERINSTALL
4⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:832

C:\Program Files (x86)\IObit\Smart Defrag\Setup.exe
"C:\Program Files (x86)\IObit\Smart Defrag\Setup.exe" /SilenceCall
5⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1528

C:\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe
"C:\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe" /startup
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:968

C:\Program Files (x86)\IObit\Smart Defrag\CareScan.exe
"C:\Program Files (x86)\IObit\Smart Defrag\CareScan.exe" /SD
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1072

C:\Program Files (x86)\IObit\Smart Defrag\AutoUpdate.exe
"C:\Program Files (x86)\IObit\Smart Defrag\AutoUpdate.exe" /check
5⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Program Files (x86)\IObit\Smart Defrag\Pub\PubMonitor.exe
"C:\Program Files (x86)\IObit\Smart Defrag\Pub\PubMonitor.exe" /SD
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1564

C:\Program Files (x86)\IObit\Smart Defrag\UninstallPromote.exe
"C:\Program Files (x86)\IObit\Smart Defrag\UninstallPromote.exe" /install sd6
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1808

C:\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe
"C:\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe" /CREATETOAST
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1788

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CleanTask.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CleanTask.exe"
2⤵
- Executes dropped EXE
PID:1320

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\800IDVMO.bat" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CleanTask.exe" "
3⤵
PID:1784

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1756

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "\SmartDefrag_Update" /f
4⤵
PID:640

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo y"
4⤵
PID:1108

C:\Windows\SysWOW64\schtasks.exe
schtasks /delete /tn "\IObitSelfCheckTask" /f
4⤵
PID:1440

C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberMania.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberMania.exe"
2⤵
- Executes dropped EXE
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c C:\Users\Admin\AppData\Local\Temp\bt2042.bat "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberMania.exe"
3⤵
PID:1176

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.cybermania.ws/
4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1600

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
5⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Hidden Files and Directories

T1158

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Hidden Files and Directories

T1158

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\IObit\Smart Defrag\GameScaner.dll
Filesize
1.5MB

MD5
31536112714cf2281686ed18cb75194e

SHA1
ff9037e6596637c86536a37b56dcf6267ce47bd3

SHA256
389813cfb7b8621ffca020cbb3740c2ceaf1f186feb491ae477f670f1220028b

SHA512
bf2b59a5db89793f2adc2cfcf596db7e892d84a5a70cf02666079595ba52f3918e6ebdd8e08fab7eb55f8ce760466486381ab65d1de61f352e1bbf92362767eb

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\LocalLang.exe
Filesize
177KB

MD5
62f63cffd57880b2d09bf09a1e5157c2

SHA1
d2f318fb27a6e515f1b2fbf28a873f898cdd1b60

SHA256
9793afd3d18927b8dcbdd8d9082cef3d65074a064bd6283382eb4c8d47ec3b20

SHA512
cdd579b4973782f02748951e9a10132eff194c8d77789265a3853cb874bb1217912430bdcc84f081f7f8059f4d4f8e6d0de5a5e5840d4e96bec13da0470864f3

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\ProductStatistics.dll
Filesize
1.1MB

MD5
5266e1184dfe17cbafd9db2ced614d0f

SHA1
3c2b328ea26ec70c959f8e25c725162eda084a01

SHA256
2a80f1f875b6f605c5532f7322f77ba32469a5dec182ef4aaaca4102199f3ce1

SHA512
717c96dbab2fa519557476449f1f9700f531d35fe15cd8eadfc662e9172387d8aaca624264467c5b8d8b886b28c9cf172e6e639cd4241a0b073d5055e57e7c93

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\RegisterCom.dll
Filesize
1021KB

MD5
c23e5d330119dc4de38103bdba64d4a2

SHA1
be377c600209f6e0ef702b67d39767225570c2d0

SHA256
6a8e6c58adf040ea0884155aa8cc7a7497eae47ec1499ae70fc3dccef0942022

SHA512
0eaeea09412fc2d0f72873b7c340d2e92afa86ec0217f6036ec33d0819a2d267d0192d90c896e9bf5f536107b1fa2d826b6091ebb9776502f84887092b04bc7e

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\SDDriverMgr.dll
Filesize
83KB

MD5
aee39371634b755aa3d661baa74ba264

SHA1
552844208397f158f30d8824a6ecc0c8686e97a1

SHA256
9eab8185c5cc0eed5adaec9a179afab16e7a3048f45f219852f2dd6e7eb4ab7c

SHA512
798ed421e031ab0401de547bfbf2466a1e7bc5197a782efbe727dd532285efaea2126b26e19b330412bba5d49536e448376a991db951f0cf0d8c9aca2768a936

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe
Filesize
5.5MB

MD5
73d85ec96a0fbb274e87f1dc5ae30838

SHA1
af9b0a90cb4afb35f9a152f94fd42767f51229aa

SHA256
74039d17d22e0390f577f6e57bcd288a97e2969f725466cdf18f3fc4996dddb8

SHA512
9af26c71bb7a93244fb1991792340413581218f90a9749e6e7fe06b80f71fa122e648b7a9220d329191be72acbce8c0c4a7e57a81a251e8b8b3dc87a0ebfbe61

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe
Filesize
5.5MB

MD5
73d85ec96a0fbb274e87f1dc5ae30838

SHA1
af9b0a90cb4afb35f9a152f94fd42767f51229aa

SHA256
74039d17d22e0390f577f6e57bcd288a97e2969f725466cdf18f3fc4996dddb8

SHA512
9af26c71bb7a93244fb1991792340413581218f90a9749e6e7fe06b80f71fa122e648b7a9220d329191be72acbce8c0c4a7e57a81a251e8b8b3dc87a0ebfbe61

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\Update\Update.ini
Filesize
5KB

MD5
2cd92cbd869471f4b505ae16c1e42a51

SHA1
c44334c1dd0180de3368e510a2bce8a6feed5f02

SHA256
90138ea4df4d964fa89b1589d8e37617f8eb3f6febfa199fcd2aa58efa2bb2aa

SHA512
e29b099605c16c3054223fb37cc0da0b2ce8410282480ed9e9990b906e6b8e1ddb6eb3739c3d0124f17ec5c2b6a5290b6293828d914e9d875f3175fce9799998

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\dataexchange.dll
Filesize
73KB

MD5
cf370248212f07882e2d8468d2325f19

SHA1
86cb05c7bac9e47319291a1a972009d9ca318bd3

SHA256
0ed32b5fcd774fdf7c7dcdfb8f5e2ebd12979226bf20e1b80ba553dfd9c7875c

SHA512
70875e795b2028b695a67e7f32418f1c2d6ee8dc22abe2f3264bdcdf167ee13999eb283b1044bf1cfb3155bd9f40e01db2b7de431f63063317b60dd5b23cee62

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\rtl120.bpl
Filesize
1.1MB

MD5
0bb593d71d750ef578c0deb9bee3f6ab

SHA1
bdf4dd3f7f10e6049d49fa69f90a4adb8202878f

SHA256
581cc5a6f3cd6bffbbaa2647a1a81fb62cf3887dbb27084da8bf38920144fdaa

SHA512
b9d7edeecbe643bb2279ed3c986c7a30310d4897980d2e3be93e428b09884fd65fb5b962118813c406a13aa56770996f5fa27f7caf77c8369657330b7091305f

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\sdassist.dll
Filesize
198KB

MD5
d5b0f3283d4a86300a2f4acd9dc362c3

SHA1
bb789b4218261bdfb05640f44dcd0132099f8707

SHA256
d07457185e16a751a7aeff0e74c54fe66c8db345a027ee1b4793d5f4889e3623

SHA512
4cf3b923f8e2e9b62e94d00bb3329c493ebc3394ee109ad93f8fc37f9c0d3c5eb1cb7b80d1b72703207efa2efea669bb512f231dc0198ddd8e2a051ee6628364

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\sdcore.dll
Filesize
210KB

MD5
c982c324cef0bf7dff52d42e4fce0215

SHA1
8533a858a8639d72940ea806b8bcf91df806b65c

SHA256
7a363f084ff4f56c290ca5d27552232b5a2afc4ecc6c0bd5b8a281edfa2f6d0c

SHA512
8c0fea19f808ab990e92c553814c1343542522331b258bedcbf6ceaf6ae50aba7851b37d9f9e752c5b9e306c685564eeac0dbed9de6c3fa74ee4abf529ce359d

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\vcl120.bpl
Filesize
1.9MB

MD5
a74f501d75e780441b657c241ffb1975

SHA1
5b63178ef11f0afad87b1890f33cec64dfd70fb3

SHA256
6c7499006af181d5d4a619587723cb16f8c572ee0170b611c520f7e6dba2391f

SHA512
51336ff165e8d6dd9ce928b66ef1d0534cb6be3f3f67e8e7af63b7b64b7724c9be8b54329758b99e5936b9fd6e2a5901f40226710add053502d4aba8b7919722

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\vclx120.bpl
Filesize
217KB

MD5
bcb2d3ebc821f37b781df7862f53a199

SHA1
fb8a2bdd53b7bf7c139db20e32b698d4fc39deae

SHA256
c2002724a02549254618201db1a023f50bc0f09a107e08d7ef6185e78fa9e8bc

SHA512
a9d1f7fa9ac31a0ef386101aff61b5ddaf2b2e74616af83cae342fe1ad8d8f69a3953fb61b48d0f5872896bb11414fc8133d3dca1c2bd9ac359fdb0d70311605

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\webres.dll
Filesize
878KB

MD5
73ed8d10da94e13c4a62aaccbeceb88f

SHA1
666155fbfb0400a30071f93446162d25b3187f09

SHA256
0b40f5be83e058003e3f4f9b5a3f0bd7849faa69a812cc08dde49c94102ef8e5

SHA512
c3a85cc0e89b34a5898001551bab946b2af47c336b4281c480e5fdfa1d92c4da719459c182f836a12484a81a14f7e79815cf0ffcc95f6c2829a7fc4ddd0fae41

Download Submit
C:\Program Files (x86)\IObit\Smart Defrag\winid.dat
Filesize
697B

MD5
930118af6862af749ca83e8610635753

SHA1
4e86629bb7bf8d2d3e68305c24278cf7e50d47ad

SHA256
136bc03080c34ef2305c3f221832ada614d7e59c0afe16b5df9fb9aaf8e547f4

SHA512
0d565d14d737d09f79d725cbb918f1ce0cece1b86b5fd9f037ac7da4caba10bc8aa5fac640084164e7807b0a9b702f62fc5613066f8ee316f5bb677ee82f8f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\000VTO24.bat
Filesize
1KB

MD5
b9c17a48a3e579590c0afdbc06ceea3b

SHA1
e44276eede0b69f641df03a4681d3bb6c7dc0d13

SHA256
f9c22236aa4dea24feac70ae26abee974264fd39416071b268f6edd266fa2fa2

SHA512
4dbfe3352cbcbd337c2b5189b016dea31a72629d8733e444ad6d25791a52ee9693c9da2a00716198a3e25b3a7f79100f42af29160d8c656f8b47a70eaa38a21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Patch.exe
Filesize
1.1MB

MD5
18eb6378e1e21c3820f967e014aeb6b1

SHA1
828c51838633e09407b35e90f3b6fb32c69e05bd

SHA256
ed32d9f47d4fff72bf30fa271be48349729efd72053d5b6cb682f933064babe0

SHA512
e9345bf038c9e7d1d31eec0a2ac7629e296a1d686873a4d8b0d7bff4fa15bd1d4769c8074457f73c9ecb6095447dd7fd4be0db4c71a307ddfbb75ed90a975525

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe
Filesize
14.9MB

MD5
f5cc3dcefa28335694ccc19dcf5b4e61

SHA1
dfe5f854a10c18aa27d80d1ca019435dfa4724b9

SHA256
bfbd369fbb445c40dd168003b3e1cd301714a12e826c8ff65707b8f339daf2ae

SHA512
fcf912a7d8a75db532ada001c469041a2f0f6c663f8355c88e01a723785cea66ec18c620580e05c073015f98051e6e74cd27b02a325107ef60e60665c5a61733

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe
Filesize
14.9MB

MD5
f5cc3dcefa28335694ccc19dcf5b4e61

SHA1
dfe5f854a10c18aa27d80d1ca019435dfa4724b9

SHA256
bfbd369fbb445c40dd168003b3e1cd301714a12e826c8ff65707b8f339daf2ae

SHA512
fcf912a7d8a75db532ada001c469041a2f0f6c663f8355c88e01a723785cea66ec18c620580e05c073015f98051e6e74cd27b02a325107ef60e60665c5a61733

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B8S3G.tmp\smart-defrag-setup.tmp
Filesize
1.2MB

MD5
55accee2e490cee39e5545c17a961795

SHA1
73f81789c23e80a2d0730378793a02faa3e594c2

SHA256
02cc46584d2e30bb32b969dca8332dec5b8a2051f4e0fae235e152abfb6f9a76

SHA512
397780770974e13c4c7c9cd51f4b45fa4292b8871bf53d84d2b5405505dc669d527111465070360afbfa25d63eafaa6beca464ec3256eca376961fbf6628f5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-B8S3G.tmp\smart-defrag-setup.tmp
Filesize
1.2MB

MD5
55accee2e490cee39e5545c17a961795

SHA1
73f81789c23e80a2d0730378793a02faa3e594c2

SHA256
02cc46584d2e30bb32b969dca8332dec5b8a2051f4e0fae235e152abfb6f9a76

SHA512
397780770974e13c4c7c9cd51f4b45fa4292b8871bf53d84d2b5405505dc669d527111465070360afbfa25d63eafaa6beca464ec3256eca376961fbf6628f5ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb6C715A.F8\Config.exe
Filesize
374KB

MD5
ccbe3afbc45a336fbd85dd6253bf010f

SHA1
66404313b89d7e0c9e76c39f919a99153118b104

SHA256
49923ae54f6fb4cd944e303b9be1ccf97da1e927bd5338bf3a572302843bb996

SHA512
84c43e0c58027e632f672c7043269fd9babb7c36b2105c9fe86461ace21ef8136ac90721b4b4688b03b456b72139b3aba54c2216004cd33ae4d8a350698f1263

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb6C715A.F8\Config.exe
Filesize
374KB

MD5
ccbe3afbc45a336fbd85dd6253bf010f

SHA1
66404313b89d7e0c9e76c39f919a99153118b104

SHA256
49923ae54f6fb4cd944e303b9be1ccf97da1e927bd5338bf3a572302843bb996

SHA512
84c43e0c58027e632f672c7043269fd9babb7c36b2105c9fe86461ace21ef8136ac90721b4b4688b03b456b72139b3aba54c2216004cd33ae4d8a350698f1263

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb6C715A.F8\license.exe
Filesize
373KB

MD5
90a078498008102668441909b6c695c2

SHA1
fce5f386a2cfd476f5d151b8b628407dbb55d0a2

SHA256
c15813f091f6faad0f9b8fbfcda17403695819273cae426485177082609a8744

SHA512
a5b1ce3111882c5b80744753230a6151749e4947815bcc6c8db7a3cfdc65eaf1f903658ecf6a6d6885445a0b0321291962e4e16528eea2d858c363386437edf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\qb6C715A.F8\license.exe
Filesize
373KB

MD5
90a078498008102668441909b6c695c2

SHA1
fce5f386a2cfd476f5d151b8b628407dbb55d0a2

SHA256
c15813f091f6faad0f9b8fbfcda17403695819273cae426485177082609a8744

SHA512
a5b1ce3111882c5b80744753230a6151749e4947815bcc6c8db7a3cfdc65eaf1f903658ecf6a6d6885445a0b0321291962e4e16528eea2d858c363386437edf3

Download Submit
C:\Users\Admin\AppData\Roaming\IObit\Smart Defrag\Config.ini
Filesize
4KB

MD5
fdea0ee0206bd26e96627513014b3c1d

SHA1
9075e20cd8fea7ed0a0c15ad13214a0541324ecb

SHA256
783f765f872def68c1c487b075839c78b06557e91d369825c683864a7cd678b4

SHA512
40fa0ca94f8896745c46741c60dd91a5eec4390bf9f1e223f0d495e57f3743d889d16ef44025ada492c8ef2a1c5eac4c7f9375e97c68a5bd77ba5fdc2ed201ec

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
874B

MD5
be96ffe51835edc120c6785fdbb7b5e6

SHA1
906ba92ca053e3003d71cf828d502492bab420c1

SHA256
f15709f9b7c71f1f706156665b492a3278e6217a01ef4ecc7407fb356871375c

SHA512
fc6692d9a4619e8fa83e42526ec2a0f7cdb2d0cd4b1608aef0d32a52e4a02b8ffb84e0f0ace03f1e43f2e03aceb23efdc514fc47a4028a47cf12d544a887327e

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
897B

MD5
5920eee9412df220ab1199b5124a77b9

SHA1
bf3dc7cb9a9d121cf5800144520213398025206d

SHA256
8fcc20a0ea7a35584c8a2624fb18b2b644982220f77c385b858688c2f81121d0

SHA512
93a9c301488cbdaab229bc7de9c2a3c06b802e589cc9f3b3e5d1995f035c50a4fb7e6e8e91c15833de86f1d4846bf13adc655b76d87f430cc437ab771ab6b186

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
947B

MD5
5f7e7e049d6dd2b80caa7698c57c6bfe

SHA1
269fff9c6fbc16e296640b3bfc809bb38ca9e3e5

SHA256
19c63a3b18b012ba9df51b4748c06a71ed2a8c956485c1a5829a904c3618964d

SHA512
d51820a2fb7923124e50ae9eff9e739b3a588dade398682c01af5f0883bb297b4b7d723d8487d81d1cb305bb650b4cd1ca527df5339639054193ed5cd094aa83

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
947B

MD5
5f7e7e049d6dd2b80caa7698c57c6bfe

SHA1
269fff9c6fbc16e296640b3bfc809bb38ca9e3e5

SHA256
19c63a3b18b012ba9df51b4748c06a71ed2a8c956485c1a5829a904c3618964d

SHA512
d51820a2fb7923124e50ae9eff9e739b3a588dade398682c01af5f0883bb297b4b7d723d8487d81d1cb305bb650b4cd1ca527df5339639054193ed5cd094aa83

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
970B

MD5
d6497bd1af789fb6ab45b0011a0961c9

SHA1
9d0989906e35e2d217318a8e63938b9a29797203

SHA256
327842b1c8967370e2b8cd66e90f77557d9eddd58dbafdf705bf32844caf46c3

SHA512
3047b866f61e4ddedb1ecb10e280f0279a24e5f7141168fe23f05e2ea54ddeaecacd3305fe50801391a8f01b0a15e5cd7bdd9a241cff2df646bd585019583791

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
992B

MD5
2bde2fbb1f1f2987b750d497fab21940

SHA1
bd587fe686b5faf20f9d2d423b2170fcabf2cff6

SHA256
1831f775213fed7ddb686a6beb1d5a271998028fdb75f89843c895394c106333

SHA512
9064abfcccc7c9b7e1cf04c747d522fe2e510cf50937fe5c1119b1ea87232ac068a2f575e1ce42099f727eb7cf89dcb19cd0ab242a43ff7c1d75fc4876a89242

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1018B

MD5
2df39b6dca93fa8e93c84c3e6da9bb2e

SHA1
6a908f86fdb3295794e968640da4e1c3c7139c4f

SHA256
f1aa8dbdb6abca8c45479176462f57d850d2a50438988725ca60f1acaac99c68

SHA512
0ba63a062860cf52ad1a1b6dae6f4c4dbc7101aeca8b49d65911d5512a552704fd9fc70741745b5977e08e9faab7945baf293f1b0a40bfbca0163fe9dacff916

Download Submit
C:\Windows\system32\drivers\etc\hosts
Filesize
1KB

MD5
82678a7ef852268ea4e8773f6b669ffd

SHA1
17d0ed56b1ed177c436ffd2c5a5c651a5ef75abd

SHA256
1aa060e571e2e5adbff1cac4e0a5e3b0d8a6db22fda7c2ba25234ed2c15991cc

SHA512
d7835d598a8140881880f0553337f83af8f2b9c3cceaeccf31d007177b5b47baaced74f980489ba2bb3131bb4d18d02516a961f5e6bd2845e6773520538026b0

Download Submit
\Program Files (x86)\IObit\Smart Defrag\GameScaner.dll
Filesize
1.5MB

MD5
31536112714cf2281686ed18cb75194e

SHA1
ff9037e6596637c86536a37b56dcf6267ce47bd3

SHA256
389813cfb7b8621ffca020cbb3740c2ceaf1f186feb491ae477f670f1220028b

SHA512
bf2b59a5db89793f2adc2cfcf596db7e892d84a5a70cf02666079595ba52f3918e6ebdd8e08fab7eb55f8ce760466486381ab65d1de61f352e1bbf92362767eb

Download Submit
\Program Files (x86)\IObit\Smart Defrag\LocalLang.exe
Filesize
177KB

MD5
62f63cffd57880b2d09bf09a1e5157c2

SHA1
d2f318fb27a6e515f1b2fbf28a873f898cdd1b60

SHA256
9793afd3d18927b8dcbdd8d9082cef3d65074a064bd6283382eb4c8d47ec3b20

SHA512
cdd579b4973782f02748951e9a10132eff194c8d77789265a3853cb874bb1217912430bdcc84f081f7f8059f4d4f8e6d0de5a5e5840d4e96bec13da0470864f3

Download Submit
\Program Files (x86)\IObit\Smart Defrag\LocalLang.exe
Filesize
177KB

MD5
62f63cffd57880b2d09bf09a1e5157c2

SHA1
d2f318fb27a6e515f1b2fbf28a873f898cdd1b60

SHA256
9793afd3d18927b8dcbdd8d9082cef3d65074a064bd6283382eb4c8d47ec3b20

SHA512
cdd579b4973782f02748951e9a10132eff194c8d77789265a3853cb874bb1217912430bdcc84f081f7f8059f4d4f8e6d0de5a5e5840d4e96bec13da0470864f3

Download Submit
\Program Files (x86)\IObit\Smart Defrag\ProductStatistics.dll
Filesize
1.1MB

MD5
5266e1184dfe17cbafd9db2ced614d0f

SHA1
3c2b328ea26ec70c959f8e25c725162eda084a01

SHA256
2a80f1f875b6f605c5532f7322f77ba32469a5dec182ef4aaaca4102199f3ce1

SHA512
717c96dbab2fa519557476449f1f9700f531d35fe15cd8eadfc662e9172387d8aaca624264467c5b8d8b886b28c9cf172e6e639cd4241a0b073d5055e57e7c93

Download Submit
\Program Files (x86)\IObit\Smart Defrag\RegisterCom.dll
Filesize
1021KB

MD5
c23e5d330119dc4de38103bdba64d4a2

SHA1
be377c600209f6e0ef702b67d39767225570c2d0

SHA256
6a8e6c58adf040ea0884155aa8cc7a7497eae47ec1499ae70fc3dccef0942022

SHA512
0eaeea09412fc2d0f72873b7c340d2e92afa86ec0217f6036ec33d0819a2d267d0192d90c896e9bf5f536107b1fa2d826b6091ebb9776502f84887092b04bc7e

Download Submit
\Program Files (x86)\IObit\Smart Defrag\SDDriverMgr.dll
Filesize
83KB

MD5
aee39371634b755aa3d661baa74ba264

SHA1
552844208397f158f30d8824a6ecc0c8686e97a1

SHA256
9eab8185c5cc0eed5adaec9a179afab16e7a3048f45f219852f2dd6e7eb4ab7c

SHA512
798ed421e031ab0401de547bfbf2466a1e7bc5197a782efbe727dd532285efaea2126b26e19b330412bba5d49536e448376a991db951f0cf0d8c9aca2768a936

Download Submit
\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe
Filesize
5.5MB

MD5
73d85ec96a0fbb274e87f1dc5ae30838

SHA1
af9b0a90cb4afb35f9a152f94fd42767f51229aa

SHA256
74039d17d22e0390f577f6e57bcd288a97e2969f725466cdf18f3fc4996dddb8

SHA512
9af26c71bb7a93244fb1991792340413581218f90a9749e6e7fe06b80f71fa122e648b7a9220d329191be72acbce8c0c4a7e57a81a251e8b8b3dc87a0ebfbe61

Download Submit
\Program Files (x86)\IObit\Smart Defrag\SmartDefrag.exe
Filesize
5.5MB

MD5
73d85ec96a0fbb274e87f1dc5ae30838

SHA1
af9b0a90cb4afb35f9a152f94fd42767f51229aa

SHA256
74039d17d22e0390f577f6e57bcd288a97e2969f725466cdf18f3fc4996dddb8

SHA512
9af26c71bb7a93244fb1991792340413581218f90a9749e6e7fe06b80f71fa122e648b7a9220d329191be72acbce8c0c4a7e57a81a251e8b8b3dc87a0ebfbe61

Download Submit
\Program Files (x86)\IObit\Smart Defrag\dataexchange.dll
Filesize
73KB

MD5
cf370248212f07882e2d8468d2325f19

SHA1
86cb05c7bac9e47319291a1a972009d9ca318bd3

SHA256
0ed32b5fcd774fdf7c7dcdfb8f5e2ebd12979226bf20e1b80ba553dfd9c7875c

SHA512
70875e795b2028b695a67e7f32418f1c2d6ee8dc22abe2f3264bdcdf167ee13999eb283b1044bf1cfb3155bd9f40e01db2b7de431f63063317b60dd5b23cee62

Download Submit
\Program Files (x86)\IObit\Smart Defrag\rtl120.bpl
Filesize
1.1MB

MD5
0bb593d71d750ef578c0deb9bee3f6ab

SHA1
bdf4dd3f7f10e6049d49fa69f90a4adb8202878f

SHA256
581cc5a6f3cd6bffbbaa2647a1a81fb62cf3887dbb27084da8bf38920144fdaa

SHA512
b9d7edeecbe643bb2279ed3c986c7a30310d4897980d2e3be93e428b09884fd65fb5b962118813c406a13aa56770996f5fa27f7caf77c8369657330b7091305f

Download Submit
\Program Files (x86)\IObit\Smart Defrag\sdassist.dll
Filesize
198KB

MD5
d5b0f3283d4a86300a2f4acd9dc362c3

SHA1
bb789b4218261bdfb05640f44dcd0132099f8707

SHA256
d07457185e16a751a7aeff0e74c54fe66c8db345a027ee1b4793d5f4889e3623

SHA512
4cf3b923f8e2e9b62e94d00bb3329c493ebc3394ee109ad93f8fc37f9c0d3c5eb1cb7b80d1b72703207efa2efea669bb512f231dc0198ddd8e2a051ee6628364

Download Submit
\Program Files (x86)\IObit\Smart Defrag\sdcore.dll
Filesize
210KB

MD5
c982c324cef0bf7dff52d42e4fce0215

SHA1
8533a858a8639d72940ea806b8bcf91df806b65c

SHA256
7a363f084ff4f56c290ca5d27552232b5a2afc4ecc6c0bd5b8a281edfa2f6d0c

SHA512
8c0fea19f808ab990e92c553814c1343542522331b258bedcbf6ceaf6ae50aba7851b37d9f9e752c5b9e306c685564eeac0dbed9de6c3fa74ee4abf529ce359d

Download Submit
\Program Files (x86)\IObit\Smart Defrag\unins000.exe
Filesize
1.2MB

MD5
55accee2e490cee39e5545c17a961795

SHA1
73f81789c23e80a2d0730378793a02faa3e594c2

SHA256
02cc46584d2e30bb32b969dca8332dec5b8a2051f4e0fae235e152abfb6f9a76

SHA512
397780770974e13c4c7c9cd51f4b45fa4292b8871bf53d84d2b5405505dc669d527111465070360afbfa25d63eafaa6beca464ec3256eca376961fbf6628f5ee

Download Submit
\Program Files (x86)\IObit\Smart Defrag\vcl120.bpl
Filesize
1.9MB

MD5
a74f501d75e780441b657c241ffb1975

SHA1
5b63178ef11f0afad87b1890f33cec64dfd70fb3

SHA256
6c7499006af181d5d4a619587723cb16f8c572ee0170b611c520f7e6dba2391f

SHA512
51336ff165e8d6dd9ce928b66ef1d0534cb6be3f3f67e8e7af63b7b64b7724c9be8b54329758b99e5936b9fd6e2a5901f40226710add053502d4aba8b7919722

Download Submit
\Program Files (x86)\IObit\Smart Defrag\vclx120.bpl
Filesize
217KB

MD5
bcb2d3ebc821f37b781df7862f53a199

SHA1
fb8a2bdd53b7bf7c139db20e32b698d4fc39deae

SHA256
c2002724a02549254618201db1a023f50bc0f09a107e08d7ef6185e78fa9e8bc

SHA512
a9d1f7fa9ac31a0ef386101aff61b5ddaf2b2e74616af83cae342fe1ad8d8f69a3953fb61b48d0f5872896bb11414fc8133d3dca1c2bd9ac359fdb0d70311605

Download Submit
\Program Files (x86)\IObit\Smart Defrag\webres.dll
Filesize
878KB

MD5
73ed8d10da94e13c4a62aaccbeceb88f

SHA1
666155fbfb0400a30071f93446162d25b3187f09

SHA256
0b40f5be83e058003e3f4f9b5a3f0bd7849faa69a812cc08dde49c94102ef8e5

SHA512
c3a85cc0e89b34a5898001551bab946b2af47c336b4281c480e5fdfa1d92c4da719459c182f836a12484a81a14f7e79815cf0ffcc95f6c2829a7fc4ddd0fae41

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Patch.exe
Filesize
1.1MB

MD5
18eb6378e1e21c3820f967e014aeb6b1

SHA1
828c51838633e09407b35e90f3b6fb32c69e05bd

SHA256
ed32d9f47d4fff72bf30fa271be48349729efd72053d5b6cb682f933064babe0

SHA512
e9345bf038c9e7d1d31eec0a2ac7629e296a1d686873a4d8b0d7bff4fa15bd1d4769c8074457f73c9ecb6095447dd7fd4be0db4c71a307ddfbb75ed90a975525

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Patch.exe
Filesize
1.1MB

MD5
18eb6378e1e21c3820f967e014aeb6b1

SHA1
828c51838633e09407b35e90f3b6fb32c69e05bd

SHA256
ed32d9f47d4fff72bf30fa271be48349729efd72053d5b6cb682f933064babe0

SHA512
e9345bf038c9e7d1d31eec0a2ac7629e296a1d686873a4d8b0d7bff4fa15bd1d4769c8074457f73c9ecb6095447dd7fd4be0db4c71a307ddfbb75ed90a975525

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Patch.exe
Filesize
1.1MB

MD5
18eb6378e1e21c3820f967e014aeb6b1

SHA1
828c51838633e09407b35e90f3b6fb32c69e05bd

SHA256
ed32d9f47d4fff72bf30fa271be48349729efd72053d5b6cb682f933064babe0

SHA512
e9345bf038c9e7d1d31eec0a2ac7629e296a1d686873a4d8b0d7bff4fa15bd1d4769c8074457f73c9ecb6095447dd7fd4be0db4c71a307ddfbb75ed90a975525

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\Patch.exe
Filesize
1.1MB

MD5
18eb6378e1e21c3820f967e014aeb6b1

SHA1
828c51838633e09407b35e90f3b6fb32c69e05bd

SHA256
ed32d9f47d4fff72bf30fa271be48349729efd72053d5b6cb682f933064babe0

SHA512
e9345bf038c9e7d1d31eec0a2ac7629e296a1d686873a4d8b0d7bff4fa15bd1d4769c8074457f73c9ecb6095447dd7fd4be0db4c71a307ddfbb75ed90a975525

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe
Filesize
14.9MB

MD5
f5cc3dcefa28335694ccc19dcf5b4e61

SHA1
dfe5f854a10c18aa27d80d1ca019435dfa4724b9

SHA256
bfbd369fbb445c40dd168003b3e1cd301714a12e826c8ff65707b8f339daf2ae

SHA512
fcf912a7d8a75db532ada001c469041a2f0f6c663f8355c88e01a723785cea66ec18c620580e05c073015f98051e6e74cd27b02a325107ef60e60665c5a61733

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe
Filesize
14.9MB

MD5
f5cc3dcefa28335694ccc19dcf5b4e61

SHA1
dfe5f854a10c18aa27d80d1ca019435dfa4724b9

SHA256
bfbd369fbb445c40dd168003b3e1cd301714a12e826c8ff65707b8f339daf2ae

SHA512
fcf912a7d8a75db532ada001c469041a2f0f6c663f8355c88e01a723785cea66ec18c620580e05c073015f98051e6e74cd27b02a325107ef60e60665c5a61733

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe
Filesize
14.9MB

MD5
f5cc3dcefa28335694ccc19dcf5b4e61

SHA1
dfe5f854a10c18aa27d80d1ca019435dfa4724b9

SHA256
bfbd369fbb445c40dd168003b3e1cd301714a12e826c8ff65707b8f339daf2ae

SHA512
fcf912a7d8a75db532ada001c469041a2f0f6c663f8355c88e01a723785cea66ec18c620580e05c073015f98051e6e74cd27b02a325107ef60e60665c5a61733

Download Submit
\Users\Admin\AppData\Local\Temp\RarSFX0\smart-defrag-setup.exe
Filesize
14.9MB

MD5
f5cc3dcefa28335694ccc19dcf5b4e61

SHA1
dfe5f854a10c18aa27d80d1ca019435dfa4724b9

SHA256
bfbd369fbb445c40dd168003b3e1cd301714a12e826c8ff65707b8f339daf2ae

SHA512
fcf912a7d8a75db532ada001c469041a2f0f6c663f8355c88e01a723785cea66ec18c620580e05c073015f98051e6e74cd27b02a325107ef60e60665c5a61733

Download Submit
\Users\Admin\AppData\Local\Temp\is-B8S3G.tmp\smart-defrag-setup.tmp
Filesize
1.2MB

MD5
55accee2e490cee39e5545c17a961795

SHA1
73f81789c23e80a2d0730378793a02faa3e594c2

SHA256
02cc46584d2e30bb32b969dca8332dec5b8a2051f4e0fae235e152abfb6f9a76

SHA512
397780770974e13c4c7c9cd51f4b45fa4292b8871bf53d84d2b5405505dc669d527111465070360afbfa25d63eafaa6beca464ec3256eca376961fbf6628f5ee

Download Submit
\Users\Admin\AppData\Local\Temp\is-NOB48.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-NOB48.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\qb6C715A.F8\Config.exe
Filesize
374KB

MD5
ccbe3afbc45a336fbd85dd6253bf010f

SHA1
66404313b89d7e0c9e76c39f919a99153118b104

SHA256
49923ae54f6fb4cd944e303b9be1ccf97da1e927bd5338bf3a572302843bb996

SHA512
84c43e0c58027e632f672c7043269fd9babb7c36b2105c9fe86461ace21ef8136ac90721b4b4688b03b456b72139b3aba54c2216004cd33ae4d8a350698f1263

Download Submit
\Users\Admin\AppData\Local\Temp\qb6C715A.F8\license.exe
Filesize
373KB

MD5
90a078498008102668441909b6c695c2

SHA1
fce5f386a2cfd476f5d151b8b628407dbb55d0a2

SHA256
c15813f091f6faad0f9b8fbfcda17403695819273cae426485177082609a8744

SHA512
a5b1ce3111882c5b80744753230a6151749e4947815bcc6c8db7a3cfdc65eaf1f903658ecf6a6d6885445a0b0321291962e4e16528eea2d858c363386437edf3

Download Submit
memory/336-59-0x0000000000000000-mapping.dmp

Download
memory/520-68-0x0000000000000000-mapping.dmp

Download
memory/548-74-0x0000000000000000-mapping.dmp

Download
memory/576-89-0x0000000000000000-mapping.dmp

Download
memory/632-110-0x0000000000000000-mapping.dmp

Download
memory/640-174-0x0000000000000000-mapping.dmp

Download
memory/832-154-0x00000000063F0000-0x00000000064F7000-memory.dmp

Filesize
1.0MB

Download
memory/832-148-0x00000000009D0000-0x0000000000B85000-memory.dmp

Filesize
1.7MB

Download
memory/832-145-0x0000000000260000-0x0000000000385000-memory.dmp

Filesize
1.1MB

Download
memory/832-124-0x0000000000000000-mapping.dmp

Download
memory/860-66-0x0000000000000000-mapping.dmp

Download
memory/860-111-0x0000000000000000-mapping.dmp

Download
memory/880-121-0x0000000000000000-mapping.dmp

Download
memory/944-112-0x0000000000000000-mapping.dmp

Download
memory/944-72-0x0000000000000000-mapping.dmp

Download
memory/968-159-0x00000000009D0000-0x0000000000AF5000-memory.dmp

Filesize
1.1MB

Download
memory/968-157-0x0000000000000000-mapping.dmp

Download
memory/968-166-0x00000000064A0000-0x00000000065A7000-memory.dmp

Filesize
1.0MB

Download
memory/968-160-0x0000000000C70000-0x0000000000E25000-memory.dmp

Filesize
1.7MB

Download
memory/1072-175-0x0000000000000000-mapping.dmp

Download
memory/1104-184-0x0000000004310000-0x0000000004417000-memory.dmp

Filesize
1.0MB

Download
memory/1104-182-0x0000000000000000-mapping.dmp

Download
memory/1108-177-0x0000000000000000-mapping.dmp

Download
memory/1176-181-0x0000000000000000-mapping.dmp

Download
memory/1296-99-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1296-108-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1296-96-0x0000000000000000-mapping.dmp

Download
memory/1320-169-0x0000000000000000-mapping.dmp

Download
memory/1372-76-0x0000000000000000-mapping.dmp

Download
memory/1384-80-0x0000000000000000-mapping.dmp

Download
memory/1440-178-0x0000000000000000-mapping.dmp

Download
memory/1472-70-0x0000000000000000-mapping.dmp

Download
memory/1492-62-0x0000000000000000-mapping.dmp

Download
memory/1528-78-0x0000000000000000-mapping.dmp

Download
memory/1528-113-0x0000000000000000-mapping.dmp

Download
memory/1528-155-0x0000000000000000-mapping.dmp

Download
memory/1564-185-0x0000000000000000-mapping.dmp

Download
memory/1712-54-0x0000000075DF1000-0x0000000075DF3000-memory.dmp

Filesize
8KB

Download
memory/1728-179-0x0000000000000000-mapping.dmp

Download
memory/1748-103-0x0000000000000000-mapping.dmp

Download
memory/1748-114-0x00000000748D1000-0x00000000748D3000-memory.dmp

Filesize
8KB

Download
memory/1756-171-0x0000000000000000-mapping.dmp

Download
memory/1768-65-0x0000000000000000-mapping.dmp

Download
memory/1784-170-0x0000000000000000-mapping.dmp

Download
memory/1788-168-0x0000000000C40000-0x0000000000DF5000-memory.dmp

Filesize
1.7MB

Download
memory/1788-162-0x0000000000000000-mapping.dmp

Download
memory/1796-84-0x0000000000000000-mapping.dmp

Download
memory/1808-161-0x0000000000000000-mapping.dmp

Download
memory/1812-64-0x0000000000000000-mapping.dmp

Download