Analysis Overview
SHA256
1a72fc29464f36513bae08e9bc4076d7485ddbd6d06b93be1139ba95aeb11d4c
Threat Level: Shows suspicious behavior
The file dc97cc32556cfc04dbd9abbe898326d2 was found to show suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
UPX packed file
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Adds Run key to start application
Checks installed software on the system
Installs/modifies Browser Helper Object
Drops file in Program Files directory
Enumerates physical storage devices
Unsigned PE
NSIS installer
Suspicious behavior: EnumeratesProcesses
Modifies registry class
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Enumerates system info in registry
Kills process with taskkill
Modifies Internet Explorer start page
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-21 20:55
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-21 20:55
Reported
2024-03-21 20:58
Platform
win7-20240220-en
Max time kernel
122s
Max time network
148s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ = "TBSB01315" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\inst.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbcore3.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\about.html | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\basis.xml | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\info.txt | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\your_logo.png | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File created | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\icons.bmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\options.html | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbcore3.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\version.txt | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\google_toolbar.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbCommonUtils.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbhelper.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\update.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\demo_logo.bmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\error.html | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\basis | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\UpdateAutomatically = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\Height = "22" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\userid = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\KeepHistory = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}\AppName = "TbHelper2.exe" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\ | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{645E4FA1-E7C5-11EE-82B1-CE167E742B8D} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\AutoComplete = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\ShowFindButtons = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\AutoWild | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\blockPopups = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\ShowFindButtons = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\needSetHomepage = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001002d00000001000000000700005e010000060000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a4c0b64490ce3c7e6b05a66c402f2b2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\KeepHistory = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\RTL = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\toolbar_version = "undefined" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\UpdateAutomatically = "2" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\rtime = "1711054547" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\version = "undefined" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\LastQAScriptCheckTime = "1711054550" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000be4751f28190ed81a1b7b5f4d6ea105d3fcfcd67f26e84d10369f295f1b1ebac000000000e800000000200002000000029e20324abe3ed6c3c18160ea41e5d456389dacb501b77c989d8bffa8d9920c620000000a913d67bf6397b4c6e8ee1a71c31645f257a3187c0b125addbe4805a2da2267040000000667e75212055725c00275f6765c949248e53ab02ce6adb8ff0c198eb68fd957652a8ec3bf00c1591b0744d25c5ea59b4402c53b323338b3dcebd9495c32e047d | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000000700005e010000060000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a4c0b64490ce3c7e6b05a66c402f2b2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\CountOS = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\SendReports = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} = 00 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\Height = "22" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\ShowHighlightButton = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\firstTime = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\History\tb_cmb_SVCgVyWG | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\DeskbarMode = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000060000000903000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a4c0b64490ce3c7e6b05a66c402f2b2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\RunSearchAutomatically = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CA3EB689-8F09-4026-AA10-B9534C691CE0} | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\tb_items | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\SiteAllow | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\RunSearchAutomatically = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.google.fr/" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.fr/" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\ProxyStubClsid32 | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ComObject.DeskbarEnabler\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1\ = "ContextMenuNotifier Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5} | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.TBSB01315\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\Programmable | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Software\Microsoft | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Google Toolbar\\tbunsi142E.tmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper.1 | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29} | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315\CLSID\ = "{FCBCCB87-9224-4B8D-B117-F56D924BEB18}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}\VersionIndependentProgID\ = "Toolbar3.SearchProviderManager" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}\ = "IBubble" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}\ProgID | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbPropertyManager\ = "TbPropertyManager Class" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.SearchProviderManager | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}\InprocServer32\ = "C:\\Program Files (x86)\\Google Toolbar\\tbunsi142E.tmp\\tbcore3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\ = "IPosBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib\ = "{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.TBSB01315 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ = "ICustomInternetSecurityImpl" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Software\Microsoft\Internet Explorer\Main\ | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1\CLSID\ = "{D433A9D0-8267-40CB-8AD5-24F22FA5373F}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\TypeLib\ = "{C4BAE205-5E02-4E32-876E-F34B4E2D000C}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper\CLSID\ = "{AE338F6D-5A7C-4D1D-86E3-C618532079B5}" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbDownloadManager\CLSID | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbDownloadManager\CLSID\ = "{D89031C2-10DA-4C90-9A62-FCED012BC46B}" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\ProxyStubClsid32 | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315.1\CLSID\ = "{FCBCCB87-9224-4B8D-B117-F56D924BEB18}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315\CurVer\ = "Toolbar3.TBSB01315.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}\ = "IContextMenuNotifier" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}\ = "IDocHandlerCallback" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.TBSB01315.3\ = "Google Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.IEToolbar\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbPropertyManager.1\ = "TbPropertyManager Class" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" | C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe
"C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\121A.tmp\certificat.bat" "
C:\Windows\SysWOW64\findstr.exe
FINDSTR /C:Path profiles.ini
C:\Windows\SysWOW64\findstr.exe
FINDSTR /C:.defau profiles.ini
C:\Windows\SysWOW64\reg.exe
reg import c:\proxy\Proxy.reg
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /F /IM rssclient.exe
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /F /IM tbhelper2.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbcore3.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbCommonUtils.dll"
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe
"C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe" -RegServer
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe
"C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe" -Embedding
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.icservic.com | udp |
| FR | 5.196.160.143:80 | www.icservic.com | tcp |
| FR | 5.196.160.188:8181 | icservic.com | tcp |
| US | 8.8.8.8:53 | www.google.fr | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| FR | 5.196.160.143:80 | www.icservic.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| FR | 5.196.160.188:8181 | www.icservic.com | tcp |
| NL | 142.250.179.196:443 | www.google.com | tcp |
| GB | 92.123.128.142:80 | www.bing.com | tcp |
| GB | 92.123.128.142:80 | www.bing.com | tcp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| US | 8.8.8.8:53 | softomate.net | udp |
| RU | 109.202.21.168:80 | softomate.net | tcp |
| RU | 109.202.21.168:80 | softomate.net | tcp |
| GB | 92.123.128.142:80 | th.bing.com | tcp |
| GB | 92.123.128.142:80 | th.bing.com | tcp |
| GB | 92.123.128.142:80 | th.bing.com | tcp |
| GB | 92.123.128.142:80 | th.bing.com | tcp |
| GB | 92.123.128.142:80 | th.bing.com | tcp |
| GB | 92.123.128.142:80 | th.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| IE | 20.190.159.71:443 | login.microsoftonline.com | tcp |
| IE | 20.190.159.71:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | a4.bing.com | udp |
| GB | 92.123.128.142:80 | th.bing.com | tcp |
| GB | 184.28.198.218:80 | a4.bing.com | tcp |
| GB | 184.28.198.218:80 | a4.bing.com | tcp |
| GB | 92.123.128.142:80 | th.bing.com | tcp |
| GB | 92.123.128.142:443 | th.bing.com | tcp |
| GB | 92.123.128.142:443 | th.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| GB | 92.123.128.150:443 | r.bing.com | tcp |
| RU | 109.202.21.168:80 | softomate.net | tcp |
| RU | 109.202.21.168:80 | softomate.net | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
C:\Users\Admin\AppData\Local\Temp\121A.tmp\certificat.bat
\??\c:\proxy\Proxy.reg
\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
\Users\Admin\AppData\Local\Temp\nso13FF.tmp\UserInfo.dll
\Users\Admin\AppData\Local\Temp\nso13FF.tmp\CabDLL.dll
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\uninstaller.exe
\Users\Admin\AppData\Local\Temp\nso13FF.tmp\inetc.dll
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbcore3.dll
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\about.html
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\basis.xml
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\demo_logo.bmp
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\error.html
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\icons.bmp
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\info.txt
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\options.html
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\uninstall.exe
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\update.exe
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\version.txt
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\your_logo.png
\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbhelper.dll
\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\google_toolbar.dll
C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbCommonUtils.dll
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\proxy[1].htm
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\favicon-trans-bg-blue-mg[1].ico
C:\Users\Admin\AppData\Local\Temp\Cab3C76.tmp
C:\Users\Admin\AppData\Local\Temp\Cab3D72.tmp
C:\Users\Admin\AppData\Local\Temp\Tar3DE4.tmp
| SHA256 | 8ecd741930f7f1629134d7051e79a18864d2f9be5431661e70015af2d9b3964f |
| SHA512 | 4eb0244bf5e5b42cd364206163228425bff3da8edc0ee22a67d2d002c8cae0e5e67c6200ef07c477d93901d9d330fc41c97016fbe184b6ffaf7abc6994f97873 |
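Most of the dropped-file entries above live under `AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData` and `...\Content`. That directory is CryptoAPI's own cache of certificates, CRLs and OCSP responses fetched during chain validation; Windows writes it whenever any process validates a certificate, so these rows are environment noise rather than files the sample chose to drop, and the same MetaData path appearing repeatedly with different hashes is the cache being rewritten, not several payloads. The script below is an added example, not part of the report: it parses this hash-table layout, validates that each hash column has the expected number of hex digits before anyone pivots on it, separates CryptoAPI cache writes from entries worth reviewing, and lists paths that were rewritten more than once. `SAMPLE_DROPPED` is a subset of entries copied verbatim from the table above; the noise classification is this script's, not the sandbox's.

```python
"""Triage the dropped-file hash table of a sandbox report.

Added example, not part of the original report. SAMPLE_DROPPED copies three
entries from the table above verbatim; treating CryptnetUrlCache writes as
CryptoAPI noise is this script's own assumption.
"""
import re

# Expected hex-digit length per column; a mismatch means a truncated or
# mis-copied hash that must not be used for lookups or blocking.
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

HASH_ROW_RE = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
CRYPTOAPI_CACHE = re.compile(
    r"\\AppData\\LocalLow\\Microsoft\\CryptnetUrlCache\\(MetaData|Content)\\", re.I
)

SAMPLE_DROPPED = r"""
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4183558a6b5048c7717b4b5f7cc47b60 |
| SHA1 | dd3fbdf11fbe6d05ebfe43d1717d11834c3612a5 |
| SHA256 | 02ff55cf7ea56ee186afdf6287ef069a049b62460c30c3009b6bc56ffb0795b9 |
| SHA512 | 77769df6535125255a93875df078c295e5fcbacd1425f970d3a1f3d22241b79e5f3c9ef2472aee3fb289564448a923c159f3a3710c7216a93194a179f75d1c65 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c79185f3cb467c7a2884f85a2a9097da |
| SHA1 | be969e825f89c150d208777d4edaf4d9df61ab25 |
| SHA256 | e5547e785e0ed37289f12fdf13a381f3de2d403cfb1104b51f42f1c7ad23f65e |
| SHA512 | 4e558536016699a79b852ae071640687df8393be265f5eebef135bf2d0dbb7deacc10f1718016aaf3fbc6f6624f7eb63bbf60854f28b7fdb2c09d927ed8d9232 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
"""


def parse_dropped(text):
    """Return [{'path': ..., 'hashes': {'MD5': ..., ...}}] in table order.

    A non-hash line starts a new entry; the hash rows that follow belong to it.
    """
    entries, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_ROW_RE.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any path: " + line)
            current["hashes"][m.group(1)] = m.group(2).lower()
        else:
            current = {"path": line, "hashes": {}}
            entries.append(current)
    return entries


def check_hashes(entry):
    """List what is wrong with an entry's hash columns (empty list = clean)."""
    problems = []
    for algo, n in HASH_LEN.items():
        h = entry["hashes"].get(algo)
        if h is None:
            problems.append(f"missing {algo}")
        elif len(h) != n:
            problems.append(f"{algo} has {len(h)} hex digits, expected {n}")
    return problems


def is_cryptoapi_cache(path):
    """True for CryptoAPI's certificate/CRL/OCSP cache, written by Windows itself."""
    return CRYPTOAPI_CACHE.search(path) is not None


def group_by_path(entries):
    """Map each path to the SHA256 of every version the sandbox saw written."""
    groups = {}
    for e in entries:
        groups.setdefault(e["path"], []).append(e["hashes"].get("SHA256"))
    return groups


def triage(text):
    entries = parse_dropped(text)
    noise, keep = [], []
    for e in entries:
        (noise if is_cryptoapi_cache(e["path"]) else keep).append(e)
    rewritten = {p: v for p, v in group_by_path(entries).items() if len(v) > 1}
    return {"entries": entries, "cryptoapi_cache": noise,
            "to_review": keep, "rewritten_paths": rewritten}


if __name__ == "__main__":
    result = triage(SAMPLE_DROPPED)
    for e in result["entries"]:
        print(f"{'noise ' if is_cryptoapi_cache(e['path']) else 'REVIEW'} {e['path']}",
              check_hashes(e) or "hashes ok")
    for path, versions in result["rewritten_paths"].items():
        print(f"{path} rewritten {len(versions)} times")
```

Run it on the full "Dropped files" table and only the `to_review` entries deserve a hash lookup; anything `check_hashes` flags should be re-copied from the report before it is used as an indicator.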
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-21 20:55
Reported
2024-03-21 20:58
Platform
win10v2004-20240226-en
Max time kernel
138s
Max time network
140s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe | N/A |
Checks installed software on the system
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ = "TBSB01315" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\NoExplorer = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\inst.tmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbcore3.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\demo_logo.bmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\options.html | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbhelper.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\uninstall.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File created | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\uninstaller.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\error.html | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\google_toolbar.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbCommonUtils.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbcore3.dll | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\update.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\your_logo.png | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\about.html | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\basis.xml | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\icons.bmp | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\info.txt | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\version.txt | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\OpenNew = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\RunSearchAutomatically = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\UpdateAutomatically = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\toolbar_id = "{CFEAEC9C-8BA5-4583-ACA4-6162773DD039}" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} = a4c0b64490ce3c7e6b05a66c402f2b2e | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001002d00000001000000000700005e010000060000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a4c0b64490ce3c7e6b05a66c402f2b2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417819522" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\RunSearchDragAutomatically = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CA3EB689-8F09-4026-AA10-B9534C691CE0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\mac_id = "628714877227" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\RunSearchDragAutomatically = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\LastQAScriptCheckTime = "1711054551" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095762" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\toolbar_version = "undefined" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\OpenNew = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\DescriptiveText = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291} | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\needSetHomepage = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\AutoWild | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "956427570" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\DeskbarMode = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000055176c4ced34542856d0f29947515a50000000002000000000010660000000100002000000049327103c58b6ab2e729df5266d9bd66bd0181979b848fc12699375fbf7628e6000000000e8000000002000020000000fe9483c0a9d33d7ca691cdb92c4e9b94a307454316c6805613daa0ffa5c5579620000000863d0708c74ee86d2c3da4e881a4d241601fb09789223d4ca4fc6eeabf106570400000009d7a67974aae286124d9e9ecca5dcf021c08b8f1d0d4d04b5fadaef1e451963e3138edff85e7102d0f3ede42892203fa29119890330a3932db4cf160b7619916 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\KeepHistory = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\TBShow = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\TBBreak = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "956427570" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\SiteAllow | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\mac_id = "628714877227" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\ShowFindButtons = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\ | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\DescriptiveText = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "955177620" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\CurrentLayout = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\AutoComplete = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\needSetHomepage = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\History\tb_cmb_SVCgVyWG | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315 | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "22" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\ | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\version = "undefined" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\RunSearchAutomatically = "1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\basis | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\ShowFindButtons = "0" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}\AppName = "TbHelper2.exe" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\C:\Users\Admin\AppData\LocalLow\Toolbar4\{44B6C0A4-CE90- = "333" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\updateXML = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.fr/" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.fr/" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
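Read together, the behavioral2 tables above describe one installation chain: the outer executable unpacks into `IXP000.TMP` and registers a `RunOnce` entry that has `advpack.dll,DelNodeRunDLL32` delete that directory at next logon (the `wextract_cleanup0` name is the one the Windows wextract/IExpress self-extractor uses for exactly this), `regsvr32.exe` registers a Browser Helper Object and a URL search hook, and `TbHelper2.exe` rewrites the IE start page and grants itself a Low Rights elevation policy entry. The script below is an added example, not part of the report: it parses rows in this table format, classifies the registry keys into persistence or hijack mechanisms, pulls out the CLSIDs a responder would search other hosts for, decodes the escaped `RunOnce` command, and summarises mechanisms per process. `SAMPLE_ROWS` is a subset of rows copied verbatim from the tables above; the mechanism labels and the self-extractor reading of the `RunOnce` value are this script's own, not the sandbox's.

```python
"""Turn sandbox signature rows into a per-process persistence summary.

Added example, not part of the original report. SAMPLE_ROWS copies rows
verbatim from the behavioral2 tables; MECHANISMS and the RunOnce decoding are
this script's own classification.
"""
import re

GUID_RE = re.compile(r"\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}", re.I)

# Key-path fragments that carry a persistence or hijack meaning; first match wins.
MECHANISMS = [
    (r"\\Explorer\\Browser Helper Objects\\", "BHO registration"),
    (r"\\Internet Explorer\\URLSearchHooks\\", "URL search hook"),
    (r"\\Internet Explorer\\Low Rights\\ElevationPolicy\\", "IE elevation policy"),
    (r"\\Internet Explorer\\Main\\Start Page", "IE start page"),
    (r"\\Internet Explorer\\Toolbar\\", "IE toolbar"),
    (r"\\CurrentVersion\\RunOnce\\", "RunOnce autostart"),
    (r"\\CurrentVersion\\Run\\", "Run autostart"),
]

SAMPLE_ROWS = r"""
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CA3EB689-8F09-4026-AA10-B9534C691CE0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291} | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.fr/" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
"""


def parse_row(line):
    """Split '| desc | indicator | process | target |' into a dict.

    The indicator may contain spaces and quotes but never a pipe, while the
    process and target columns never contain one either, so split the first
    column off the left and the last two off the right.
    """
    body = line.strip()
    if not (body.startswith("|") and body.endswith("|")):
        return None
    desc, rest = body[1:-1].split("|", 1)
    ind, proc, target = rest.rsplit("|", 2)
    return {"desc": desc.strip(), "indicator": ind.strip(),
            "process": proc.strip(), "target": target.strip()}


def split_indicator(ind):
    """'key = "value"' -> (key, raw value); a bare key -> (key, None)."""
    key, sep, value = ind.partition(" = ")
    return key.strip(), (value.strip() if sep else None)


def unescape_report_value(value):
    """Undo the report's C-style quoting: outer quotes, \\\\ and \\" escapes."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        value = value[1:-1]
    return re.sub(r'\\(["\\])', r"\1", value)


def classify(key):
    for frag, label in MECHANISMS:
        if re.search(frag, key, re.I):
            return label
    return None


def decode_runonce(cmd):
    """Recognise the self-extractor cleanup pattern and the directory it removes."""
    info = {"command": cmd, "self_extractor_cleanup": False, "deletes": None}
    m = re.search(r'advpack\.dll,DelNodeRunDLL32\s+"?([^"]+)"?', cmd, re.I)
    if m:
        info["self_extractor_cleanup"] = True
        info["deletes"] = m.group(1)
    return info


def extract_persistence(table_text):
    findings = []
    for line in table_text.splitlines():
        row = parse_row(line)
        if not row or row["desc"] == "Description" or row["indicator"] == "N/A":
            continue
        key, raw = split_indicator(row["indicator"])
        mech = classify(key)
        if mech is None:
            continue  # e.g. the Geo\Nation read: reconnaissance, not persistence
        f = {"mechanism": mech, "process": row["process"], "key": key,
             "value": unescape_report_value(raw) if raw is not None else None,
             "guids": GUID_RE.findall(key)}
        if mech == "RunOnce autostart" and f["value"]:
            f["runonce"] = decode_runonce(f["value"])
        findings.append(f)
    return findings


def summarize_by_process(findings):
    out = {}
    for f in findings:
        out.setdefault(f["process"], []).append(f["mechanism"])
    return out


if __name__ == "__main__":
    found = extract_persistence(SAMPLE_ROWS)
    for proc, mechs in summarize_by_process(found).items():
        print(proc, "->", ", ".join(mechs))
    for f in found:
        if f["guids"]:
            print(f["mechanism"], f["guids"])
        if "runonce" in f:
            print("RunOnce deletes", f["runonce"]["deletes"])
```

The CLSIDs it prints are the values to search for under `Browser Helper Objects`, `URLSearchHooks` and `Low Rights\ElevationPolicy` on other hosts; the `RunOnce` entry is not the sample's own persistence but the self-extractor removing its staging directory, which is why a live host may no longer have `IXP000.TMP` even though the BHO is still registered.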
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper.1\CLSID | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\ = "ITbPropertyManager" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\ = "ITbTask" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B} | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\VersionIndependentProgID\ = "TBSB01315.IEToolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\ = "IPosBHO" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TbCommonUtils.DLL | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TbHelper.EXE\AppID = "{628F3201-34D0-49C0-BB9A-82A26AEFB291}" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\ = "ISearchProviderManager" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\ProxyStubClsid32 | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\ = "IToolbarObj" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.TBSB01315\CLSID\ = "{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659} | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\ProxyStubClsid32 | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1\CLSID\ = "{D565B35E-B787-40FA-95E3-E3562F8FC1A0}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}\Programmable | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Software\Microsoft\Internet Explorer | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}\ProgID | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\TypeLib\ = "{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\TypeLib\ = "{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib\Version = "1.0" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.IEToolbar\ = "IE Toolbar" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}\ = "IContextMenuNotifier" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}\ = "IDocHandlerCallback" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\ = "ICommonUtils" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\TypeLib\Version = "1.0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291} | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google Toolbar\\tbunsd3589.tmp\\TbHelper2.exe\"" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}\Programmable | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\InprocServer32\ = "C:\\Program Files (x86)\\Google Toolbar\\tbunsd3589.tmp\\tbcore3.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1\ = "CommonUtils Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbTask\CLSID\ = "{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}" | C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe | "C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe" |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\325A.tmp\certificat.bat" " |
| C:\Windows\SysWOW64\findstr.exe | FINDSTR /C:Path profiles.ini |
| C:\Windows\SysWOW64\findstr.exe | FINDSTR /C:.defau profiles.ini |
| C:\Windows\SysWOW64\reg.exe | reg import c:\proxy\Proxy.reg |
| C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe |
| C:\Windows\SysWOW64\taskkill.exe | "C:\Windows\system32\taskkill.exe" /F /IM rssclient.exe |
| C:\Windows\SysWOW64\taskkill.exe | "C:\Windows\system32\taskkill.exe" /F /IM tbhelper2.exe |
| C:\Windows\system32\pacjsworker.exe | C:\Windows\system32\pacjsworker.exe 72316990-603e-461b-bf2a-ad34ab59a0c4 3455cce1-ee83-4971-b0ae-d51528026442 |
| C:\Windows\system32\pacjsworker.exe | C:\Windows\system32\pacjsworker.exe 97760f5f-4130-4248-b69f-7b83bf662fd4 3455cce1-ee83-4971-b0ae-d51528026442 |
| C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbcore3.dll" |
| C:\Windows\SysWOW64\regsvr32.exe | regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbCommonUtils.dll" |
| C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | "C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe" -RegServer |
| C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe | "C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe" -Embedding |
| C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/ |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3240 CREDAT:17410 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=a0054 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=a0054 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5a646f8,0x7ff9f5a64708,0x7ff9f5a64718 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,193173788901877340,15449758104400760272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,193173788901877340,15449758104400760272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3 |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,193173788901877340,15449758104400760272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8 |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Windows\System32\CompPkgSrv.exe | C:\Windows\System32\CompPkgSrv.exe -Embedding |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=proxy_resolver.mojom.ProxyResolverFactory --field-trial-handle=2028,193173788901877340,15449758104400760272,131072 --lang=en-US --service-sandbox-type=proxy_resolver --mojo-platform-channel-handle=3380 /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.icservic.com | udp |
| FR | 5.196.160.143:80 | www.icservic.com | tcp |
| FR | 5.196.160.188:8181 | 5.196.160.188 | tcp |
| FR | 5.196.160.188:8181 | 5.196.160.188 | tcp |
| FR | 5.196.160.188:8181 | icservic.com | tcp |
| US | 8.8.8.8:53 | 143.160.196.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.160.196.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| NL | 142.250.179.196:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | 196.179.250.142.in-addr.arpa | udp |
| FR | 5.196.160.188:8181 | 5.196.160.188 | tcp |
| FR | 5.196.160.188:8181 | 5.196.160.188 | tcp |
| FR | 5.196.160.188:8181 | | tcp |
| FR | 5.196.160.188:8181 | www.icservic.com | tcp |
| US | 8.8.8.8:53 | www.icservic.com | udp |
| FR | 5.196.160.143:80 | www.icservic.com | tcp |
| FR | 5.196.160.143:80 | www.icservic.com | tcp |
| GB | 92.123.128.142:443 | www.bing.com | tcp |
| GB | 92.123.128.142:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | edge.microsoft.com | udp |
| US | 8.8.8.8:53 | 142.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | softomate.net | udp |
| RU | 109.202.21.168:80 | softomate.net | tcp |
| RU | 109.202.21.168:80 | softomate.net | tcp |
| US | 204.79.197.239:443 | edge.microsoft.com | tcp |
| US | 204.79.197.239:443 | edge.microsoft.com | tcp |
| US | 8.8.8.8:53 | r.bing.com | udp |
| GB | 92.123.128.132:443 | r.bing.com | tcp |
| GB | 92.123.128.132:443 | r.bing.com | tcp |
| US | 8.8.8.8:53 | login.microsoftonline.com | udp |
| NL | 40.126.32.138:443 | login.microsoftonline.com | tcp |
| NL | 40.126.32.138:443 | login.microsoftonline.com | tcp |
| US | 8.8.8.8:53 | 239.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 132.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | th.bing.com | udp |
| GB | 92.123.128.185:443 | th.bing.com | tcp |
| GB | 92.123.128.185:443 | th.bing.com | tcp |
| US | 8.8.8.8:53 | 185.128.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| RU | 109.202.21.168:80 | softomate.net | tcp |
| RU | 109.202.21.168:80 | softomate.net | tcp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 186.178.17.96.in-addr.arpa | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
| MD5 | a0fe1191d60d3459d84262f5e3613e6a |
| SHA1 | 278b47dc1480ada26c546b4e74388857fa8a8106 |
| SHA256 | ca98b7510a17e287b111276e58ccf36d4f5df44c253dbe84d402539e9d91a982 |
| SHA512 | 584925d6eb712a1c5657a69249482d9823f7d51a6794539c2423fc709449aad647236dd9d775f6a75b19427ca6e3d7546e5d5430d57a6a473fd2a04d5aa2b4d3 |
memory/4420-7-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\325A.tmp\certificat.bat
| MD5 | 36f5ab7eaa9af08b0d6befa8a8421f11 |
| SHA1 | 386b2100018d24adff21e1c0191b9b8d4e6d49c4 |
| SHA256 | 51e7c7f87241543bd92d43a566acc65e85932e1f597c7fafd0bc62a89347390d |
| SHA512 | fd61eb0168d27b5a03236ee206eb423b4ec73a9f212d89b9155f1f261769fefdaffeef4ed7c76edfa79ec81c3e2ce72efe7b53d1f2914428d98041791be1152e |
\??\c:\proxy\Proxy.reg
| MD5 | 084b0f14ab07ebd84c5cfb0a4d3bc51f |
| SHA1 | f0f097d590223bab722a45656c43fa0300022cc6 |
| SHA256 | f8cec4b3c51ea7ca647ca68ba0e6a44a67b253b89a0b51aaddc16f45193c4ad6 |
| SHA512 | df880be96693e1252f6ab19d9d98195c736ef169e80faa7cd4d2034db1297a508ef816d4dbc1f3d92da0b7e4d80e6a4c2681c39bc14b1dd1adf34668002cc67f |
memory/4420-26-0x0000000000400000-0x0000000000410000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
| MD5 | de47bfec38bea525168ed54243f752f2 |
| SHA1 | 2eb200e324be593d7ac21eae58cc9475a88cd3cb |
| SHA256 | abd018da12e3cd706ab4873e614e5308e55ae33a1008b6ee88c448df6d4c86a4 |
| SHA512 | d04cf06adc507e9b79e1aeb2f8b9486f0667db56b802dbe0d1356e449480ef4a85119c7eaa3d2717b4d7ceab994b4c91efee0d6f43cfe9993f9bc1d7ac709072 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
| MD5 | e48f6f7499ee23a9381527c80857de00 |
| SHA1 | e96797398ab5865c9ceaee783492685a4b9f0b69 |
| SHA256 | 2fae3370ca95f88ea59bce7cba29eb19200f633814b7d31f7e4429aca2590c87 |
| SHA512 | e1e70c8ba94db7817ef808e9870ff8e7bb73eb80e2125c80c7356ac33d31e6e7e05d086e0437265ad403b9d72e340d66119d704dc754d85c5082bbf490edb087 |
C:\Users\Admin\AppData\Local\Temp\nsy351B.tmp\UserInfo.dll
| MD5 | 7579ade7ae1747a31960a228ce02e666 |
| SHA1 | 8ec8571a296737e819dcf86353a43fcf8ec63351 |
| SHA256 | 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5 |
| SHA512 | a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b |
C:\Users\Admin\AppData\Local\Temp\nsy351B.tmp\CabDLL.dll
| MD5 | 3b8cf4f6c883c7ca0c964ef2a96525aa |
| SHA1 | 7f0d1b89783056decea951fa7b25d3c4c354d0d3 |
| SHA256 | 58b29737613b3b916ae6d8ad12790da5cffcf0f354739abfa41bab60a80d40ea |
| SHA512 | 6474c7a8fb31c0e1cdbb4fbc5653a060961557565484ee2d26beb8be0e5d047790f8ff96710729bf5ee9eb00011beb98c370eb2ae01aa4ad0971f58910ebcd24 |
C:\Users\Admin\AppData\Local\Temp\nsy351B.tmp\inetc.dll
| MD5 | ef630cf1898c257df36b1037bd1e5392 |
| SHA1 | b2c47d9a741d2b5391387059552b37f2daddade2 |
| SHA256 | 41776a77b4e3bba1c3e70d10b9f560248148b8f2c45d39d4cd8683754112860f |
| SHA512 | 986b405d723294ff5b3649f899bc048c5693bd386dc3f489b390ccb1d56e8e65a9dbe6d0863d553525ce93d505a162eaa087faf4b4c5133345c3330d01327211 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbcore3.dll
| MD5 | f365dad6814d03d7cc9fbb596129c3f3 |
| SHA1 | 494340382954e76aa60245628e1e35239cec2efa |
| SHA256 | 0bd2aba554c60448af1facb8cc005134d006883db5a1aa179f446080f8e7b542 |
| SHA512 | 95c442a4d92974e63ee9959b8f1b3c58ee325510f6240e5443f7d33a859491198aa4b0bb38fd4197c0c8c316dabe9d39f7f2084804acb690b3ee4a94cb2f4bda |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\basis.xml
| MD5 | 7d4ff117ba468e62943651996bf4b76a |
| SHA1 | 17eb37cbc06ce71c5545a4983eb98e2916b85abe |
| SHA256 | 5fa97d4cc63aa8f560447fbe18dbf6c35b84014b4ba101a41605ccd449a1cb76 |
| SHA512 | 787af0d0e77da56848b709a9ba10413de3db503487efc8008dd202cbe8ab7e52e847292c99fa00a6c9b742590f4eabadbd1ebbdf027cafa40436966d5813bd08 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\demo_logo.bmp
| MD5 | 6e6ef6706a77076d3497fc4ab70fb87d |
| SHA1 | 0d683098713ee0df442b57fd33c48b96dc025f3b |
| SHA256 | a1bc64615a4555a3a43d94f13a71a158f6fb6549aa14fdba36ca623907b45438 |
| SHA512 | e778b1e8aa3a346f92d56b30ccef28564c298f4107f8ca969d148fa91af7181e6b3278f4cb55e92712c9405a4255ab2b75ffbc0a683ee9768cb6902e21f403c1 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\about.html
| MD5 | d67f20570f2bef999552e37aa86d53d3 |
| SHA1 | bd59e160023e5612d227a3ddc369805bff641666 |
| SHA256 | e3ebba3f9ca4caa5a9f5e3b821fd4d4884db5fa58f2a080fe36625a327948ed2 |
| SHA512 | 08d91508d8e35ab0570a506010ae6d238cc05e44d013ccc1c2d95dd74a47806b8ecbefd9e033007c8d647b31f2f7c1fe43fef038b0eb129676bd140b383c595c |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\error.html
| MD5 | 62360bdda99a8fbfc53ad1ed4f8a58da |
| SHA1 | 0c26c863088ada7dc1d8a142f0b8e03263787ac4 |
| SHA256 | 3e1ca16e30578ba66641151dafac162f46d2502fc777780b3c7b8ad6dfcd2961 |
| SHA512 | 0bde00cfd09ca02f400dcfc0ba202940bfbc2589c1f40aec504f96d4f3d83fce4a0e8b63597ff1e72b16be470e6c1dc3f6911c394f076db9dc043ba8dd4ac913 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\icons.bmp
| MD5 | 94fb20e3f0d75f1690801dee53d58fe2 |
| SHA1 | f118e4d8a47e6f45fda3ed99f44bcf67e9a0db0f |
| SHA256 | 221554718f7b15f50e0a6518245269f6993a555fc63679ec67ae44799966bab6 |
| SHA512 | a9a7087b2df0b8e9d6018fa3624148a386d0df0ab32a6fa3888b351ae6c5229d4482d3c5080025b229157fe57891dcba21c26b3f46808d8ddc85a66b66795c7b |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\info.txt
| MD5 | 27a3da5fd0259ebb0a264cc96d59a0a7 |
| SHA1 | 9ce43b28ee3c49358446eeb41fc5ebce3b8cbb82 |
| SHA256 | ac5c66127e7a76c3fd2c1443f28637762a5d74223f398cd9c7870a3f0110cf7b |
| SHA512 | 7cf10e7a9c48ec31dadceb06e91601fdb5b2c569cf4a7f2431f64be6d638eb5dfa0cca59bccc2cfc7d093cf27badff29c1b56530bc2843d504644a30d45e1ca1 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\options.html
| MD5 | 17e96ac1d05fdf7437aeff7534ecbf65 |
| SHA1 | 30b070fa99865b726978e92ef496464a5d3c3e9d |
| SHA256 | d13cb02752415056dd0277b634badcd31970f2651a6b59811a8f0c18f3afebcb |
| SHA512 | 3c9b426fa93406cf51b86e6e89d0402c492f8d5522ceee516e22ee65ffd0d0b55a8b2712030d2da828567db18888a81014bcbc934f453a9ef6aec850bd0a2d1f |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\uninstaller.exe
| MD5 | a84214d5259fe35cac798a7948b1eefa |
| SHA1 | 86573c569e0ac99a7eea533e8a9c37d129fa4d2c |
| SHA256 | 24d87f45282378deaa0af6b6ce0b3de6217c19f2bbfa829bdb78ade76d16e099 |
| SHA512 | 5f7620fd0a5636edb6cda3af1c12e3e6d195fd82ffc6fdf21189c056089eb933fe71e7c142529c8dd1ffed1c790e03382e2b33e148c4c48313ac18315a18a895 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\uninstall.exe
| MD5 | 5de82c78d4a9025b16286b76f7974a29 |
| SHA1 | 775e106cfc3933f369e60ddb3b930343db0deaff |
| SHA256 | 7f71641efb3048d552176f019a93a46bfbf11323cfcf29c07c8e5406b047c5fe |
| SHA512 | a2bd8d977ba032126209b094b81dc63d0b6b0fad535fca890ed6ec7c8bb29ccaaf9cbf095aaee7e81803f5042c55a07661a77f89bd6eb7be4ecde1ff84f6a33c |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe
| MD5 | 505d26efa3e1f41a0efb8d54a416d9ae |
| SHA1 | 4919d9a1b7dbff78aab3242659b807b6236190b7 |
| SHA256 | 7c32c3548f9a58ffee43155396c1d0a295481c080639b9ffe0c645f43040fa65 |
| SHA512 | be3a585b0918eb766878e66dcbf24403caf66077fbecfe7875b2647a754df49aff516ec89480be516395a7f9822150e2276cbafe491e6a14a7e3380c2410f9a9 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\your_logo.png
| MD5 | 4f85d6b204fe0eb75858031af68b62fd |
| SHA1 | 85a2e6a6ba242c0cbd6027b0bee00fe47f9ac390 |
| SHA256 | f1f6901c53d9bc846c65ff79486c93c82ecd832912104b76f0e0a049883e0b1e |
| SHA512 | d2be63b38b5012b1179d92c62327bdf703ee3b9762fdc98364ee35dd10a2c9dbb1120e83a36cd5ed8e7188708db70799dfff73d9030b5eba0761378955911e56 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\version.txt
| MD5 | b74eceb8cd0aa961e9ecb71fb2499de5 |
| SHA1 | 3d897b0e40482fd756959d8e97f7f2aa99373ce6 |
| SHA256 | b9c76f125b18336ad3fa36421f278daea9d380c42ff485cd94b0857720968817 |
| SHA512 | 721e3da544db766586e2d714d281c08ea9664e9faa270888e1b0d192305f14b9992becfd1d10e0a405c7941b686050a9badf0e000658f749adfeb27ee294df54 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\update.exe
| MD5 | a518a8472025160102877a8efafd0382 |
| SHA1 | fb26a02a418e757de8874b474687b67cc0a2d24f |
| SHA256 | 4fa6289e5a4c1ebf74e57b9105f46a9d492f6d1b84c89a005c3cd8d715005ba9 |
| SHA512 | d2b1a88529e4243cd71c0d516cf175482f37dca84309d5dffc8725f8c271b63a14b249be3cce946ded4475a067f72755ef01e5b3ea12bb0b8b09d014a5bd0d56 |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbhelper.dll
| MD5 | 9e581e562d7199bd632bda0a5c06981e |
| SHA1 | cabec8c7278932e4081d6eb921edbda94c27a7bb |
| SHA256 | 083edf3272c24fef6e0fbf7fde2a8e3dc040d8bdc142c1c28dab93f2f9c4eceb |
| SHA512 | c81a314a01af97316751f546dd1dad6ecf8c1a684e340a322ecf37be118d44996815ef0cd4019dd3725bb5ff85f4ca95f337d04aefda987ef82ed8bbfeb3ca1a |
memory/1952-131-0x0000000002820000-0x0000000002874000-memory.dmp
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\google_toolbar.dll
| MD5 | a38c85c4155a7600e83286a00f42e213 |
| SHA1 | ed66950dcf0267c474db1728862729c4060ca35f |
| SHA256 | a2e491a3a360daaff17016fac439ee2f5c96297b02f24430bda69c3411c52360 |
| SHA512 | a8fcbb63910153851c47e474e5600e1aaaca68564e8edec8c97139c03e71b70c53f10efc7bae2528643222f098212473f2394bc64c04ca859d2dc9f696b577df |
C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbCommonUtils.dll
| MD5 | 664053fdc85a172d34846adefa5d876f |
| SHA1 | 43dcd734f59aa4f49cd6143ac620b696ba2b9e56 |
| SHA256 | 796802332734a00c3e2f372df277b98aa3c8cf04b2235be05971057e2dc8eb0f |
| SHA512 | f83691a4f30b3bef1e8f6552cd8e6ce93b351ff1590dddb4768839c493bca415a8a5cc83c5a723890965fe520fc24667c28fc674ff4f433b004cce97b29717b2 |
memory/1952-140-0x0000000003080000-0x00000000030D4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e0811105475d528ab174dfdb69f935f3 |
| SHA1 | dd9689f0f70a07b4e6fb29607e42d2d5faf1f516 |
| SHA256 | c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c |
| SHA512 | 8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852 |
\??\pipe\LOCAL\crashpad_1676_XRYSLUBZBNMUCEPL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 618237a65b3513678b5bd4cff87631d3 |
| SHA1 | dc2f50281ca82c9a43a56f8632ad7d996ef4c159 |
| SHA256 | 36e0147d234dc01bbf027107507a23f1d6c185e524bcdc2b865c3b0fa8b6589d |
| SHA512 | 625991ebd821884094f19a507092c9ec323a315d2a7ac47471b61156012dd03bca0706f9f4772e36d9ed994def033e7f65fe35c9c9b53f3adb1a94a2e320ff92 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUFWLFGT\favicon-trans-bg-blue-mg[1].ico
| MD5 | 30967b1b52cb6df18a8af8fcc04f83c9 |
| SHA1 | aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588 |
| SHA256 | 439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e |
| SHA512 | 7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IGS2C121\pXVzgohStRjQefcwyp3z6bhIArA.gz[1].js
| MD5 | 47442e8d5838baaa640a856f98e40dc6 |
| SHA1 | 54c60cad77926723975b92d09fe79d7beff58d99 |
| SHA256 | 15ed1579bccf1571a7d8b888226e9fe455aca5628684419d1a18f7cda68af89e |
| SHA512 | 87c849283248baf779faab7bde1077a39274da88bea3a6f8e1513cb8dcd24a8c465bf431aee9d655b4e4802e62564d020f0bb1271fb331074d2ec62fc8d08f63 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUFWLFGT\NRudXMsXYtnM1BQyD6xvAZoudZM.gz[1].js
| MD5 | 2ab12bf4a9e00a1f96849ebb31e03d48 |
| SHA1 | 7214619173c4ec069be1ff00dd61092fd2981af0 |
| SHA256 | f8b5acf4da28e0617f1c81093192d044bd5a6cc2a2e0c77677f859adcf3430ac |
| SHA512 | 7d5aae775be1e482eada1f453bea2c52a62c552fa94949e6a6081f322e679e916b1276bb59ff28cf7c86d21727bcc329ecb03e5d77ca93204e0cd2694faa72bd |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HT2TD2G4\v1[1].xml
| MD5 | 25a40f949855471562a1a9e465cfed7c |
| SHA1 | c3a563c56fb8323e6c2ee7fa417c45d8384a4156 |
| SHA256 | 075f1f4ec57dcfdbb2f1b60ffbf9efe0286216c43d0a65f82eae86af66b36127 |
| SHA512 | e5b4ed8df62488e7bb9ccb77f1daac251f65cd3251257ab94094df1316fa50a96901b32e7e76e47a4616d763ae54d7134f5d29f030ee7d2399bbe728498fedd4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ea25a61c2fde5380aed50068f1af1ead |
| SHA1 | 8ab3e1232d13005da1f3f0c062fa5678bec3902f |
| SHA256 | 17569e549c8ac0c12f3bcf4ab524e81ce1874772a657bdae7a170ded020850c6 |
| SHA512 | 166074bacf7a2a3fe4f31814c8ced032a640fb723e8ec7685e386b81251a96a09094710e2b2a774ec19086e05a84c92047ff80d6cd608c9f4231abbcd7a2f5c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 73c94e1d9d219899762e456fd02cc77f |
| SHA1 | 8e8fff912c9e2c6f17e5630a54295aca4a07ffda |
| SHA256 | aedb95eb05dd70658f6dab1833d0f2b1e5a5a4bdc1b3d343a80e7b3191fa17f0 |
| SHA512 | 387cd50263e2cd49f35150d85275690b5fd3e44e88db8bd56db9514b5dc80eb1649965c3fcde3fa931dfd243cdbfacda544d86df3ccb7ca23983266624fbaae3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2760a3b8577b4d3926a516965cfb3c1b |
| SHA1 | 446b1e26553861557ef9afb3b98a4d73fa4454a7 |
| SHA256 | 8a37830f702ddab0f9206d8cc6971a091622c2415b46024453690af7f238c9f7 |
| SHA512 | ea2572a2b187e49e7bf1326696c286310f42f3b6d1becd05aee6b2e401e6f684e703c87d5c7c1dc2f70b36df639814946d5ee9d4819bda7cfe1b92699f5adf15 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC7D4.tmp
| MD5 | 1a545d0052b581fbb2ab4c52133846bc |
| SHA1 | 62f3266a9b9925cd6d98658b92adec673cbe3dd3 |
| SHA256 | 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1 |
| SHA512 | bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d |
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PL0BY74L\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |