Malware Analysis Report

2025-01-18 21:30

Sample ID: 240321-zqrlyaca3t
Target: dc97cc32556cfc04dbd9abbe898326d2
SHA256: 1a72fc29464f36513bae08e9bc4076d7485ddbd6d06b93be1139ba95aeb11d4c
Tags: adware discovery persistence spyware stealer upx
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 1a72fc29464f36513bae08e9bc4076d7485ddbd6d06b93be1139ba95aeb11d4c

Threat Level: Shows suspicious behavior

The file dc97cc32556cfc04dbd9abbe898326d2 was found to show suspicious behavior.

Malicious Activity Summary

Tags: adware discovery persistence spyware stealer upx

Reads user/profile data of web browsers

UPX packed file

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks installed software on the system

Installs/modifies Browser Helper Object

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

NSIS installer

Suspicious behavior: EnumeratesProcesses

Modifies registry class

Suspicious use of FindShellTrayWindow

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Enumerates system info in registry

Kills process with taskkill

Modifies Internet Explorer start page

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-21 20:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-21 20:55

Reported: 2024-03-21 20:58

Platform: win7-20240220-en

Max time kernel: 122s

Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
N/A N/A C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ = "TBSB01315" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\inst.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbcore3.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\about.html C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\basis.xml C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\info.txt C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\your_logo.png C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File created C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\uninstaller.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\icons.bmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\options.html C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbcore3.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\version.txt C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\google_toolbar.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbCommonUtils.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbhelper.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\update.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\demo_logo.bmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\error.html C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\uninstall.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\basis C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\UpdateAutomatically = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\Height = "22" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\userid = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\KeepHistory = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}\AppName = "TbHelper2.exe" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\MAO Settings C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\ C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{645E4FA1-E7C5-11EE-82B1-CE167E742B8D} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\AutoComplete = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\ShowFindButtons = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\AutoWild C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\blockPopups = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\ShowFindButtons = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\needSetHomepage = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001002d00000001000000000700005e010000060000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a4c0b64490ce3c7e6b05a66c402f2b2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\KeepHistory = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\RTL = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\toolbar_version = "undefined" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\UpdateAutomatically = "2" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\rtime = "1711054547" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\version = "undefined" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\LastQAScriptCheckTime = "1711054550" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000abb8596cc50c0546bfda6658dcffc23300000000020000000000106600000001000020000000be4751f28190ed81a1b7b5f4d6ea105d3fcfcd67f26e84d10369f295f1b1ebac000000000e800000000200002000000029e20324abe3ed6c3c18160ea41e5d456389dacb501b77c989d8bffa8d9920c620000000a913d67bf6397b4c6e8ee1a71c31645f257a3187c0b125addbe4805a2da2267040000000667e75212055725c00275f6765c949248e53ab02ce6adb8ff0c198eb68fd957652a8ec3bf00c1591b0744d25c5ea59b4402c53b323338b3dcebd9495c32e047d C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001001600000001000000000700005e010000060000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a4c0b64490ce3c7e6b05a66c402f2b2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\CountOS = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\SendReports = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} = 00 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\Height = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\ShowHighlightButton = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\firstTime = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\History\tb_cmb_SVCgVyWG C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\DeskbarMode = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000000700005e010000060000000903000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a4c0b64490ce3c7e6b05a66c402f2b2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\RunSearchAutomatically = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\tb_items C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\SiteAllow C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\TBSB01315\Toolbar\RunSearchAutomatically = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\MAIN\Start Page = "http://www.google.fr/" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.fr/" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\ProxyStubClsid32 C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ComObject.DeskbarEnabler\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.ContextMenuNotifier.1\ = "ContextMenuNotifier Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57CADC46-58FF-4105-B733-5A9F3FC9783C}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5} C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.TBSB01315\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\Programmable C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\Software\Microsoft C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Google Toolbar\\tbunsi142E.tmp" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper.1 C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29} C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315\CLSID\ = "{FCBCCB87-9224-4B8D-B117-F56D924BEB18}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}\VersionIndependentProgID\ = "Toolbar3.SearchProviderManager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}\ = "IBubble" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE338F6D-5A7C-4D1D-86E3-C618532079B5}\ProgID C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbPropertyManager\ = "TbPropertyManager Class" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.SearchProviderManager C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\URLSearchHook.ToolbarURLSearchHook C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}\InprocServer32\ = "C:\\Program Files (x86)\\Google Toolbar\\tbunsi142E.tmp\\tbcore3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib\ = "{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.TBSB01315 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ = "ICustomInternetSecurityImpl" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Software\Microsoft\Internet Explorer\Main\ C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.SearchProviderManager.1\CLSID\ = "{D433A9D0-8267-40CB-8AD5-24F22FA5373F}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\TypeLib\ = "{C4BAE205-5E02-4E32-876E-F34B4E2D000C}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper\CLSID\ = "{AE338F6D-5A7C-4D1D-86E3-C618532079B5}" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbDownloadManager\CLSID C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbDownloadManager\CLSID\ = "{D89031C2-10DA-4C90-9A62-FCED012BC46B}" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\ProxyStubClsid32 C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315.1\CLSID\ = "{FCBCCB87-9224-4B8D-B117-F56D924BEB18}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315\CurVer\ = "Toolbar3.TBSB01315.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D433A9D0-8267-40CB-8AD5-24F22FA5373F}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}\ = "IContextMenuNotifier" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}\ = "IDocHandlerCallback" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.TBSB01315.3\ = "Google Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.IEToolbar\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbPropertyManager.1\ = "TbPropertyManager Class" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 2240 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
PID 2240 wrote to memory of 2508 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 2508 wrote to memory of 2716 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2508 wrote to memory of 2644 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 2508 wrote to memory of 2572 (7 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2728 wrote to memory of 2400 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
PID 2400 wrote to memory of 2444 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 2400 wrote to memory of 2036 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 2400 wrote to memory of 2200 (7 events) N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\regsvr32.exe
PID 2200 wrote to memory of 1944 (1 event) N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe

"C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\121A.tmp\certificat.bat" "

C:\Windows\SysWOW64\findstr.exe

FINDSTR /C:Path profiles.ini

C:\Windows\SysWOW64\findstr.exe

FINDSTR /C:.defau profiles.ini

C:\Windows\SysWOW64\reg.exe

reg import c:\proxy\Proxy.reg

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM rssclient.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM tbhelper2.exe

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbcore3.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbCommonUtils.dll"

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe

"C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe" -RegServer

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe

"C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe" -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1316 CREDAT:275457 /prefetch:2
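The process list above, read together with the WriteProcessMemory table, is the whole attack chain of this sample: the dropper extracts into %TEMP%\IXP000.TMP (an IExpress extraction directory), CERTIF~1.EXE runs a batch file that greps Firefox's profiles.ini for the profile path and imports c:\proxy\Proxy.reg, and photo.exe kills the old toolbar helper before silently registering the toolbar DLLs with regsvr32. The script below is an added example, not sandbox output: it transcribes those command lines and PID links as constructed input and runs a small set of rules over them, printing the parent chain for every hit. The rule names and regexes are this example's own, and one PID assignment is an assumption noted in the code.

```python
"""Rule pass over the behavioral1 process tree of this report (added example)."""
import re
from collections import defaultdict
from typing import Optional

# (pid, ppid, command line), transcribed from the Processes and
# WriteProcessMemory tables. None: the report gives no PID for that process.
# Assumption: the second regsvr32 line is PID 1944, the regsvr32 that PID 2200
# wrote to; the report links the PIDs but does not say which line 1944 ran.
PROCS = [
    (2728, None, r'"C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe"'),
    (2240, 2728, r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE'),
    (2508, 2240, r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\121A.tmp\certificat.bat" "'),
    (2716, 2508, r'FINDSTR /C:Path profiles.ini'),
    (2644, 2508, r'FINDSTR /C:.defau profiles.ini'),
    (2572, 2508, r'reg import c:\proxy\Proxy.reg'),
    (2400, 2728, r'C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe'),
    (2444, 2400, r'"C:\Windows\system32\taskkill.exe" /F /IM rssclient.exe'),
    (2036, 2400, r'"C:\Windows\system32\taskkill.exe" /F /IM tbhelper2.exe'),
    (2200, 2400, r'C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbcore3.dll"'),
    (1944, 2200, r'regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbCommonUtils.dll"'),
    (None, None, r'"C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe" -RegServer'),
    (None, None, r'"C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe" -Embedding'),
    (None, None, r'"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/'),
]

# Rule name -> regex on the command line. Names are this example's own.
RULES = {
    # profiles.ini is Firefox's profile index; grepping it locates the profile
    # directory ("Reads user/profile data of web browsers").
    "browser_profile_discovery": re.compile(r"profiles\.ini", re.I),
    # Bulk registry import from a non-standard path (here c:\proxy\Proxy.reg).
    "reg_import": re.compile(r"\breg(?:\.exe)?\s+import\b", re.I),
    # Forced termination by image name ("Kills process with taskkill").
    "taskkill_force": re.compile(r'taskkill(?:\.exe)?"?\s+/F\s+/IM\b', re.I),
    # Silent COM registration of a DLL: how the BHO/toolbar gets installed.
    "regsvr32_silent": re.compile(r'regsvr32(?:\.exe)?\s+/s\s+"[^"]+\.dll"', re.I),
    # An EXE self-registering its COM classes.
    "com_regserver": re.compile(r"\s-RegServer\b", re.I),
    # Executable launched out of an IExpress extraction dir: a dropped payload.
    "dropped_exe_iexpress": re.compile(r'\\IXP\d{3}\.TMP\\[^\s"]+\.exe', re.I),
}


def image_name(cmdline: str) -> str:
    """Basename of the first token (quoted or bare), lower-cased."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    path = m.group(1) or m.group(2)
    return path.rsplit("\\", 1)[-1].lower()


def detect(procs=PROCS) -> dict:
    """Rule name -> list of matching PIDs (None where the report gives none)."""
    hits = defaultdict(list)
    for pid, _ppid, cmd in procs:
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits[name].append(pid)
    return dict(hits)


def chain(pid: int, procs=PROCS) -> str:
    """Ancestry of a PID as 'root > ... > leaf' image names."""
    by_pid = {p: (pp, c) for p, pp, c in procs if p is not None}
    names = []
    cur: Optional[int] = pid
    while cur is not None:
        ppid, cmd = by_pid[cur]
        names.append(image_name(cmd))
        cur = ppid
    return " > ".join(reversed(names))


if __name__ == "__main__":
    for rule, pids in detect().items():
        print(f"{rule:26s} {pids}")
        for p in pids:
            if p is not None:
                print(f"    {chain(p)}")
```

Run stand-alone it prints each rule with its PIDs and, for every PID the report names, the full parent chain back to the dropper (for example findstr.exe resolves to dc97cc32556cfc04dbd9abbe898326d2.exe > certif~1.exe > cmd > findstr). The same regexes carry over to Sysmon Event ID 1 or EDR command-line telemetry; the chain is what separates this from a legitimate toolbar installer, since regsvr32 /s and taskkill /F are common on their own but rarely descend from an executable in IXP000.TMP.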

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.icservic.com udp
FR 5.196.160.143:80 www.icservic.com tcp
FR 5.196.160.188:8181 icservic.com tcp
US 8.8.8.8:53 www.google.fr udp
US 8.8.8.8:53 www.google.com udp
FR 5.196.160.143:80 www.icservic.com tcp
NL 142.250.179.196:80 www.google.com tcp
NL 142.250.179.196:80 www.google.com tcp
FR 5.196.160.188:8181 www.icservic.com tcp
NL 142.250.179.196:443 www.google.com tcp
GB 92.123.128.142:80 www.bing.com tcp
GB 92.123.128.142:80 www.bing.com tcp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 th.bing.com udp
US 8.8.8.8:53 r.bing.com udp
US 8.8.8.8:53 softomate.net udp
RU 109.202.21.168:80 softomate.net tcp
RU 109.202.21.168:80 softomate.net tcp
GB 92.123.128.142:80 th.bing.com tcp
GB 92.123.128.142:80 th.bing.com tcp
GB 92.123.128.142:80 th.bing.com tcp
GB 92.123.128.142:80 th.bing.com tcp
GB 92.123.128.142:80 th.bing.com tcp
GB 92.123.128.142:80 th.bing.com tcp
GB 92.123.128.150:443 r.bing.com tcp
GB 92.123.128.150:443 r.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
IE 20.190.159.71:443 login.microsoftonline.com tcp
IE 20.190.159.71:443 login.microsoftonline.com tcp
US 8.8.8.8:53 a4.bing.com udp
GB 92.123.128.142:80 th.bing.com tcp
GB 184.28.198.218:80 a4.bing.com tcp
GB 184.28.198.218:80 a4.bing.com tcp
GB 92.123.128.142:80 th.bing.com tcp
GB 92.123.128.142:443 th.bing.com tcp
GB 92.123.128.142:443 th.bing.com tcp
GB 92.123.128.150:443 r.bing.com tcp
GB 92.123.128.150:443 r.bing.com tcp
GB 92.123.128.150:443 r.bing.com tcp
GB 92.123.128.150:443 r.bing.com tcp
RU 109.202.21.168:80 softomate.net tcp
RU 109.202.21.168:80 softomate.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
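Most rows in the Network table are the iexplore.exe session talking to Google, Bing and Microsoft, repeated once per connection; the sample's own endpoints are buried among them. The script below is an added triage pass, not part of the sandbox report: it parses a constructed subset of the rows above, folds repeated connections into unique (ip, port, proto) endpoints per domain, treats the 8.8.8.8:53 rows as name resolution rather than contact, and flags what is left. The allow-list of browser/OS background domains, the set of standard ports and the resolver address are this example's own assumptions.

```python
"""Fold the behavioral1 Network table into per-domain endpoints and flag outliers."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: a subset of the Network table rows, copied verbatim.
NETWORK_TABLE = """\
US 8.8.8.8:53 www.icservic.com udp
FR 5.196.160.143:80 www.icservic.com tcp
FR 5.196.160.188:8181 icservic.com tcp
US 8.8.8.8:53 www.google.com udp
FR 5.196.160.143:80 www.icservic.com tcp
NL 142.250.179.196:80 www.google.com tcp
FR 5.196.160.188:8181 www.icservic.com tcp
NL 142.250.179.196:443 www.google.com tcp
GB 92.123.128.142:80 www.bing.com tcp
US 8.8.8.8:53 softomate.net udp
RU 109.202.21.168:80 softomate.net tcp
RU 109.202.21.168:80 softomate.net tcp
IE 20.190.159.71:443 login.microsoftonline.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Assumptions of this example, not facts from the report.
ALLOW_SUFFIXES = ("google.com", "google.fr", "bing.com", "microsoft.com", "microsoftonline.com")
STANDARD_PORTS = {53, 80, 443}
RESOLVERS = {"8.8.8.8"}

ROW = re.compile(r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$")


@dataclass(frozen=True)
class Flow:
    cc: str
    ip: str
    port: int
    domain: str
    proto: str


def parse(table: str) -> list:
    """One Flow per 'Country Destination Domain Proto' row; malformed rows are skipped."""
    flows = []
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if m:
            flows.append(Flow(m["cc"], m["ip"], int(m["port"]), m["domain"], m["proto"]))
    return flows


def allowed(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in ALLOW_SUFFIXES)


def triage(flows: list) -> dict:
    """domain -> {endpoints, countries, flows, reasons}; empty reasons = not flagged."""
    by_domain = defaultdict(lambda: {"endpoints": set(), "countries": set(), "flows": 0, "reasons": []})
    for f in flows:
        d = by_domain[f.domain]
        d["flows"] += 1
        if f.ip in RESOLVERS and f.port == 53:
            continue  # a lookup, not a contact with the sample's infrastructure
        d["endpoints"].add((f.ip, f.port, f.proto))
        d["countries"].add(f.cc)
    for domain, d in by_domain.items():
        if not allowed(domain):
            d["reasons"].append("not on allow-list")
        odd = sorted({p for _, p, _ in d["endpoints"] if p not in STANDARD_PORTS})
        if odd:
            d["reasons"].append(f"non-standard port(s) {odd}")
        if not d["endpoints"]:
            d["reasons"].append("resolved but never contacted")
    return dict(by_domain)


def iocs(report: dict) -> list:
    """(domain, sorted ip:port list, reasons) for every flagged domain."""
    return [
        (domain, sorted(f"{ip}:{port}" for ip, port, _ in d["endpoints"]), d["reasons"])
        for domain, d in sorted(report.items())
        if d["reasons"]
    ]


if __name__ == "__main__":
    for domain, endpoints, reasons in iocs(triage(parse(NETWORK_TABLE))):
        print(f"{domain:24s} {', '.join(endpoints):40s} {'; '.join(reasons)}")
```

On this subset the allow-listed Google, Bing and Microsoft domains drop out and three domains remain: icservic.com and www.icservic.com (5.196.160.143:80 and 5.196.160.188:8181, the only non-standard port in the whole table) and softomate.net (109.202.21.168:80). Those are the entries worth pivoting on; the flow count per domain is kept so a repeated beacon is visible even after de-duplication.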

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE

MD5 a0fe1191d60d3459d84262f5e3613e6a
SHA1 278b47dc1480ada26c546b4e74388857fa8a8106
SHA256 ca98b7510a17e287b111276e58ccf36d4f5df44c253dbe84d402539e9d91a982
SHA512 584925d6eb712a1c5657a69249482d9823f7d51a6794539c2423fc709449aad647236dd9d775f6a75b19427ca6e3d7546e5d5430d57a6a473fd2a04d5aa2b4d3

memory/2728-10-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2240-14-0x0000000000400000-0x0000000000410000-memory.dmp

memory/2728-15-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\121A.tmp\certificat.bat

MD5 36f5ab7eaa9af08b0d6befa8a8421f11
SHA1 386b2100018d24adff21e1c0191b9b8d4e6d49c4
SHA256 51e7c7f87241543bd92d43a566acc65e85932e1f597c7fafd0bc62a89347390d
SHA512 fd61eb0168d27b5a03236ee206eb423b4ec73a9f212d89b9155f1f261769fefdaffeef4ed7c76edfa79ec81c3e2ce72efe7b53d1f2914428d98041791be1152e

\??\c:\proxy\Proxy.reg

MD5 a3fb50e0b4733b1a37b23f42c1c16d70
SHA1 5f513f61c4f9c05bfc8fc266435ea11f9bf32ec0
SHA256 f9233f4e19b87b8256bcccac5d4ab96048e5b74595657cdb129fb83bfb39a2b1
SHA512 d5d29bfc873b55a27963b61da45d93b321ae3aff104ad877680f7fc81721d5f760cdf357065591be702529ebbc3d5d49ff16c8a5499ae97223fc2093dfbb444b

memory/2240-45-0x0000000000400000-0x0000000000410000-memory.dmp

\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe

MD5 36e857db113b3af9e8b47f27a72b1c81
SHA1 da4d44bfcbf8831cc352461baaf5bd2aa367c2c4
SHA256 b5425cf0a94bcf30b95a17b4e5a1f53bd6d79f53dc813713dc81684ed1809604
SHA512 fccbce5b84cebac3317c891deb21361bd7940bd4ed2bc1fe866c1444df769504cd88d52b10d32942809ef9cda970831f4a23d05910b81c37fc302bd9cc4d7d70

\Users\Admin\AppData\Local\Temp\nso13FF.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

\Users\Admin\AppData\Local\Temp\nso13FF.tmp\CabDLL.dll

MD5 3b8cf4f6c883c7ca0c964ef2a96525aa
SHA1 7f0d1b89783056decea951fa7b25d3c4c354d0d3
SHA256 58b29737613b3b916ae6d8ad12790da5cffcf0f354739abfa41bab60a80d40ea
SHA512 6474c7a8fb31c0e1cdbb4fbc5653a060961557565484ee2d26beb8be0e5d047790f8ff96710729bf5ee9eb00011beb98c370eb2ae01aa4ad0971f58910ebcd24

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\uninstaller.exe

MD5 a84214d5259fe35cac798a7948b1eefa
SHA1 86573c569e0ac99a7eea533e8a9c37d129fa4d2c
SHA256 24d87f45282378deaa0af6b6ce0b3de6217c19f2bbfa829bdb78ade76d16e099
SHA512 5f7620fd0a5636edb6cda3af1c12e3e6d195fd82ffc6fdf21189c056089eb933fe71e7c142529c8dd1ffed1c790e03382e2b33e148c4c48313ac18315a18a895

\Users\Admin\AppData\Local\Temp\nso13FF.tmp\inetc.dll

MD5 ef630cf1898c257df36b1037bd1e5392
SHA1 b2c47d9a741d2b5391387059552b37f2daddade2
SHA256 41776a77b4e3bba1c3e70d10b9f560248148b8f2c45d39d4cd8683754112860f
SHA512 986b405d723294ff5b3649f899bc048c5693bd386dc3f489b390ccb1d56e8e65a9dbe6d0863d553525ce93d505a162eaa087faf4b4c5133345c3330d01327211

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbcore3.dll

MD5 f365dad6814d03d7cc9fbb596129c3f3
SHA1 494340382954e76aa60245628e1e35239cec2efa
SHA256 0bd2aba554c60448af1facb8cc005134d006883db5a1aa179f446080f8e7b542
SHA512 95c442a4d92974e63ee9959b8f1b3c58ee325510f6240e5443f7d33a859491198aa4b0bb38fd4197c0c8c316dabe9d39f7f2084804acb690b3ee4a94cb2f4bda

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\about.html

MD5 d67f20570f2bef999552e37aa86d53d3
SHA1 bd59e160023e5612d227a3ddc369805bff641666
SHA256 e3ebba3f9ca4caa5a9f5e3b821fd4d4884db5fa58f2a080fe36625a327948ed2
SHA512 08d91508d8e35ab0570a506010ae6d238cc05e44d013ccc1c2d95dd74a47806b8ecbefd9e033007c8d647b31f2f7c1fe43fef038b0eb129676bd140b383c595c

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\basis.xml

MD5 7d4ff117ba468e62943651996bf4b76a
SHA1 17eb37cbc06ce71c5545a4983eb98e2916b85abe
SHA256 5fa97d4cc63aa8f560447fbe18dbf6c35b84014b4ba101a41605ccd449a1cb76
SHA512 787af0d0e77da56848b709a9ba10413de3db503487efc8008dd202cbe8ab7e52e847292c99fa00a6c9b742590f4eabadbd1ebbdf027cafa40436966d5813bd08

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\demo_logo.bmp

MD5 6e6ef6706a77076d3497fc4ab70fb87d
SHA1 0d683098713ee0df442b57fd33c48b96dc025f3b
SHA256 a1bc64615a4555a3a43d94f13a71a158f6fb6549aa14fdba36ca623907b45438
SHA512 e778b1e8aa3a346f92d56b30ccef28564c298f4107f8ca969d148fa91af7181e6b3278f4cb55e92712c9405a4255ab2b75ffbc0a683ee9768cb6902e21f403c1

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\error.html

MD5 62360bdda99a8fbfc53ad1ed4f8a58da
SHA1 0c26c863088ada7dc1d8a142f0b8e03263787ac4
SHA256 3e1ca16e30578ba66641151dafac162f46d2502fc777780b3c7b8ad6dfcd2961
SHA512 0bde00cfd09ca02f400dcfc0ba202940bfbc2589c1f40aec504f96d4f3d83fce4a0e8b63597ff1e72b16be470e6c1dc3f6911c394f076db9dc043ba8dd4ac913

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\icons.bmp

MD5 94fb20e3f0d75f1690801dee53d58fe2
SHA1 f118e4d8a47e6f45fda3ed99f44bcf67e9a0db0f
SHA256 221554718f7b15f50e0a6518245269f6993a555fc63679ec67ae44799966bab6
SHA512 a9a7087b2df0b8e9d6018fa3624148a386d0df0ab32a6fa3888b351ae6c5229d4482d3c5080025b229157fe57891dcba21c26b3f46808d8ddc85a66b66795c7b

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\info.txt

MD5 27a3da5fd0259ebb0a264cc96d59a0a7
SHA1 9ce43b28ee3c49358446eeb41fc5ebce3b8cbb82
SHA256 ac5c66127e7a76c3fd2c1443f28637762a5d74223f398cd9c7870a3f0110cf7b
SHA512 7cf10e7a9c48ec31dadceb06e91601fdb5b2c569cf4a7f2431f64be6d638eb5dfa0cca59bccc2cfc7d093cf27badff29c1b56530bc2843d504644a30d45e1ca1

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\options.html

MD5 17e96ac1d05fdf7437aeff7534ecbf65
SHA1 30b070fa99865b726978e92ef496464a5d3c3e9d
SHA256 d13cb02752415056dd0277b634badcd31970f2651a6b59811a8f0c18f3afebcb
SHA512 3c9b426fa93406cf51b86e6e89d0402c492f8d5522ceee516e22ee65ffd0d0b55a8b2712030d2da828567db18888a81014bcbc934f453a9ef6aec850bd0a2d1f

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbHelper2.exe

MD5 505d26efa3e1f41a0efb8d54a416d9ae
SHA1 4919d9a1b7dbff78aab3242659b807b6236190b7
SHA256 7c32c3548f9a58ffee43155396c1d0a295481c080639b9ffe0c645f43040fa65
SHA512 be3a585b0918eb766878e66dcbf24403caf66077fbecfe7875b2647a754df49aff516ec89480be516395a7f9822150e2276cbafe491e6a14a7e3380c2410f9a9

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\uninstall.exe

MD5 5de82c78d4a9025b16286b76f7974a29
SHA1 775e106cfc3933f369e60ddb3b930343db0deaff
SHA256 7f71641efb3048d552176f019a93a46bfbf11323cfcf29c07c8e5406b047c5fe
SHA512 a2bd8d977ba032126209b094b81dc63d0b6b0fad535fca890ed6ec7c8bb29ccaaf9cbf095aaee7e81803f5042c55a07661a77f89bd6eb7be4ecde1ff84f6a33c

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\update.exe

MD5 a518a8472025160102877a8efafd0382
SHA1 fb26a02a418e757de8874b474687b67cc0a2d24f
SHA256 4fa6289e5a4c1ebf74e57b9105f46a9d492f6d1b84c89a005c3cd8d715005ba9
SHA512 d2b1a88529e4243cd71c0d516cf175482f37dca84309d5dffc8725f8c271b63a14b249be3cce946ded4475a067f72755ef01e5b3ea12bb0b8b09d014a5bd0d56

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\version.txt

MD5 b74eceb8cd0aa961e9ecb71fb2499de5
SHA1 3d897b0e40482fd756959d8e97f7f2aa99373ce6
SHA256 b9c76f125b18336ad3fa36421f278daea9d380c42ff485cd94b0857720968817
SHA512 721e3da544db766586e2d714d281c08ea9664e9faa270888e1b0d192305f14b9992becfd1d10e0a405c7941b686050a9badf0e000658f749adfeb27ee294df54

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\your_logo.png

MD5 4f85d6b204fe0eb75858031af68b62fd
SHA1 85a2e6a6ba242c0cbd6027b0bee00fe47f9ac390
SHA256 f1f6901c53d9bc846c65ff79486c93c82ecd832912104b76f0e0a049883e0b1e
SHA512 d2be63b38b5012b1179d92c62327bdf703ee3b9762fdc98364ee35dd10a2c9dbb1120e83a36cd5ed8e7188708db70799dfff73d9030b5eba0761378955911e56

memory/2200-158-0x00000000007F0000-0x0000000000844000-memory.dmp

\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\tbhelper.dll

MD5 9e581e562d7199bd632bda0a5c06981e
SHA1 cabec8c7278932e4081d6eb921edbda94c27a7bb
SHA256 083edf3272c24fef6e0fbf7fde2a8e3dc040d8bdc142c1c28dab93f2f9c4eceb
SHA512 c81a314a01af97316751f546dd1dad6ecf8c1a684e340a322ecf37be118d44996815ef0cd4019dd3725bb5ff85f4ca95f337d04aefda987ef82ed8bbfeb3ca1a

\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\google_toolbar.dll

MD5 a38c85c4155a7600e83286a00f42e213
SHA1 ed66950dcf0267c474db1728862729c4060ca35f
SHA256 a2e491a3a360daaff17016fac439ee2f5c96297b02f24430bda69c3411c52360
SHA512 a8fcbb63910153851c47e474e5600e1aaaca68564e8edec8c97139c03e71b70c53f10efc7bae2528643222f098212473f2394bc64c04ca859d2dc9f696b577df

C:\Program Files (x86)\Google Toolbar\tbunsi142E.tmp\TbCommonUtils.dll

MD5 664053fdc85a172d34846adefa5d876f
SHA1 43dcd734f59aa4f49cd6143ac620b696ba2b9e56
SHA256 796802332734a00c3e2f372df277b98aa3c8cf04b2235be05971057e2dc8eb0f
SHA512 f83691a4f30b3bef1e8f6552cd8e6ce93b351ff1590dddb4768839c493bca415a8a5cc83c5a723890965fe520fc24667c28fc674ff4f433b004cce97b29717b2

memory/2200-166-0x0000000002310000-0x0000000002364000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\proxy[1].htm

MD5 592fa76dcb02a73ca2912fa7d6559de3
SHA1 6e0a131587618d2bb0f16079c2b25f1ff6cc5669
SHA256 96d6e6b1d5dcfb7679e0361dfb8dcc9f2545d3dd13b78e508b516751dcc2413c
SHA512 c93e2c7d23cb7f42ff4e2b40d2de4d87e00c528e119deabaa7930c0941d1c92bfad6d88e354303b4cf98c5d66b8baaade8e5c3642e5cf74409b504bb55b0738c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RYNL6UIN\favicon-trans-bg-blue-mg[1].ico

MD5 30967b1b52cb6df18a8af8fcc04f83c9
SHA1 aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588
SHA256 439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e
SHA512 7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

C:\Users\Admin\AppData\Local\Temp\Cab3C76.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Cab3D72.tmp

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar3DE4.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82532f9f269bec6d7298982ba411b8ab
SHA1 1171233a57201beb1f8e3127cf15c7b97f37652d
SHA256 dd227f1dcbe08f1544e92ff7894076b7689fd0c9b29273b5c922cba1747d9774
SHA512 08a686e4410bfb3322754743ffb8914a587df274dcc9c3e08d5719e345ec3dae7518efbaca619b30e602cbbce83fc2a5957aca32be86b73bcf22e053a56d68b2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4ed96416335bff0f012f7a536ac0a18d
SHA1 57421403fe7e24a7d1cc62c9ea1b4d5c06c22f93
SHA256 46be88ab7e074556efa1e34bd013be36047c05107d8ffa64723bb75ba166cc07
SHA512 5245e47dafff5fc9c8a088580da7a3ad5882dfc45d5195071c5ab8a6cdf2436205d27835991eb3a2ec37ce542d7c27d62e945cec589a093b62f8aef6d0a467b3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3f7267d666b9e07cb97d2f5092b1637
SHA1 8e3f976d20cc7be6d45510653ac0396f18598e62
SHA256 1274f990af67353da7856250e1e2a7aede8b5e9ede36770ca11019ef2645fe78
SHA512 58718f4d9f896d2f1c9f5be18013ab5511db717387e9366e3f4dfeb1f1a66116a6ac698aa92b3e3a2a236f73efd150a5466f50bdc5e639d6af9b95dee0d1b4f0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e505827598ca7ac6f69f9ea4a40d417c
SHA1 65c31b9c4f8dae29f25e3b0d157dbabb18d6a14f
SHA256 c2eafc814027f1714d626eb6fe3128246e247597b79ee2a6422ae202cf9e8a5b
SHA512 ec981f1815375265b1a4072d9f67b52f5cd5264c28db4e39814996c7794e1fbe97d457fd2e0bab5cab68b898b3e7c83d951d1d8076a515dfb38ad89f0e38fd8a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 c19bf282e5b91f5173a91345fbb8d19e
SHA1 995331dab70e49addf99ab459fbd2fc02b3914f9
SHA256 7a1923a0c203be59a92dd63011b595863686b7196f15b78d262778af1b5f54af
SHA512 bd668b1df40e7b118e9e41730780e8d012c5ea0bd9e9bd6a06ee421e4dc35d9a78b6abcac6da5ed80cb2c9ae7131e2a3377cc5356f62af6631e1531efb032f86

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 77f86f45a5212ca6b0d467a1af2312f8
SHA1 0f9e9e647592f8975b1adbe5b34c4639fd652f55
SHA256 388ef775304db85a0a7f0404409a6e2d3489b45632bfb948b2c9df52eafb50dd
SHA512 50b3dc68355e018a68436c51b8f4d85eb8b0add0f44262fc7451e57edd6eef3fd938bcddb59728f26c3fa242233f017e3c8bf8ba77ba0898130f4123635a92b4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6B2043001D270792DFFD725518EAFE2C

MD5 f55da450a5fb287e1e0f0dcc965756ca
SHA1 7e04de896a3e666d00e687d33ffad93be83d349e
SHA256 31ad6648f8104138c738f39ea4320133393e3a18cc02296ef97c2ac9ef6731d0
SHA512 19bd9a319dfdaad7c13a6b085e51c67c0f9cb1eb4babc4c2b5cdf921c13002ca324e62dfa05f344e340d0d100aa4d6fac0683552162ccc7c0321a8d146da0630

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1f6272f8b1782260e3bb65d887c4fbda
SHA1 7d069004da108b8559c80ba5b7a40d19e0984166
SHA256 71fb2c2500c0861878f39967f24941cc676711c586a1f108bc795d5a19b3497e
SHA512 b66f0f9d6f7191540f3862c9446155032d308dab2d88bfbc7d6be672612140e185604cc5a5a44b4f7bfa0902d9ccd511a5061ae8441acecd4feb925de5c5b4a7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f672d249e9c4004da633f55107c6efb1
SHA1 12240162bab95cd0a138d684dfc7cd195698ca09
SHA256 0d7ef9ec5e302b4f967e15d8d80d792eb828bea70bff7883606aaa9122062425
SHA512 96d6657ffe2ebbceddd54826545a66e5c0e2b2d788dc41361309bfe1f4172c5b20a71c626ffeeda0d5ba15655bb2e93641395ee5b9a014a74296ddb5a9b15e2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b69f7d867db0cbc6ad5a86c2715088e7
SHA1 16918255bfe1d14248f6b3e941205daef29cb219
SHA256 e6c4b327e052cfcc6a4c589d1cd63e086ac22fa8b44ee32e67d8f41d5f58ac4c
SHA512 3af9c59457d578d04e92dd913341cb075f4032714d821f93743d090ecb5da96e9569eb9677f3d42d73811e5d37f451a03a1be33a626d8a9c32eca70c5c41dded

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6B2043001D270792DFFD725518EAFE2C

MD5 a7e8cf576337f66ce228ec296de9e279
SHA1 eae2a4040d333e262b996808a2e85432623ed1d6
SHA256 f9bd51c880374b0e3e8cf7d05e6edb40c01ff81041e7761d20d1beaff81f7410
SHA512 be15cae9d021a06f088ad7d79d09f2e1ab5082cdc5a2cbc443fc4c4fb18d80568de356e8d07a1e5946315cdc13c02e9a146f7ff6558902972537dfdc9ad651b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e22a62c2d3479ecdeb6294b7d19e176b
SHA1 05366ad5693509844d0005e6642d1bb94318ad05
SHA256 5e66dc8e92754597dd281a652ec1fdae1d2247e2289192d16ff72dd22ad66b35
SHA512 a0dc5e4c1a4d08ac64170076e57ca91f5f72a88cc7f928763ef7426917c4b10d03deba52c9ccfe83dd6b9672be6e7bb851e290b9659220588aa9c5c484201a7f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f0e3eed6a4f8bf8d4b2e5151f17af8b9
SHA1 fa8ec63ffd56cfff19914f638d225936cceab2c4
SHA256 0b8498cdc0c3643798286b912b6d8b9cdf689fb41d95b40731a9cec2bcc6c60d
SHA512 49613c97e12fe632b765c900240f7113e98b39ffbd1ff4113164e4409302fc0f560d2ef28f38b951bce8911d8133f8932e59ae1ba0a738547c1973987167e845

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ae131271cf89127d71cdbd893d231527
SHA1 da787e130e0317a0b0da6e2ecf2231f0bae40f4e
SHA256 b4da25bc7af67e66f895a03c438688e4e8b48c603f80446d39f77a9c4d4746e5
SHA512 0607c0d3d6dcdab50bffa241167de5ac505a5083908810a4dc4e432dc8a71fbcb9c4b2157724652b08ae93ceb9e2c7b46ea910c5e343e2a9ed58705822b8f5a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 74561fcea98125b3bd4db647a74d70bb
SHA1 3973d0c0283ff19f7a90d56fbe888f368dafde72
SHA256 6f6996d9bf753519cc060a6b9cec89fa56ede6113619bff5359dd3b9b0f58172
SHA512 dc803adabb89281e44841a35910512701b7cd7814db0c2b095551202c156c7181fdbd013d18670938e80592648a27c3165543b33b02c597d9fc9af1089c4926c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 8be362c86a53a7cadb77324b4e633c96
SHA1 ef2de2c9a9f9f48362cd88c75d04430b38ee5c05
SHA256 c31eb71f4adc792dc045769ea53308bc214003d20b1ffcce1e53e40647765db0
SHA512 e3bd0b0d40652853f8d1dacf2220b4832ecf121f7855cdf718f2dde5639dcc92b5d154d1a40daf64742a0a78866f26933e50736b1b43dedd9d0779cb6dcfb78d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4183558a6b5048c7717b4b5f7cc47b60
SHA1 dd3fbdf11fbe6d05ebfe43d1717d11834c3612a5
SHA256 02ff55cf7ea56ee186afdf6287ef069a049b62460c30c3009b6bc56ffb0795b9
SHA512 77769df6535125255a93875df078c295e5fcbacd1425f970d3a1f3d22241b79e5f3c9ef2472aee3fb289564448a923c159f3a3710c7216a93194a179f75d1c65

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c79185f3cb467c7a2884f85a2a9097da
SHA1 be969e825f89c150d208777d4edaf4d9df61ab25
SHA256 e5547e785e0ed37289f12fdf13a381f3de2d403cfb1104b51f42f1c7ad23f65e
SHA512 4e558536016699a79b852ae071640687df8393be265f5eebef135bf2d0dbb7deacc10f1718016aaf3fbc6f6624f7eb63bbf60854f28b7fdb2c09d927ed8d9232

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 937acf31cd96a83437b3b58ac9963a5f
SHA1 4dd9c09a113e2aae769236f3ccde03d7604a4a1e
SHA256 6acbb4cead935a902ca3ef83a4de7efba2f6192d02324b68ab2b23818befe910
SHA512 fc59acdb6b90470ddc6a69e4e01bb719fcde9ee20aaeb156621ff8c81c1ebba1aa4513e5c37844ac8544ea2dcf902ef4951776935e846079cea0f5730bf3f6a8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e1e95df4e4c308cf63b5ba618249d17b
SHA1 a964352843c2b09155d2f58abd08b52fd4108d8f
SHA256 d3c4b5417aa9472c6d374c1acd5e145eff2855046c22eedcee3a3ef887af9645
SHA512 65666eefdb06125cc7969a736e599b2fc21237c655eb07bd8fcae69a404dc1a5da52ff907fa868bbdee3f081af9a160f92a54b47c4bdafd0aa537e509eb6d39a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02b059bb5cd824eb0eb897fec14a532e
SHA1 22a661a3db0a280284f820ea9b935d70f655e00c
SHA256 1e2484143ec5577e490750b923f9672c9b7c454af50cfcfe67fa5cf4de37ab5d
SHA512 dfc28da912f9eaf18f525b5451e21bc56102703c0a20ddc629fdb78b58849dc091516e948578c644e285af35ec1f8ea3e8662934964f691b3f13dec0fcf5443e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 a46f0993db363eeba67ab6043aca7bc9
SHA1 cd8abf64d231f5d9a536d473953e5f25ab29d718
SHA256 d78cc40ad50b76f5b87459f5043a70ff666d859a999e9f6bbf8dabef0002d1d0
SHA512 f488af65428ecb1825610a31fe54cb7883c6ae62d1a21236120615afeb323a9e56c84045decf18991bdaf0577ea975109c24df872a44e81ae42f0619af57456f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6c5f3b0ff04275b5347eb9cc3cad7718
SHA1 e39c1520ccc9d4674b9c633689b133ff384bdb44
SHA256 9fb179bae33ff22f0ae23f21622019cc2b0ff0d48c0b1035e98a174b820d9e7d
SHA512 7e01f252b42bba82bad02d6a20be08b3c8a5ed1c4a919de8b58978cfad8a2a9fab72ad73453a4ac75b5886bf76fb3017a69bdf525579d4443e0aec8c2a3315ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 94d5b9c7f01eb6cd7527344a985a9823
SHA1 f6278e1197e97cb2a96e055629b50f62c011a7c2
SHA256 ecbdcb70ed939f2268e045977de0abfea28d10af5521f7c29209e27c3ba64f61
SHA512 c8302ce23e21976d5757e0a66dafabe7880c6e1a5339c6f4dfb81e700e69733fe379f055c07197b8d0923d13ae50455ee3245cca1f74e95d3e8be2b606c205a9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a81e161eb93e2350e10923baa0d8f1b9
SHA1 779647e4517d6ce9cd948f06dccad80fcb0af234
SHA256 8ecd741930f7f1629134d7051e79a18864d2f9be5431661e70015af2d9b3964f
SHA512 4eb0244bf5e5b42cd364206163228425bff3da8edc0ee22a67d2d002c8cae0e5e67c6200ef07c477d93901d9d330fc41c97016fbe184b6ffaf7abc6994f97873

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-21 20:55

Reported

2024-03-21 20:58

Platform

win10v2004-20240226-en

Max time kernel

138s

Max time network

140s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Windows\SysWOW64\regsvr32.exe N/A
N/A N/A C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe N/A

Checks installed software on the system

discovery

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\ = "TBSB01315" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\NoExplorer = "1" C:\Windows\SysWOW64\regsvr32.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\inst.tmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbcore3.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\demo_logo.bmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\options.html C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbhelper.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\uninstall.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File created C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\uninstaller.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\error.html C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\google_toolbar.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbCommonUtils.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbcore3.dll C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\update.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\your_logo.png C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\about.html C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\basis.xml C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\icons.bmp C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\info.txt C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
File opened for modification C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\version.txt C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A

Enumerates physical storage devices

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\OpenNew = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\RunSearchAutomatically = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\UpdateAutomatically = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\toolbar_id = "{CFEAEC9C-8BA5-4583-ACA4-6162773DD039}" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} = a4c0b64490ce3c7e6b05a66c402f2b2e C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Layout = 13000000000000000000000020000000100001002d00000001000000000700005e010000060000000103000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000a4c0b64490ce3c7e6b05a66c402f2b2e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "417819522" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\RunSearchDragAutomatically = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks\{CA3EB689-8F09-4026-AA10-B9534C691CE0} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\mac_id = "628714877227" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\RunSearchDragAutomatically = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\LastQAScriptCheckTime = "1711054551" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31095762" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\iexplore.exe = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\toolbar_version = "undefined" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\OpenNew = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\DescriptiveText = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291} C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\needSetHomepage = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\AutoWild C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "956427570" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\DeskbarMode = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000055176c4ced34542856d0f29947515a50000000002000000000010660000000100002000000049327103c58b6ab2e729df5266d9bd66bd0181979b848fc12699375fbf7628e6000000000e8000000002000020000000fe9483c0a9d33d7ca691cdb92c4e9b94a307454316c6805613daa0ffa5c5579620000000863d0708c74ee86d2c3da4e881a4d241601fb09789223d4ca4fc6eeabf106570400000009d7a67974aae286124d9e9ecca5dcf021c08b8f1d0d4d04b5fadaef1e451963e3138edff85e7102d0f3ede42892203fa29119890330a3932db4cf160b7619916 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\KeepHistory = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\TBShow = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\TBBreak = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "956427570" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\SiteAllow C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\mac_id = "628714877227" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\ShowFindButtons = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\Main\ C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\DescriptiveText = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "955177620" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\CurrentLayout = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\AutoComplete = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\needSetHomepage = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\MAO Settings C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\History\tb_cmb_SVCgVyWG C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315 C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\WebBrowser\ITBar7Height = "22" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\URLSearchHooks\ C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\version = "undefined" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\RunSearchAutomatically = "1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\basis C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\ShowFindButtons = "0" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}\AppName = "TbHelper2.exe" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\C:\Users\Admin\AppData\LocalLow\Toolbar4\{44B6C0A4-CE90- = "333" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Enable Browser Extensions = "yes" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\Software\TBSB01315\Toolbar\updateXML = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\InternetRegistry\REGISTRY C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.fr/" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://www.google.fr/" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D565B35E-B787-40FA-95E3-E3562F8FC1A0} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib\ = "{4509D3CC-B642-4745-B030-645B79522C6D}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper.1\CLSID C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\ = "IToolbarURLSearchHook" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B9F43021-60D4-42A6-A065-9BA37F38AC47}\ = "ITbPropertyManager" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\ = "ITbTask" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.TBSB01315\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCC9CDD3-EFFF-11D1-A9F0-00A0244AC403}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4897BBA6-48D9-468C-8EFA-846275D7701B}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B} C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\VersionIndependentProgID\ = "TBSB01315.IEToolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2A42D13C-D427-4787-821B-CF6973855778}\ = "IPosBHO" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TbCommonUtils.DLL C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\TbHelper.EXE\AppID = "{628F3201-34D0-49C0-BB9A-82A26AEFB291}" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6B458F62-592F-4B25-8967-E6A350A59328}\ = "ISearchProviderManager" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6B458F62-592F-4B25-8967-E6A350A59328} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{45CDA4F7-594C-49A0-AAD1-8224517FE979}\ProxyStubClsid32 C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\ = "IToolbarObj" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.TBSB01315\CLSID\ = "{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659} C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B2CA345D-ADB8-4F5D-AC64-4AB34322F659}\ProxyStubClsid32 C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FCBCCB87-9224-4B8D-B117-F56D924BEB18}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Toolbar3.CustomInternetSecurityImpl.1\CLSID\ = "{D565B35E-B787-40FA-95E3-E3562F8FC1A0}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3BDF4CE9-E81D-432B-A55E-9F0570CE811F}\Programmable C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\Software\Microsoft\Internet Explorer C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{D89031C2-10DA-4C90-9A62-FCED012BC46B}\ProgID C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\TypeLib\ = "{B87F8B63-7274-43FD-87FA-09D3B7496148}" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D8478AA-7B88-48A9-8BCB-B85D594411EC}\TypeLib\ = "{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\TypeLib\ = "{EC4085F2-8DB3-45A6-AD0B-CA289F3C5D7E}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{81E852CC-1FD5-4004-8761-79A48B975E29}\TypeLib\Version = "1.0" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{452AE416-9A97-44CA-93DA-D0F15C36254F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TBSB01315.IEToolbar\ = "IE Toolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E67D5BC7-7129-493E-9281-F47BDAFACE4F}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{4D8ED2B3-DC62-43EC-ABA3-5B74F046B1BE}\ = "IContextMenuNotifier" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{0FA32667-9A8A-4E9C-902F-CA3323180003}\ = "IDocHandlerCallback" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{95B6A271-FEB4-4160-B0FF-44394C21C8DC}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C4BAE205-5E02-4E32-876E-F34B4E2D000C}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\ = "ICommonUtils" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{01221FCC-4BFB-461C-B08C-F6D2DF309921}\TypeLib\Version = "1.0" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628F3201-34D0-49C0-BB9A-82A26AEFB291} C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.ToolbarHelper C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google Toolbar\\tbunsd3589.tmp\\TbHelper2.exe\"" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{C339D489-FABC-41DD-B39D-276101667C70}\Programmable C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\InprocServer32\ = "C:\\Program Files (x86)\\Google Toolbar\\tbunsd3589.tmp\\tbcore3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TbCommonUtils.CommonUtils.1\ = "CommonUtils Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TbHelper.TbTask\CLSID\ = "{A9A56B8E-2DEB-4ED3-BC92-1FA450BCE1A5}" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
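
The rows above are raw COM registration writes, so the question a triager actually has (which DLL will Internet Explorer load, and from where) is spread over many lines. The following Python script is an added example, not part of this report or of the sandbox's tooling: it parses rows in this "Description Indicator Process Target" layout into a CLSID-to-server map and pulls out the three things worth noting here: the InprocServer32 that resolves to tbcore3.dll inside a tbunsd3589.tmp directory under the "Google Toolbar" folder, the LocalServer32 for TbHelper2.exe, and the Low Rights\ElevationPolicy entry (copied from the "Modifies Internet Explorer settings" rows above) that names that same binary. The sample rows are copied from this report; the path heuristics that flag *.tmp and user-writable directories are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the registry tables above (the
# ElevationPolicy row is from "Modifies Internet Explorer settings"), in the
# report's own "Description Indicator Process Target" layout.
SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\InprocServer32\ = "C:\\Program Files (x86)\\Google Toolbar\\tbunsd3589.tmp\\tbcore3.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{44B6C0A4-CE90-7E3C-6B05-A66C402F2B2E}\VersionIndependentProgID\ = "TBSB01315.IEToolbar" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1C950DE5-D31E-42FB-AFB9-91B0161633D8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Google Toolbar\\tbunsd3589.tmp\\TbHelper2.exe\"" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA3EB689-8F09-4026-AA10-B9534C691CE0}\ = "ToolbarURLSearchHook Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{628F3201-34D0-49C0-BB9A-82A26AEFB291}\AppName = "TbHelper2.exe" C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe N/A
"""

# Row shape: Set value (type) <key path>[\<value name>] = "<value>" <writer> N/A
# A key path that ends in "\" means the key's (Default) value was written.
SET_VALUE = re.compile(r'^Set value \((\w+)\) (\\REGISTRY\\.+?) = "(.*)" (.+?) N/A$')
CLSID_KEY = re.compile(r'\\CLSID\\(\{[0-9A-Fa-f-]{36}\})(?:\\(.*))?$')
ELEVATION = re.compile(r'\\Low Rights\\ElevationPolicy\\(\{[0-9A-Fa-f-]{36}\})\\AppName$')
# Location heuristics are assumptions for this example, not sandbox signatures.
TMP_DIR = re.compile(r'\\[^\\]+\.tmp\\', re.IGNORECASE)
USER_WRITABLE = re.compile(r'^[A-Za-z]:\\Users\\|\\AppData\\|\\ProgramData\\|\\Temp\\', re.IGNORECASE)


def unescape(raw):
    """Undo the report's escaping of backslashes and quotes inside values."""
    return raw.replace('\\"', '"').replace('\\\\', '\\').strip('"')


def parse_com_registrations(text):
    """Return (clsid -> registration details, appid -> elevation policy)."""
    clsids, elevation = defaultdict(dict), {}
    for line in text.strip().splitlines():
        m = SET_VALUE.match(line.rstrip())
        if not m:
            continue
        _vtype, key, raw, writer = m.groups()
        value = unescape(raw)
        e = ELEVATION.search(key)
        if e:
            elevation[e.group(1)] = {"app": value, "writer": writer}
            continue
        c = CLSID_KEY.search(key)
        if not c:
            continue
        parts = (c.group(2) or "").split("\\")
        subkey, name = (parts[0], parts[-1]) if len(parts) > 1 else ("", parts[0])
        entry = clsids[c.group(1)]
        entry.setdefault("writer", writer)
        if subkey in ("InprocServer32", "LocalServer32") and name == "":
            entry["server_kind"], entry["server"] = subkey, value
        elif subkey == "InprocServer32" and name == "ThreadingModel":
            entry["threading"] = value
        elif subkey in ("ProgID", "VersionIndependentProgID") and name == "":
            entry.setdefault("progids", []).append(value)
        elif subkey == "" and name == "":
            entry["name"] = value
    return dict(clsids), elevation


def review(clsids, elevation):
    """Flag servers in odd locations and elevation policies that name them."""
    findings = []
    for clsid, e in clsids.items():
        server = e.get("server", "")
        if TMP_DIR.search(server):
            findings.append((clsid, "COM server registered from a *.tmp directory: " + server))
        if USER_WRITABLE.search(server):
            findings.append((clsid, "COM server in a user-writable path: " + server))
    # Low Rights\ElevationPolicy entries tell IE Protected Mode how to treat
    # the named binary; link each one back to a LocalServer32 parsed above.
    by_exe = {e["server"].rsplit("\\", 1)[-1].lower(): c
              for c, e in clsids.items() if e.get("server_kind") == "LocalServer32"}
    for appid, pol in elevation.items():
        clsid = by_exe.get(pol["app"].lower())
        if clsid:
            findings.append((appid, f"ElevationPolicy names {pol['app']}, the LocalServer32 of {clsid}"))
    return findings


if __name__ == "__main__":
    regs, pol = parse_com_registrations(SAMPLE_EVENTS)
    for clsid, msg in review(regs, pol):
        print(clsid, msg)
```

Feeding the whole "Modifies registry class" table through `parse_com_registrations` gives one entry per CLSID with its server path, threading model and ProgIDs, which is the list to compare against the BHO, Toolbar and URLSearchHooks keys in the "Installs/modifies Browser Helper Object" rows; anything whose InprocServer32 sits outside a signed, non-temporary install directory is what to pull from the VM for static analysis.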

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
PID 2060 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
PID 2060 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
PID 4420 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 4420 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5116 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5116 wrote to memory of 4444 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5116 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5116 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5116 wrote to memory of 2896 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\findstr.exe
PID 5116 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 5116 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
PID 2060 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
PID 2060 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
PID 4980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 4980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 4980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 4980 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 4980 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 4980 wrote to memory of 3696 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 4980 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4980 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\regsvr32.exe
PID 4980 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 5064 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 5064 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 5064 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 4976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe
PID 1952 wrote to memory of 4976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe
PID 1952 wrote to memory of 4976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe
PID 1952 wrote to memory of 3240 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1952 wrote to memory of 3240 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3240 wrote to memory of 4860 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3240 wrote to memory of 4860 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3240 wrote to memory of 4860 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 4860 wrote to memory of 4932 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
PID 4860 wrote to memory of 4932 N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe
PID 4932 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4932 wrote to memory of 1676 N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 3876 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe

"C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\325A.tmp\certificat.bat" "

C:\Windows\SysWOW64\findstr.exe

FINDSTR /C:Path profiles.ini

C:\Windows\SysWOW64\findstr.exe

FINDSTR /C:.defau profiles.ini

C:\Windows\SysWOW64\reg.exe

reg import c:\proxy\Proxy.reg

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM rssclient.exe

C:\Windows\SysWOW64\taskkill.exe

"C:\Windows\system32\taskkill.exe" /F /IM tbhelper2.exe

C:\Windows\system32\pacjsworker.exe

C:\Windows\system32\pacjsworker.exe 72316990-603e-461b-bf2a-ad34ab59a0c4 3455cce1-ee83-4971-b0ae-d51528026442

C:\Windows\system32\pacjsworker.exe

C:\Windows\system32\pacjsworker.exe 97760f5f-4130-4248-b69f-7b83bf662fd4 3455cce1-ee83-4971-b0ae-d51528026442

C:\Windows\SysWOW64\regsvr32.exe

C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbcore3.dll"

C:\Windows\SysWOW64\regsvr32.exe

regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbCommonUtils.dll"

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe

"C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe" -RegServer

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe

"C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe" -Embedding

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3240 CREDAT:17410 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\ie_to_edge_stub.exe" --from-ie-to-edge=3 --ie-frame-hwnd=a0054

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --from-ie-to-edge=3 --ie-frame-hwnd=a0054

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9f5a646f8,0x7ff9f5a64708,0x7ff9f5a64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,193173788901877340,15449758104400760272,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,193173788901877340,15449758104400760272,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,193173788901877340,15449758104400760272,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=proxy_resolver.mojom.ProxyResolverFactory --field-trial-handle=2028,193173788901877340,15449758104400760272,131072 --lang=en-US --service-sandbox-type=proxy_resolver --mojo-platform-channel-handle=3380 /prefetch:8

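The WriteProcessMemory table above has one row per write, so each parent/child pair repeats several times, and PID 5064 shows up twice with different images (a regsvr32.exe child of 1952, later an msedge.exe child of 1676) because the sandbox reused the PID. The Python script below is an added example, not part of this report or of the sandbox's tooling: it collapses those rows into a process tree keyed by (pid, image) with a write count per edge, attaches the command lines from the Processes list, and applies a few lineage and command-line rules that cover what this run shows (regsvr32 launching the browser and an out-of-process COM server, cmd.exe driving `reg import` of the dropped Proxy.reg, forced `taskkill`, silent `regsvr32 /s`). The sample rows are a subset copied from this report; the rule labels are assumptions made for the example, and attaching command lines by image assumes the Processes list is in creation order.

```python
import re
from collections import defaultdict, deque

# Constructed sample: a subset of the "Suspicious use of WriteProcessMemory" rows
# and of the "Processes" list above (blank separator lines dropped).
SAMPLE_WRITES = r"""
PID 2060 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
PID 2060 wrote to memory of 4420 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE
PID 4420 wrote to memory of 5116 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE C:\Windows\SysWOW64\cmd.exe
PID 5116 wrote to memory of 4432 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2060 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe
PID 4980 wrote to memory of 5020 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\taskkill.exe
PID 4980 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 5064 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1952 wrote to memory of 4976 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe
PID 1952 wrote to memory of 3240 N/A C:\Windows\SysWOW64\regsvr32.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1676 wrote to memory of 5064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"""
SAMPLE_PROCS = r"""
C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe
"C:\Users\Admin\AppData\Local\Temp\dc97cc32556cfc04dbd9abbe898326d2.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\325A.tmp\certificat.bat" "
C:\Windows\SysWOW64\reg.exe
reg import c:\proxy\Proxy.reg
C:\Windows\SysWOW64\taskkill.exe
"C:\Windows\system32\taskkill.exe" /F /IM rssclient.exe
C:\Windows\SysWOW64\regsvr32.exe
C:\Windows\system32\regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbcore3.dll"
C:\Windows\SysWOW64\regsvr32.exe
regsvr32 /s "C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbCommonUtils.dll"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://www.google.com/
"""

# Both images may contain spaces, so the parent is matched lazily up to the
# first " X:\" (Windows paths never contain that sequence internally).
WRITE_RE = re.compile(r'^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$')
# Rule labels are assumptions made for this example, not sandbox signatures.
CMDLINE_RULES = [
    (re.compile(r'\breg(?:\.exe)?\s+import\s', re.I), "imports a dropped .reg file"),
    (re.compile(r'taskkill(?:\.exe)?"?\s+/F\s+/IM\s', re.I), "force-kills a process by image name"),
    (re.compile(r'regsvr32(?:\.exe)?\s+/s\s', re.I), "silent COM registration"),
    (re.compile(r'findstr\b.*profiles\.ini', re.I), "reads Firefox profiles.ini"),
]
LINEAGE_RULES = {
    ("regsvr32.exe", "iexplore.exe"): "regsvr32 launching Internet Explorer",
    ("regsvr32.exe", "tbhelper2.exe"): "regsvr32 starting an out-of-proc COM server",
    ("cmd.exe", "reg.exe"): "batch script driving reg.exe",
}
basename = lambda path: path.rsplit("\\", 1)[-1].lower()


def parse_writes(text):
    """(parent, child) -> row count. Nodes are (pid, image) pairs because the
    sandbox reuses PIDs (5064 is both a regsvr32.exe and an msedge.exe child)."""
    edges = defaultdict(int)
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line.rstrip())
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[((int(ppid), pimg), (int(cpid), cimg))] += 1
    return dict(edges)


def parse_procs(text):
    """image -> command lines in report order (the list alternates image, cmdline)."""
    lines = [l for l in text.splitlines() if l.strip()]
    cmds = defaultdict(deque)
    for image, cmdline in zip(lines[0::2], lines[1::2]):
        cmds[image].append(cmdline)
    return cmds


def build_tree(edges, cmds):
    """Depth-first rows of (depth, pid, image, cmdline, writes). Command lines are
    handed out per image in report order, so the first node seen gets the first."""
    children, parents, order = defaultdict(list), set(), {}
    for (p, c), n in edges.items():
        children[p].append((c, n))
        parents.add(c)
        order.update({p: None, c: None})
    rows = []

    def walk(node, depth, writes):
        q = cmds.get(node[1])
        rows.append((depth, node[0], node[1], q.popleft() if q else "", writes))
        for child, n in children.get(node, []):
            walk(child, depth + 1, n)
    for root in [n for n in order if n not in parents]:
        walk(root, 0, 0)
    return rows


def findings(edges, rows):
    """Lineage hits from the edges plus command-line hits from the tree rows."""
    out = []
    for p, c in edges:
        why = LINEAGE_RULES.get((basename(p[1]), basename(c[1])))
        if why:
            out.append(f"{p[0]}->{c[0]}: {why}")
    for _, pid, _, cmd, _ in rows:
        out += [f"{pid}: {why}: {cmd}" for rx, why in CMDLINE_RULES if rx.search(cmd)]
    return out


if __name__ == "__main__":
    tree = build_tree(parse_writes(SAMPLE_WRITES), parse_procs(SAMPLE_PROCS))
    for depth, pid, img, cmd, writes in tree:
        print("  " * depth + f"{pid} {basename(img)} [writes={writes}] {cmd}")
```

Run on the full tables, the tree makes the two branches of the sample visible at a glance: CERTIF~1.EXE running certificat.bat (findstr over profiles.ini, then `reg import c:\proxy\Proxy.reg`) and photo.exe killing rssclient.exe and tbhelper2.exe before registering tbcore3.dll and TbCommonUtils.dll and starting TbHelper2.exe -RegServer. Keying nodes by (pid, image) is what keeps the 22 msedge.exe writes to PID 5064 from being attached to the regsvr32.exe instance of the same PID.
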
Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 www.icservic.com udp
FR 5.196.160.143:80 www.icservic.com tcp
FR 5.196.160.188:8181 5.196.160.188 tcp
FR 5.196.160.188:8181 5.196.160.188 tcp
FR 5.196.160.188:8181 icservic.com tcp
US 8.8.8.8:53 143.160.196.5.in-addr.arpa udp
US 8.8.8.8:53 188.160.196.5.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:80 www.google.com tcp
NL 142.250.179.196:80 www.google.com tcp
US 8.8.8.8:53 196.179.250.142.in-addr.arpa udp
FR 5.196.160.188:8181 5.196.160.188 tcp
FR 5.196.160.188:8181 5.196.160.188 tcp
FR 5.196.160.188:8181 tcp
FR 5.196.160.188:8181 www.icservic.com tcp
US 8.8.8.8:53 www.icservic.com udp
FR 5.196.160.143:80 www.icservic.com tcp
FR 5.196.160.143:80 www.icservic.com tcp
GB 92.123.128.142:443 www.bing.com tcp
GB 92.123.128.142:443 www.bing.com tcp
US 8.8.8.8:53 edge.microsoft.com udp
US 8.8.8.8:53 142.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 softomate.net udp
RU 109.202.21.168:80 softomate.net tcp
RU 109.202.21.168:80 softomate.net tcp
US 204.79.197.239:443 edge.microsoft.com tcp
US 204.79.197.239:443 edge.microsoft.com tcp
US 8.8.8.8:53 r.bing.com udp
GB 92.123.128.132:443 r.bing.com tcp
GB 92.123.128.132:443 r.bing.com tcp
US 8.8.8.8:53 login.microsoftonline.com udp
NL 40.126.32.138:443 login.microsoftonline.com tcp
NL 40.126.32.138:443 login.microsoftonline.com tcp
US 8.8.8.8:53 239.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 132.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 th.bing.com udp
GB 92.123.128.185:443 th.bing.com tcp
GB 92.123.128.185:443 th.bing.com tcp
US 8.8.8.8:53 185.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
RU 109.202.21.168:80 softomate.net tcp
RU 109.202.21.168:80 softomate.net tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
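
Most rows in the Network table are not the sample's doing: reverse lookups (in-addr.arpa) of every peer the VM touched, Bing and Edge background traffic, login.microsoftonline.com, mDNS to 224.0.0.251. What remains is www.icservic.com on 5.196.160.143:80, repeated connections to 5.196.160.188 on the non-standard port 8181, and softomate.net on 109.202.21.168:80. The Python script below is an added example, not part of this report or of the sandbox's tooling: it parses rows in this "Country Destination Domain Proto" layout (including the row whose Domain column is empty), drops the background, correlates resolver queries with the TCP connections that follow, and keeps the rest as IOC candidates with hit counts and flags. The sample rows are copied from this table; the suffix list of expected destinations is an assumption for this example, and www.google.com is on it because the report shows the sample's own regsvr32 chain launching iexplore.exe on http://www.google.com/, so that traffic is expected rather than an indicator.

```python
from collections import OrderedDict

# Constructed sample: rows copied from the Network table above, including the
# row with an empty Domain column and the mDNS row with no country.
SAMPLE_NETWORK = """
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 www.icservic.com udp
FR 5.196.160.143:80 www.icservic.com tcp
FR 5.196.160.188:8181 5.196.160.188 tcp
FR 5.196.160.188:8181 icservic.com tcp
US 8.8.8.8:53 www.google.com udp
NL 142.250.179.196:80 www.google.com tcp
FR 5.196.160.188:8181 tcp
GB 92.123.128.142:443 www.bing.com tcp
US 8.8.8.8:53 softomate.net udp
RU 109.202.21.168:80 softomate.net tcp
US 204.79.197.239:443 edge.microsoft.com tcp
NL 40.126.32.138:443 login.microsoftonline.com tcp
N/A 224.0.0.251:5353 udp
RU 109.202.21.168:80 softomate.net tcp
"""

# Destinations an IE/Edge VM reaches on its own, plus google.com, which this
# sample opens in iexplore.exe itself. Assumption for this example; tune per sandbox.
EXPECTED_SUFFIXES = ("bing.com", "bing.net", "microsoft.com", "microsoftonline.com", "google.com")


def parse_network(text):
    """Rows are 'Country Destination Domain Proto'; the Domain column may be absent."""
    rows = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) == 4:
            country, dest, domain, proto = t
        elif len(t) == 3:
            (country, dest, proto), domain = t, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows


def is_expected(domain, ip):
    if domain.endswith(".in-addr.arpa"):   # reverse lookups of peers just contacted
        return True
    if ip.startswith("224.0.0."):          # mDNS / link-local multicast
        return True
    return any(domain == s or domain.endswith("." + s) for s in EXPECTED_SUFFIXES)


def triage(rows, resolver="8.8.8.8"):
    """Return (domains queried at the resolver, IOC map keyed by (ip, port, proto))."""
    queried, iocs = [], OrderedDict()
    for r in rows:
        if is_expected(r["domain"], r["ip"]):
            continue
        if r["ip"] == resolver and r["port"] == 53:
            if r["domain"] and r["domain"] not in queried:
                queried.append(r["domain"])
            continue
        e = iocs.setdefault((r["ip"], r["port"], r["proto"]),
                            {"country": r["country"], "domains": [], "hits": 0, "flags": []})
        e["hits"] += 1
        if r["domain"] and r["domain"] != r["ip"] and r["domain"] not in e["domains"]:
            e["domains"].append(r["domain"])
    for (ip, port, proto), e in iocs.items():
        if port not in (80, 443):
            e["flags"].append("non-standard port")
        if not e["domains"]:
            e["flags"].append("direct-to-IP, no hostname")
        elif not any(d in queried for d in e["domains"]):
            # The Domain column on a tcp row is the sandbox's label for the
            # connection, not evidence that a resolver query for it was seen.
            e["flags"].append("hostname not seen in a resolver query")
    return queried, iocs


if __name__ == "__main__":
    queried, iocs = triage(parse_network(SAMPLE_NETWORK))
    print("queried:", queried)
    for (ip, port, proto), e in iocs.items():
        print(f"{ip}:{port}/{proto} {e['country']} hits={e['hits']} {e['domains']} {e['flags']}")
```

On the copied rows the result is three candidates: 5.196.160.143:80 labelled www.icservic.com (resolved via 8.8.8.8), 5.196.160.188:8181 with three hits flagged for its port and for carrying the name icservic.com without a matching resolver query, and 109.202.21.168:80 softomate.net with two hits. Those are the entries to pass on as indicators; the repeated reverse lookups and the Bing/Edge rows are noise from the VM.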

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE

MD5 a0fe1191d60d3459d84262f5e3613e6a
SHA1 278b47dc1480ada26c546b4e74388857fa8a8106
SHA256 ca98b7510a17e287b111276e58ccf36d4f5df44c253dbe84d402539e9d91a982
SHA512 584925d6eb712a1c5657a69249482d9823f7d51a6794539c2423fc709449aad647236dd9d775f6a75b19427ca6e3d7546e5d5430d57a6a473fd2a04d5aa2b4d3

memory/4420-7-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\325A.tmp\certificat.bat

MD5 36f5ab7eaa9af08b0d6befa8a8421f11
SHA1 386b2100018d24adff21e1c0191b9b8d4e6d49c4
SHA256 51e7c7f87241543bd92d43a566acc65e85932e1f597c7fafd0bc62a89347390d
SHA512 fd61eb0168d27b5a03236ee206eb423b4ec73a9f212d89b9155f1f261769fefdaffeef4ed7c76edfa79ec81c3e2ce72efe7b53d1f2914428d98041791be1152e

\??\c:\proxy\Proxy.reg

MD5 084b0f14ab07ebd84c5cfb0a4d3bc51f
SHA1 f0f097d590223bab722a45656c43fa0300022cc6
SHA256 f8cec4b3c51ea7ca647ca68ba0e6a44a67b253b89a0b51aaddc16f45193c4ad6
SHA512 df880be96693e1252f6ab19d9d98195c736ef169e80faa7cd4d2034db1297a508ef816d4dbc1f3d92da0b7e4d80e6a4c2681c39bc14b1dd1adf34668002cc67f

memory/4420-26-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe

MD5 de47bfec38bea525168ed54243f752f2
SHA1 2eb200e324be593d7ac21eae58cc9475a88cd3cb
SHA256 abd018da12e3cd706ab4873e614e5308e55ae33a1008b6ee88c448df6d4c86a4
SHA512 d04cf06adc507e9b79e1aeb2f8b9486f0667db56b802dbe0d1356e449480ef4a85119c7eaa3d2717b4d7ceab994b4c91efee0d6f43cfe9993f9bc1d7ac709072

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\photo.exe

MD5 e48f6f7499ee23a9381527c80857de00
SHA1 e96797398ab5865c9ceaee783492685a4b9f0b69
SHA256 2fae3370ca95f88ea59bce7cba29eb19200f633814b7d31f7e4429aca2590c87
SHA512 e1e70c8ba94db7817ef808e9870ff8e7bb73eb80e2125c80c7356ac33d31e6e7e05d086e0437265ad403b9d72e340d66119d704dc754d85c5082bbf490edb087

C:\Users\Admin\AppData\Local\Temp\nsy351B.tmp\UserInfo.dll

MD5 7579ade7ae1747a31960a228ce02e666
SHA1 8ec8571a296737e819dcf86353a43fcf8ec63351
SHA256 564c80dec62d76c53497c40094db360ff8a36e0dc1bda8383d0f9583138997f5
SHA512 a88bc56e938374c333b0e33cb72951635b5d5a98b9cb2d6785073cbcad23bf4c0f9f69d3b7e87b46c76eb03ced9bb786844ce87656a9e3df4ca24acf43d7a05b

C:\Users\Admin\AppData\Local\Temp\nsy351B.tmp\CabDLL.dll

MD5 3b8cf4f6c883c7ca0c964ef2a96525aa
SHA1 7f0d1b89783056decea951fa7b25d3c4c354d0d3
SHA256 58b29737613b3b916ae6d8ad12790da5cffcf0f354739abfa41bab60a80d40ea
SHA512 6474c7a8fb31c0e1cdbb4fbc5653a060961557565484ee2d26beb8be0e5d047790f8ff96710729bf5ee9eb00011beb98c370eb2ae01aa4ad0971f58910ebcd24

C:\Users\Admin\AppData\Local\Temp\nsy351B.tmp\inetc.dll

MD5 ef630cf1898c257df36b1037bd1e5392
SHA1 b2c47d9a741d2b5391387059552b37f2daddade2
SHA256 41776a77b4e3bba1c3e70d10b9f560248148b8f2c45d39d4cd8683754112860f
SHA512 986b405d723294ff5b3649f899bc048c5693bd386dc3f489b390ccb1d56e8e65a9dbe6d0863d553525ce93d505a162eaa087faf4b4c5133345c3330d01327211

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbcore3.dll

MD5 f365dad6814d03d7cc9fbb596129c3f3
SHA1 494340382954e76aa60245628e1e35239cec2efa
SHA256 0bd2aba554c60448af1facb8cc005134d006883db5a1aa179f446080f8e7b542
SHA512 95c442a4d92974e63ee9959b8f1b3c58ee325510f6240e5443f7d33a859491198aa4b0bb38fd4197c0c8c316dabe9d39f7f2084804acb690b3ee4a94cb2f4bda

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\basis.xml

MD5 7d4ff117ba468e62943651996bf4b76a
SHA1 17eb37cbc06ce71c5545a4983eb98e2916b85abe
SHA256 5fa97d4cc63aa8f560447fbe18dbf6c35b84014b4ba101a41605ccd449a1cb76
SHA512 787af0d0e77da56848b709a9ba10413de3db503487efc8008dd202cbe8ab7e52e847292c99fa00a6c9b742590f4eabadbd1ebbdf027cafa40436966d5813bd08

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\demo_logo.bmp

MD5 6e6ef6706a77076d3497fc4ab70fb87d
SHA1 0d683098713ee0df442b57fd33c48b96dc025f3b
SHA256 a1bc64615a4555a3a43d94f13a71a158f6fb6549aa14fdba36ca623907b45438
SHA512 e778b1e8aa3a346f92d56b30ccef28564c298f4107f8ca969d148fa91af7181e6b3278f4cb55e92712c9405a4255ab2b75ffbc0a683ee9768cb6902e21f403c1

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\about.html

MD5 d67f20570f2bef999552e37aa86d53d3
SHA1 bd59e160023e5612d227a3ddc369805bff641666
SHA256 e3ebba3f9ca4caa5a9f5e3b821fd4d4884db5fa58f2a080fe36625a327948ed2
SHA512 08d91508d8e35ab0570a506010ae6d238cc05e44d013ccc1c2d95dd74a47806b8ecbefd9e033007c8d647b31f2f7c1fe43fef038b0eb129676bd140b383c595c

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\error.html

MD5 62360bdda99a8fbfc53ad1ed4f8a58da
SHA1 0c26c863088ada7dc1d8a142f0b8e03263787ac4
SHA256 3e1ca16e30578ba66641151dafac162f46d2502fc777780b3c7b8ad6dfcd2961
SHA512 0bde00cfd09ca02f400dcfc0ba202940bfbc2589c1f40aec504f96d4f3d83fce4a0e8b63597ff1e72b16be470e6c1dc3f6911c394f076db9dc043ba8dd4ac913

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\icons.bmp

MD5 94fb20e3f0d75f1690801dee53d58fe2
SHA1 f118e4d8a47e6f45fda3ed99f44bcf67e9a0db0f
SHA256 221554718f7b15f50e0a6518245269f6993a555fc63679ec67ae44799966bab6
SHA512 a9a7087b2df0b8e9d6018fa3624148a386d0df0ab32a6fa3888b351ae6c5229d4482d3c5080025b229157fe57891dcba21c26b3f46808d8ddc85a66b66795c7b

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\info.txt

MD5 27a3da5fd0259ebb0a264cc96d59a0a7
SHA1 9ce43b28ee3c49358446eeb41fc5ebce3b8cbb82
SHA256 ac5c66127e7a76c3fd2c1443f28637762a5d74223f398cd9c7870a3f0110cf7b
SHA512 7cf10e7a9c48ec31dadceb06e91601fdb5b2c569cf4a7f2431f64be6d638eb5dfa0cca59bccc2cfc7d093cf27badff29c1b56530bc2843d504644a30d45e1ca1

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\options.html

MD5 17e96ac1d05fdf7437aeff7534ecbf65
SHA1 30b070fa99865b726978e92ef496464a5d3c3e9d
SHA256 d13cb02752415056dd0277b634badcd31970f2651a6b59811a8f0c18f3afebcb
SHA512 3c9b426fa93406cf51b86e6e89d0402c492f8d5522ceee516e22ee65ffd0d0b55a8b2712030d2da828567db18888a81014bcbc934f453a9ef6aec850bd0a2d1f

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\uninstaller.exe

MD5 a84214d5259fe35cac798a7948b1eefa
SHA1 86573c569e0ac99a7eea533e8a9c37d129fa4d2c
SHA256 24d87f45282378deaa0af6b6ce0b3de6217c19f2bbfa829bdb78ade76d16e099
SHA512 5f7620fd0a5636edb6cda3af1c12e3e6d195fd82ffc6fdf21189c056089eb933fe71e7c142529c8dd1ffed1c790e03382e2b33e148c4c48313ac18315a18a895

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\uninstall.exe

MD5 5de82c78d4a9025b16286b76f7974a29
SHA1 775e106cfc3933f369e60ddb3b930343db0deaff
SHA256 7f71641efb3048d552176f019a93a46bfbf11323cfcf29c07c8e5406b047c5fe
SHA512 a2bd8d977ba032126209b094b81dc63d0b6b0fad535fca890ed6ec7c8bb29ccaaf9cbf095aaee7e81803f5042c55a07661a77f89bd6eb7be4ecde1ff84f6a33c

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbHelper2.exe

MD5 505d26efa3e1f41a0efb8d54a416d9ae
SHA1 4919d9a1b7dbff78aab3242659b807b6236190b7
SHA256 7c32c3548f9a58ffee43155396c1d0a295481c080639b9ffe0c645f43040fa65
SHA512 be3a585b0918eb766878e66dcbf24403caf66077fbecfe7875b2647a754df49aff516ec89480be516395a7f9822150e2276cbafe491e6a14a7e3380c2410f9a9

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\your_logo.png

MD5 4f85d6b204fe0eb75858031af68b62fd
SHA1 85a2e6a6ba242c0cbd6027b0bee00fe47f9ac390
SHA256 f1f6901c53d9bc846c65ff79486c93c82ecd832912104b76f0e0a049883e0b1e
SHA512 d2be63b38b5012b1179d92c62327bdf703ee3b9762fdc98364ee35dd10a2c9dbb1120e83a36cd5ed8e7188708db70799dfff73d9030b5eba0761378955911e56

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\version.txt

MD5 b74eceb8cd0aa961e9ecb71fb2499de5
SHA1 3d897b0e40482fd756959d8e97f7f2aa99373ce6
SHA256 b9c76f125b18336ad3fa36421f278daea9d380c42ff485cd94b0857720968817
SHA512 721e3da544db766586e2d714d281c08ea9664e9faa270888e1b0d192305f14b9992becfd1d10e0a405c7941b686050a9badf0e000658f749adfeb27ee294df54

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\update.exe

MD5 a518a8472025160102877a8efafd0382
SHA1 fb26a02a418e757de8874b474687b67cc0a2d24f
SHA256 4fa6289e5a4c1ebf74e57b9105f46a9d492f6d1b84c89a005c3cd8d715005ba9
SHA512 d2b1a88529e4243cd71c0d516cf175482f37dca84309d5dffc8725f8c271b63a14b249be3cce946ded4475a067f72755ef01e5b3ea12bb0b8b09d014a5bd0d56

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\tbhelper.dll

MD5 9e581e562d7199bd632bda0a5c06981e
SHA1 cabec8c7278932e4081d6eb921edbda94c27a7bb
SHA256 083edf3272c24fef6e0fbf7fde2a8e3dc040d8bdc142c1c28dab93f2f9c4eceb
SHA512 c81a314a01af97316751f546dd1dad6ecf8c1a684e340a322ecf37be118d44996815ef0cd4019dd3725bb5ff85f4ca95f337d04aefda987ef82ed8bbfeb3ca1a

memory/1952-131-0x0000000002820000-0x0000000002874000-memory.dmp

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\google_toolbar.dll

MD5 a38c85c4155a7600e83286a00f42e213
SHA1 ed66950dcf0267c474db1728862729c4060ca35f
SHA256 a2e491a3a360daaff17016fac439ee2f5c96297b02f24430bda69c3411c52360
SHA512 a8fcbb63910153851c47e474e5600e1aaaca68564e8edec8c97139c03e71b70c53f10efc7bae2528643222f098212473f2394bc64c04ca859d2dc9f696b577df

C:\Program Files (x86)\Google Toolbar\tbunsd3589.tmp\TbCommonUtils.dll

MD5 664053fdc85a172d34846adefa5d876f
SHA1 43dcd734f59aa4f49cd6143ac620b696ba2b9e56
SHA256 796802332734a00c3e2f372df277b98aa3c8cf04b2235be05971057e2dc8eb0f
SHA512 f83691a4f30b3bef1e8f6552cd8e6ce93b351ff1590dddb4768839c493bca415a8a5cc83c5a723890965fe520fc24667c28fc674ff4f433b004cce97b29717b2

memory/1952-140-0x0000000003080000-0x00000000030D4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e0811105475d528ab174dfdb69f935f3
SHA1 dd9689f0f70a07b4e6fb29607e42d2d5faf1f516
SHA256 c91388c87878a9e2c530c6096dbdd993b0a26fefe8ad797e0133547225032d6c
SHA512 8374a721ea3ff3a1ea70d8a074e5c193dbba27ba7e301f19cea89d648b2378c376e48310c33fe81078cd40b1863daec935e8ac22e8e3878dc3a5bb529d028852

\??\pipe\LOCAL\crashpad_1676_XRYSLUBZBNMUCEPL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 618237a65b3513678b5bd4cff87631d3
SHA1 dc2f50281ca82c9a43a56f8632ad7d996ef4c159
SHA256 36e0147d234dc01bbf027107507a23f1d6c185e524bcdc2b865c3b0fa8b6589d
SHA512 625991ebd821884094f19a507092c9ec323a315d2a7ac47471b61156012dd03bca0706f9f4772e36d9ed994def033e7f65fe35c9c9b53f3adb1a94a2e320ff92

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUFWLFGT\favicon-trans-bg-blue-mg[1].ico

MD5 30967b1b52cb6df18a8af8fcc04f83c9
SHA1 aaf67cd84fcd64fb2d8974d7135d6f1e4fc03588
SHA256 439b6089e45ef1e0c37ef88764d5c99a3b2752609c4e2af3376480d7ffcfaf2e
SHA512 7cb3c09a81fbd301741e7cf5296c406baf1c76685d354c54457c87f6471867390a1aeed9f95701eb9361d7dfacce31afd1d240841037fc1de4a120c66c1b088c

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\IGS2C121\pXVzgohStRjQefcwyp3z6bhIArA.gz[1].js

MD5 47442e8d5838baaa640a856f98e40dc6
SHA1 54c60cad77926723975b92d09fe79d7beff58d99
SHA256 15ed1579bccf1571a7d8b888226e9fe455aca5628684419d1a18f7cda68af89e
SHA512 87c849283248baf779faab7bde1077a39274da88bea3a6f8e1513cb8dcd24a8c465bf431aee9d655b4e4802e62564d020f0bb1271fb331074d2ec62fc8d08f63

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UUFWLFGT\NRudXMsXYtnM1BQyD6xvAZoudZM.gz[1].js

MD5 2ab12bf4a9e00a1f96849ebb31e03d48
SHA1 7214619173c4ec069be1ff00dd61092fd2981af0
SHA256 f8b5acf4da28e0617f1c81093192d044bd5a6cc2a2e0c77677f859adcf3430ac
SHA512 7d5aae775be1e482eada1f453bea2c52a62c552fa94949e6a6081f322e679e916b1276bb59ff28cf7c86d21727bcc329ecb03e5d77ca93204e0cd2694faa72bd

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HT2TD2G4\v1[1].xml

MD5 25a40f949855471562a1a9e465cfed7c
SHA1 c3a563c56fb8323e6c2ee7fa417c45d8384a4156
SHA256 075f1f4ec57dcfdbb2f1b60ffbf9efe0286216c43d0a65f82eae86af66b36127
SHA512 e5b4ed8df62488e7bb9ccb77f1daac251f65cd3251257ab94094df1316fa50a96901b32e7e76e47a4616d763ae54d7134f5d29f030ee7d2399bbe728498fedd4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 ea25a61c2fde5380aed50068f1af1ead
SHA1 8ab3e1232d13005da1f3f0c062fa5678bec3902f
SHA256 17569e549c8ac0c12f3bcf4ab524e81ce1874772a657bdae7a170ded020850c6
SHA512 166074bacf7a2a3fe4f31814c8ced032a640fb723e8ec7685e386b81251a96a09094710e2b2a774ec19086e05a84c92047ff80d6cd608c9f4231abbcd7a2f5c6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 73c94e1d9d219899762e456fd02cc77f
SHA1 8e8fff912c9e2c6f17e5630a54295aca4a07ffda
SHA256 aedb95eb05dd70658f6dab1833d0f2b1e5a5a4bdc1b3d343a80e7b3191fa17f0
SHA512 387cd50263e2cd49f35150d85275690b5fd3e44e88db8bd56db9514b5dc80eb1649965c3fcde3fa931dfd243cdbfacda544d86df3ccb7ca23983266624fbaae3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 2760a3b8577b4d3926a516965cfb3c1b
SHA1 446b1e26553861557ef9afb3b98a4d73fa4454a7
SHA256 8a37830f702ddab0f9206d8cc6971a091622c2415b46024453690af7f238c9f7
SHA512 ea2572a2b187e49e7bf1326696c286310f42f3b6d1becd05aee6b2e401e6f684e703c87d5c7c1dc2f70b36df639814946d5ee9d4819bda7cfe1b92699f5adf15

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verC7D4.tmp

MD5 1a545d0052b581fbb2ab4c52133846bc
SHA1 62f3266a9b9925cd6d98658b92adec673cbe3dd3
SHA256 557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1
SHA512 bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\PL0BY74L\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee
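The file list above mixes three kinds of entry: dropped payloads (the IXP000.TMP executables, the NSIS plugin DLLs, the toolbar install directory), memory dumps with no digests at all, and browser or OS housekeeping that the sandbox recorded because the sample drove Internet Explorer and Edge. One entry, the crashpad named pipe, carries the MD5/SHA1/SHA256/SHA512 of zero-length input, so its hashes match every empty file on every machine and must not be fed to a blocklist. The parser below is an added example, not part of this report or of the sandbox that produced it: it reads the path-plus-digest layout used on this page, validates digest lengths, drops empty-input hashes, and separates housekeeping paths from artifacts worth hunting for. The SAMPLE text is an excerpt copied from the entries above; the NOISE_PATTERNS list is my own heuristic, not a classification the report makes.

```python
"""Turn a sandbox 'Files' listing into a hunt-ready set of SHA256 IOCs.

Added example (not the report's own tooling). Input format assumed: a path
line, optional blank lines, then 'MD5 <hex>' / 'SHA1 <hex>' / 'SHA256 <hex>' /
'SHA512 <hex>' lines; entries without digests (memory dumps) are kept but
cannot contribute an IOC.
"""
import hashlib
import re
from dataclasses import dataclass, field

# Digests of zero-length input. An entry carrying these (e.g. a named pipe that
# the sandbox "hashed") would match every empty file, so it is never an IOC.
EMPTY_HASHES = {
    "md5": hashlib.md5(b"").hexdigest(),
    "sha1": hashlib.sha1(b"").hexdigest(),
    "sha256": hashlib.sha256(b"").hexdigest(),
    "sha512": hashlib.sha512(b"").hexdigest(),
}
DIGEST_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Heuristic (assumption, not from the report): browser/OS housekeeping paths
# and memory-dump pseudo-entries are not attacker-controlled content.
NOISE_PATTERNS = [
    re.compile(r"\\INetCache\\", re.I),
    re.compile(r"\\Microsoft\\Edge\\User Data\\", re.I),
    re.compile(r"\\Internet Explorer\\VersionManager\\", re.I),
    re.compile(r"^\\\?\?\\pipe\\", re.I),
    re.compile(r"^memory/"),
]

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")


@dataclass
class FileArtifact:
    path: str
    hashes: dict = field(default_factory=dict)

    def is_empty(self) -> bool:
        """True if any recorded digest equals the digest of empty input."""
        return any(EMPTY_HASHES.get(k) == v for k, v in self.hashes.items())

    def is_noise(self) -> bool:
        return any(p.search(self.path) for p in NOISE_PATTERNS)


def parse_files_section(text: str) -> list[FileArtifact]:
    """Parse the listing; malformed digests (wrong length) are discarded."""
    artifacts: list[FileArtifact] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1).lower(), m.group(2).lower()
            if len(digest) == DIGEST_LEN[algo]:
                current.hashes[algo] = digest
        else:
            current = FileArtifact(path=line)
            artifacts.append(current)
    return artifacts


def hunt_set(artifacts: list[FileArtifact]) -> dict:
    """Map SHA256 -> first path for entries that are hashed, non-empty, not noise."""
    out: dict = {}
    for a in artifacts:
        if a.is_noise() or a.is_empty() or "sha256" not in a.hashes:
            continue
        out.setdefault(a.hashes["sha256"], a.path)
    return out


# Constructed sample: an excerpt of the entries listed on this page.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\CERTIF~1.EXE

MD5 a0fe1191d60d3459d84262f5e3613e6a
SHA1 278b47dc1480ada26c546b4e74388857fa8a8106
SHA256 ca98b7510a17e287b111276e58ccf36d4f5df44c253dbe84d402539e9d91a982
SHA512 584925d6eb712a1c5657a69249482d9823f7d51a6794539c2423fc709449aad647236dd9d775f6a75b19427ca6e3d7546e5d5430d57a6a473fd2a04d5aa2b4d3

memory/4420-7-0x0000000000400000-0x0000000000410000-memory.dmp

\??\c:\proxy\Proxy.reg

MD5 084b0f14ab07ebd84c5cfb0a4d3bc51f
SHA1 f0f097d590223bab722a45656c43fa0300022cc6
SHA256 f8cec4b3c51ea7ca647ca68ba0e6a44a67b253b89a0b51aaddc16f45193c4ad6
SHA512 df880be96693e1252f6ab19d9d98195c736ef169e80faa7cd4d2034db1297a508ef816d4dbc1f3d92da0b7e4d80e6a4c2681c39bc14b1dd1adf34668002cc67f

\??\pipe\LOCAL\crashpad_1676_XRYSLUBZBNMUCEPL

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HT2TD2G4\v1[1].xml

MD5 25a40f949855471562a1a9e465cfed7c
SHA1 c3a563c56fb8323e6c2ee7fa417c45d8384a4156
SHA256 075f1f4ec57dcfdbb2f1b60ffbf9efe0286216c43d0a65f82eae86af66b36127
SHA512 e5b4ed8df62488e7bb9ccb77f1daac251f65cd3251257ab94094df1316fa50a96901b32e7e76e47a4616d763ae54d7134f5d29f030ee7d2399bbe728498fedd4
"""

if __name__ == "__main__":
    for sha256, path in hunt_set(parse_files_section(SAMPLE)).items():
        print(sha256, path)
```

On the excerpt this keeps two indicators (the CERTIF~1.EXE dropper and Proxy.reg) and discards the memory dump, the empty-input pipe entry and the IE cache file. Run it over the full listing and the same filter leaves the Temp-directory executables, the NSIS plugin DLLs and the toolbar files; the Edge `Preferences` and `Local State` entries drop out even though they are listed several times with different hashes, because those files change on every browser start and would only generate false positives.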