ab189ea48bea31159a35dbc810496a47a3fca3368370a04922967a78bdea4510

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation	rundll32.exe

Executes dropped EXE 1 IoCs

pid	Process
3808	Smartbar.exe

Loads dropped DLL 64 IoCs

pid	Process
3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe
3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe
3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe
2748	MsiExec.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
1924	rundll32.exe
2748	MsiExec.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
992	rundll32.exe
2748	MsiExec.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F491-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHistoryClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F630-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D48A6EC6-6A4A-11CF-94A7-444553540000}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\RuntimeVersion = "v2.0.50727"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTCDefaultDispatchClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2AC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLDDElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\ThreadingModel = "Both"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\RuntimeVersion = "v2.0.50727"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2AC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDOMImplementationClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetsCollectionClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLUListElementClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLLabelElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.CPluginsClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\1.0.0.0	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F273-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLNextIdElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCPropertyBehaviorClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCDescBehaviorClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLStyleSheetRulesCollectionClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3D0-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLRuleStyleClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3DC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerBHO.DLL"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHeaderElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{163BB1E1-6E00-11CF-837A-48DC04C10000}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\RuntimeVersion = "v2.0.50727"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F252-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHRElementClass"	RegAsm.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup"	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	Smartbar.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Smartbar.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1"	RegAsm.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\assembly\tmp\BBOHUJHK\Interop.IWshRuntimeLibrary.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Personalization.Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.LanguageSettings.resources.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\RegAsm.exe	rundll32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA384.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Personalization.Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.ProductUninstaller.dll	rundll32.exe
File created	C:\Windows\Installer\e579b17.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\RegAsm.exe	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Installer.CustomActions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.LanguageSettings.resources.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.ObjectBuilder.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll	rundll32.exe
File created	C:\Windows\assembly\tmp\VLKXDRPP\System.Data.SQLite.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Infrastructure.Utilities.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Practices.ObjectBuilder.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll	rundll32.exe
File created	C:\Windows\assembly\GACLock.dat	msiexec.exe
File opened for modification	C:\Windows\assembly	Smartbar.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Infrastructure.Utilities.dll	rundll32.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	Smartbar.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Installer.CustomActions.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Personalization.Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp	msiexec.exe
File created	C:\Windows\assembly\Desktop.ini	Smartbar.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.Translations.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.SetBrowsersSettings.dll	rundll32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.Translations.dll	rundll32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Infrastructure.Utilities.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.ProductUninstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.Translations.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.UninstallerForm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.ProcessDownMonitor.dll	rundll32.exe
File created	C:\Windows\assembly\tmp\4UBBP24W\Microsoft.VisualStudio.OLE.Interop.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\e579b17.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.LanguageSettings.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA395.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.BrowserHelperUtils.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.ProcessDownMonitor.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.LanguageSettings.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{978D004E-4180-440E-B657-E1BB5694C950}	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
752	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\Default = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	RegAsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchUrl	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "yes"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\SearchUrl	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar"	RegAsm.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Search	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\MAO Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}"	rundll32.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=hp&babsrc=lnkry_nt"	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F28A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F493-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{35F0ED97-3328-3F26-958A-A8E5FAB21405}\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2E0ED74B-B69A-3F95-9FD8-66006DB3972C}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{ADCDA984-74EE-399A-B8C7-F16E1D96115F}\7.0.3300.0\Class = "mshtml._HTML_PAINTER_INFO"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2C4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B105EDC3-7FEE-32E9-BCB5-B7D3314D03E0}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B2-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ = "LinkuryTest Smartbar"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLUrnCollectionClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\RuntimeVersion = "v2.0.50727"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E107CA26-9F34-3EA3-A2F9-C8844CC4DE75}\7.0.3300.0\Class = "mshtml._styleFontWeight"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{80A94470-9C4F-3A47-AE2F-E6BEDB44F52A}\7.0.3300.0\Class = "mshtml._stylePageBreak"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17EC906B-6004-331A-8325-B4422D1ED446}\7.0.3300.0\Class = "mshtml._styleLayoutGridMode"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLRenderStyleClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA6-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3FB5C8C6-11BF-32E3-9F5E-6F95AFA8D553}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCPropertyBehaviorClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{47A03182-4FA3-306E-AF15-902E10310178}\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BD371A4C-17BD-3FE8-ABCE-2515081859E2}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLSelectElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTableClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5EB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A5C76C0B-A22F-3565-BA14-863844C9570C}\7.0.3300.0\Class = "mshtml._styleLineBreak"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F28A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F31A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3D4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F248-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLAnchorElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\Class = "IESmartBar.IESmartBar"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F35D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5EB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.ThreadDialogProcParamClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CA10143D-B4E8-349C-9E3E-C78AC463673D}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerBHO, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLUListElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F7F6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2B4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLInputButtonElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{78C1BD14-4E05-34D5-90D8-E821FB657DEC}\7.0.3300.0\Class = "mshtml._styleWordWrap"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.DOMChildrenCollectionClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F172639F-F18B-3756-8450-06866584ADEF}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6D55083F-D6FF-3028-A8A3-95DE56BB6EDF}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F241-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{31C3DCFD-A426-3D6A-A085-C8EBF166715A}\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3E8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLFieldSetElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A982E8A8-31B6-3CB2-81AC-2C185D16EEFD}\7.0.3300.0\Class = "mshtml.__MIDL___MIDL_itf_mshtml_0250_0006"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHistoryClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLObjectElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F280-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DD05F906-C219-3916-B377-597EA9E255C2}\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	rundll32.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4892	msiexec.exe
4892	msiexec.exe
992	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
3808	Smartbar.exe
3808	Smartbar.exe
4788	msedge.exe
4788	msedge.exe
3556	msedge.exe
3556	msedge.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
384	rundll32.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
2248	identity_helper.exe
2248	identity_helper.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe
3808	Smartbar.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	752	taskkill.exe
Token: SeShutdownPrivilege	1008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1008	msiexec.exe
Token: SeSecurityPrivilege	4892	msiexec.exe
Token: SeCreateTokenPrivilege	1008	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1008	msiexec.exe
Token: SeLockMemoryPrivilege	1008	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1008	msiexec.exe
Token: SeMachineAccountPrivilege	1008	msiexec.exe
Token: SeTcbPrivilege	1008	msiexec.exe
Token: SeSecurityPrivilege	1008	msiexec.exe
Token: SeTakeOwnershipPrivilege	1008	msiexec.exe
Token: SeLoadDriverPrivilege	1008	msiexec.exe
Token: SeSystemProfilePrivilege	1008	msiexec.exe
Token: SeSystemtimePrivilege	1008	msiexec.exe
Token: SeProfSingleProcessPrivilege	1008	msiexec.exe
Token: SeIncBasePriorityPrivilege	1008	msiexec.exe
Token: SeCreatePagefilePrivilege	1008	msiexec.exe
Token: SeCreatePermanentPrivilege	1008	msiexec.exe
Token: SeBackupPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	1008	msiexec.exe
Token: SeShutdownPrivilege	1008	msiexec.exe
Token: SeDebugPrivilege	1008	msiexec.exe
Token: SeAuditPrivilege	1008	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1008	msiexec.exe
Token: SeChangeNotifyPrivilege	1008	msiexec.exe
Token: SeRemoteShutdownPrivilege	1008	msiexec.exe
Token: SeUndockPrivilege	1008	msiexec.exe
Token: SeSyncAgentPrivilege	1008	msiexec.exe
Token: SeEnableDelegationPrivilege	1008	msiexec.exe
Token: SeManageVolumePrivilege	1008	msiexec.exe
Token: SeImpersonatePrivilege	1008	msiexec.exe
Token: SeCreateGlobalPrivilege	1008	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeDebugPrivilege	992	rundll32.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe
Token: SeRestorePrivilege	4892	msiexec.exe
Token: SeTakeOwnershipPrivilege	4892	msiexec.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe
3556	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 752	3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe	85
PID 3724 wrote to memory of 752	3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe	85
PID 3724 wrote to memory of 752	3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe	85
PID 3724 wrote to memory of 1008	3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe	91
PID 3724 wrote to memory of 1008	3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe	91
PID 3724 wrote to memory of 1008	3724	2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe	91
PID 4892 wrote to memory of 2748	4892	msiexec.exe	94
PID 4892 wrote to memory of 2748	4892	msiexec.exe	94
PID 4892 wrote to memory of 2748	4892	msiexec.exe	94
PID 2748 wrote to memory of 1924	2748	MsiExec.exe	95
PID 2748 wrote to memory of 1924	2748	MsiExec.exe	95
PID 2748 wrote to memory of 1924	2748	MsiExec.exe	95
PID 1924 wrote to memory of 3268	1924	rundll32.exe	96
PID 1924 wrote to memory of 3268	1924	rundll32.exe	96
PID 1924 wrote to memory of 3268	1924	rundll32.exe	96
PID 3268 wrote to memory of 2444	3268	csc.exe	98
PID 3268 wrote to memory of 2444	3268	csc.exe	98
PID 3268 wrote to memory of 2444	3268	csc.exe	98
PID 2748 wrote to memory of 992	2748	MsiExec.exe	99
PID 2748 wrote to memory of 992	2748	MsiExec.exe	99
PID 2748 wrote to memory of 992	2748	MsiExec.exe	99
PID 2748 wrote to memory of 384	2748	MsiExec.exe	101
PID 2748 wrote to memory of 384	2748	MsiExec.exe	101
PID 2748 wrote to memory of 384	2748	MsiExec.exe	101
PID 384 wrote to memory of 2388	384	rundll32.exe	102
PID 384 wrote to memory of 2388	384	rundll32.exe	102
PID 384 wrote to memory of 2388	384	rundll32.exe	102
PID 384 wrote to memory of 4276	384	rundll32.exe	104
PID 384 wrote to memory of 4276	384	rundll32.exe	104
PID 384 wrote to memory of 3544	384	rundll32.exe	106
PID 384 wrote to memory of 3544	384	rundll32.exe	106
PID 384 wrote to memory of 3544	384	rundll32.exe	106
PID 384 wrote to memory of 408	384	rundll32.exe	108
PID 384 wrote to memory of 408	384	rundll32.exe	108
PID 384 wrote to memory of 4340	384	rundll32.exe	110
PID 384 wrote to memory of 4340	384	rundll32.exe	110
PID 384 wrote to memory of 4340	384	rundll32.exe	110
PID 384 wrote to memory of 4312	384	rundll32.exe	112
PID 384 wrote to memory of 4312	384	rundll32.exe	112
PID 384 wrote to memory of 4088	384	rundll32.exe	114
PID 384 wrote to memory of 4088	384	rundll32.exe	114
PID 384 wrote to memory of 4088	384	rundll32.exe	114
PID 384 wrote to memory of 3008	384	rundll32.exe	118
PID 384 wrote to memory of 3008	384	rundll32.exe	118
PID 384 wrote to memory of 3808	384	rundll32.exe	120
PID 384 wrote to memory of 3808	384	rundll32.exe	120
PID 384 wrote to memory of 3808	384	rundll32.exe	120
PID 384 wrote to memory of 3556	384	rundll32.exe	121
PID 384 wrote to memory of 3556	384	rundll32.exe	121
PID 3556 wrote to memory of 4368	3556	msedge.exe	122
PID 3556 wrote to memory of 4368	3556	msedge.exe	122
PID 384 wrote to memory of 4920	384	rundll32.exe	123
PID 384 wrote to memory of 4920	384	rundll32.exe	123
PID 384 wrote to memory of 4920	384	rundll32.exe	123
PID 4920 wrote to memory of 2716	4920	csc.exe	125
PID 4920 wrote to memory of 2716	4920	csc.exe	125
PID 4920 wrote to memory of 2716	4920	csc.exe	125
PID 3556 wrote to memory of 3976	3556	msedge.exe	126
PID 3556 wrote to memory of 3976	3556	msedge.exe	126
PID 3556 wrote to memory of 3976	3556	msedge.exe	126
PID 3556 wrote to memory of 3976	3556	msedge.exe	126
PID 3556 wrote to memory of 3976	3556	msedge.exe	126
PID 3556 wrote to memory of 3976	3556	msedge.exe	126
PID 3556 wrote to memory of 3976	3556	msedge.exe	126

C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /F /IM msiexec.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:752
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1008

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4892
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 46C158A98109F82C495A0ADB6DCE0FEF
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2748
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI9C01.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240622750 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:1924
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e_sfu0xz.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3268
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA22C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA22B.tmp"
        5⤵
        
        PID:2444
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA395.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240624546 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:992
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIAED1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240627421 73 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
    3⤵
    - Checks computer location settings
    - Loads dropped DLL
    - Drops file in Windows directory
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:384
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
      4⤵
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2388
  - - C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
      "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
      4⤵
      Registers COM server for autorun
      Modifies Internet Explorer settings
      Modifies registry class
      PID:4276
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
      4⤵
      Installs/modifies Browser Helper Object
      PID:3544
  - - C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
      "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
      4⤵
      Registers COM server for autorun
      Installs/modifies Browser Helper Object
      Modifies registry class
      PID:408
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
      4⤵
      Modifies registry class
      PID:4340
  - - C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
      "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
      4⤵
      Registers COM server for autorun
      Modifies registry class
      PID:4312
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
      4⤵
      PID:4088
  - - C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
      "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
      4⤵
      Modifies registry class
      PID:3008
  - - C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
      "C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
      4⤵
      Executes dropped EXE
      Drops desktop.ini file(s)
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:3808
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7c3ulrem.cmdline"
        5⤵
        
        PID:2264
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9E8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC9E7.tmp"
        6⤵
        
        PID:5064
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ieku54w7.cmdline"
        5⤵
        
        PID:4988
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB30.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCB2F.tmp"
        6⤵
        
        PID:4936
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cpqadejx.cmdline"
        5⤵
        
        PID:3908
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBBD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCBBC.tmp"
        6⤵
        
        PID:1440
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psix0ynf.cmdline"
        5⤵
        
        PID:3860
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC69.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCC58.tmp"
        6⤵
        
        PID:3312
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0oqnrzs.cmdline"
        5⤵
        
        PID:4812
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD15.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCD14.tmp"
        6⤵
        
        PID:1348
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkgh7eqo.cmdline"
        5⤵
        
        PID:4996
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDB1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCDB0.tmp"
        6⤵
        
        PID:5064
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6gdgd8mj.cmdline"
        5⤵
        
        PID:2504
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCE6C.tmp"
        6⤵
        
        PID:4312
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2h9jkvp.cmdline"
        5⤵
        
        PID:3588
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF47.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF46.tmp"
        6⤵
        
        PID:3412
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mlp0_klx.cmdline"
        5⤵
        
        PID:4832
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFE4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCFE3.tmp"
        6⤵
        
        PID:3476
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1yythvym.cmdline"
        5⤵
        
        PID:2368
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4996
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0CE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0CD.tmp"
        6⤵
        
        PID:4896
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ynet.co.il/
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:3556
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe4a946f8,0x7fffe4a94708,0x7fffe4a94718
        5⤵
        
        PID:4368
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
        5⤵
        
        PID:3976
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4788
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
        5⤵
        
        PID:3912
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1
        5⤵
        
        PID:4520
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1
        5⤵
        
        PID:3688
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
        5⤵
        
        PID:4300
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
        5⤵
        
        PID:1652
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
        5⤵
        
        PID:4404
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2248
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
        5⤵
        
        PID:4428
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
        5⤵
        
        PID:2716
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
        5⤵
        
        PID:3696
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
        5⤵
        
        PID:1472
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1
        5⤵
        
        PID:2648
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
        5⤵
        
        PID:4016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v-4kc_-f.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4920
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC7A5.tmp"
        5⤵
        
        PID:2716
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lq4tl7vi.cmdline"
      4⤵
      PID:4924
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB21.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCB20.tmp"
        5⤵
        
        PID:3008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

Defense Evasion

Modify Registry

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery