Malware Analysis Report

2025-01-18 22:17

Sample ID 240430-nltpysbb7y
Target 2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia
SHA256 ab189ea48bea31159a35dbc810496a47a3fca3368370a04922967a78bdea4510
Tags adware discovery persistence spyware stealer
Score 8/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 8/10

SHA256 ab189ea48bea31159a35dbc810496a47a3fca3368370a04922967a78bdea4510

Threat Level: Likely malicious

The file 2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia was found to be: Likely malicious.

Malicious Activity Summary

adware discovery persistence spyware stealer

Blocklisted process makes network request

Checks computer location settings

Registers COM server for autorun

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Checks installed software on the system

Drops desktop.ini file(s)

Adds Run key to start application

Installs/modifies Browser Helper Object

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Modifies registry class

Suspicious use of SendNotifyMessage

Modifies Internet Explorer start page

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Kills process with taskkill

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-04-30 11:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-04-30 11:29

Reported 2024-04-30 11:32

Platform win7-20240221-en

Max time kernel 150s

Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe"

Signatures

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F252-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2B9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4BA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLGenericElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5D8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{163BB1E1-6E00-11CF-837A-48DC04C10000}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\ = "mscoree.dll" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F241-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F248-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLAnchorElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTitleElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.FramesCollectionClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5F5-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4BA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetRuleClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F281-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F282-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLBaseFontElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{163BB1E1-6E00-11CF-837A-48DC04C10000}\InprocServer32\Class = "mshtml.HTMLLocationClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\ = "mscoree.dll" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLFontElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F491-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\ThreadingModel = "Both" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3D0-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.DOMChildrenCollectionClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDefaultsClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F273-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLLIElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLNextIdElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{163BB1E1-6E00-11CF-837A-48DC04C10000}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\ThreadingModel = "Both" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetRulesCollectionClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F272-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.FramesCollectionClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F35D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLStyleSheetClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F241-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A

Checks installed software on the system

discovery

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A

Installs/modifies Browser Helper Object

stealer adware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Installer\f761f05.msi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Resources.UninstallerForm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\assembly\tmp\C8KZRW3L\System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.SetBrowsersSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Resources.ProductUninstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\assembly\tmp\CDRKKUY4\Interop.SHDocVw.dll | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Resources.SetBrowsersSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.UninstallerForm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\System.Data.SQLite.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.ProcessDownMonitor.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\assembly\tmp\G9HRDF8X\Interop.IWshRuntimeLibrary.dll | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\Installer\f761f08.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3100.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Resources.UninstallerForm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\assembly\tmp\M52GD9J6\Microsoft.VisualStudio.OLE.Interop.dll | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f761f0a.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Resources.ProductUninstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.ProductUninstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\assembly\GACLock.dat | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\System.Data.SQLite.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.BrowserHelperUtils.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Smartbar.Resources.ProcessDownMonitor.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3816.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI20AA.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI3111.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A

Enumerates physical storage devices

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\ynet.co.il\Total = "196" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=3d5efad4-48a5-4d53-ad77-ecc4db840d94&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\ynet.co.il\Total = "256" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\ynet.co.il\Total = "293" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\ynet.co.il\Total = "222" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "202" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=3d5efad4-48a5-4d53-ad77-ecc4db840d94&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International\CpMRU\Enable = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\International\CpMRU\InitHits = "100" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\User Preferences C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\ynet.co.il C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\ynet.co.il\Total = "231" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "196" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=3d5efad4-48a5-4d53-ad77-ecc4db840d94&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{F346A491-06E4-11EF-A3B3-6A83D32C515E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ynet.co.il\ = "196" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value elided) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=3d5efad4-48a5-4d53-ad77-ecc4db840d94&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\ynet.co.il\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "256" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MAO Settings C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ynet.co.il\ = "222" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "231" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ynet.co.il\ = "293" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ynet.co.il\ = "256" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "222" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=3d5efad4-48a5-4d53-ad77-ecc4db840d94&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Search C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.ynet.co.il C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=3d5efad4-48a5-4d53-ad77-ecc4db840d94&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=3d5efad4-48a5-4d53-ad77-ecc4db840d94&affid={affid}&searchtype=hp&babsrc=lnkry_nt" C:\Windows\SysWOW64\rundll32.exe N/A
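The two tables above mix the hijack with iexplore.exe's own bookkeeping (DOMStorage quotas, Recovery flags, Window_Placement). The rows that matter are the ones written by C:\Windows\SysWOW64\rundll32.exe, the process the file rows show loading the installer's custom-action DLLs from C:\Windows\Installer\MSI*.tmp-\: Start Page, Search Page, Search Bar, Search\Default_Search_URL and the machine-wide Wow6432Node\...\SearchUrl\Default all point at linkurytest-feedrouter-westeurope.cloudapp.net; a new SearchScopes entry {006ee092-9658-4fd6-bd8e-a21a348e59f5} carries the same URL under both HKCU and HKLM; DefaultScope is switched to it; and UseHomepageForNewTab = 1 routes new tabs to the start page. iexplore.exe also sets DefaultScope to {0633EE93-D776-472f-A0FF-E1416B8B2E3A}, the GUID IE uses for its built-in Bing scope; the sandbox table is unordered, so which write wins is not recoverable from this page. The script below is an added triage example, not part of the report: EVENTS is re-typed from the rows above, the HKCU/HKLM prefixes abbreviate the \REGISTRY\USER\<SID> and \REGISTRY\MACHINE paths, and the list of "steering" value names is this example's own.

```python
r"""Triage IE search/home-page hijack indicators from sandbox registry events.

Added example, not part of the sandbox report. EVENTS is re-typed from the
report's "Modifies Internet Explorer settings" and "... start page" rows as
(operation, key, value name, data, writing process). HKCU/HKLM abbreviate the
\REGISTRY\USER\<SID> and \REGISTRY\MACHINE prefixes. STEERING (the value names
that decide where IE sends searches, the home page and new tabs) is this
example's own list, not the sandbox's.
"""
from collections import defaultdict
from urllib.parse import urlsplit
import ntpath

FEED = ("http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest"
        "&dpid=LinkuryTest&co=TJ&userid=3d5efad4-48a5-4d53-ad77-ecc4db840d94&affid={affid}")
SEARCH_URL = FEED + "&searchtype=ds&babsrc=lnkry&q={searchTerms}"
HOME_URL = FEED + "&searchtype=hp&babsrc=lnkry_nt"
IE = r"HKCU\Software\Microsoft\Internet Explorer"
IE_HKLM = r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer"
SCOPE = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}"
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
IEXPLORE = r"C:\Program Files\Internet Explorer\iexplore.exe"
IEXPLORE32 = r"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"

EVENTS = [
    ("set", IE + r"\Main", "Start Page", HOME_URL, RUNDLL),
    ("set", IE + r"\Main", "Search Page", SEARCH_URL, RUNDLL),
    ("set", IE + r"\Main", "Search Bar", SEARCH_URL, RUNDLL),
    ("set", IE + r"\Search", "Default_Search_URL", SEARCH_URL, RUNDLL),
    ("set", IE + r"\SearchScopes", "DefaultScope", SCOPE, RUNDLL),
    ("set", IE + "\\SearchScopes\\" + SCOPE, "URL", SEARCH_URL, RUNDLL),
    ("set", IE + "\\SearchScopes\\" + SCOPE, "DisplayName", "Web Search", RUNDLL),
    ("set", IE_HKLM + r"\SearchUrl", "Default", SEARCH_URL, RUNDLL),
    ("set", IE_HKLM + "\\SearchScopes\\" + SCOPE, "URL", SEARCH_URL, RUNDLL),
    ("set", IE + r"\TabbedBrowsing", "UseHomepageForNewTab", "1", RUNDLL),
    ("set", IE + r"\Main\FeatureControl\FEATURE_BROWSER_EMULATION", "Smartbar.exe", "9999", RUNDLL),
    # The browser's own housekeeping, logged under the same signature:
    ("set", IE + r"\SearchScopes", "DefaultScope", "{0633EE93-D776-472f-A0FF-E1416B8B2E3A}", IEXPLORE),
    ("set", IE + r"\DOMStorage\ynet.co.il", "Total", "196", IEXPLORE32),
    ("create", IE + r"\Toolbar", None, None, IEXPLORE),
]

STEERING = {
    ("Main", "Start Page"), ("Main", "Search Page"), ("Main", "Search Bar"),
    ("Search", "Default_Search_URL"), ("SearchUrl", "Default"),
    ("SearchScopes", "DefaultScope"), ("TabbedBrowsing", "UseHomepageForNewTab"),
}
BROWSER = {"iexplore.exe"}   # the only process expected to touch these values


def _ie_subkey(key):
    """Path below '\\Internet Explorer\\', or None if the key is elsewhere."""
    marker = "\\Internet Explorer\\"
    i = key.find(marker)
    return None if i < 0 else key[i + len(marker):]


def analyze(events):
    steering = defaultdict(list)   # exe -> [(hive, subkey, name, data)]
    hosts = defaultdict(set)       # exe -> hosts its steering values point at
    scope_urls = {}                # SearchScopes GUID -> URL registered for it
    chosen_scope = {}              # exe -> GUID it made DefaultScope
    for op, key, name, data, proc in events:
        sub = _ie_subkey(key)
        if op != "set" or sub is None:
            continue
        parts = sub.split("\\")
        if parts[0] == "SearchScopes" and len(parts) == 2 and name == "URL":
            scope_urls[parts[1].lower()] = data
        if len(parts) == 1 and (parts[0], name) in STEERING:
            exe = ntpath.basename(proc).lower()
            steering[exe].append((key.split("\\", 1)[0], sub, name, data))
            if name == "DefaultScope":
                chosen_scope[exe] = data.lower()
            elif data.startswith("http"):
                hosts[exe].add(urlsplit(data).hostname)
    # Resolve each chosen scope GUID to the URL registered for it, if any was seen.
    for exe, guid in chosen_scope.items():
        if guid in scope_urls:
            hosts[exe].add(urlsplit(scope_urls[guid]).hostname)
    return {
        "suspect_processes": {exe for exe in steering if exe not in BROWSER},
        "machine_wide": {exe for exe, rows in steering.items() if any(r[0] == "HKLM" for r in rows)},
        "hosts": dict(hosts),
        "chosen_scope": chosen_scope,
        "steering": dict(steering),
    }


if __name__ == "__main__":
    result = analyze(EVENTS)
    for exe in sorted(result["suspect_processes"]):
        print(exe, "->", sorted(result["hosts"].get(exe, ())),
              "(also HKLM)" if exe in result["machine_wide"] else "")
```

The same logic applies to a live host: dump the HKCU and HKLM Internet Explorer keys with `reg query` and feed the rows in as events; anything other than the browser itself setting these values, or any value pointing at a host that is not the user's chosen search engine, is the finding.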

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2AE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{84385E4D-357D-3D36-976A-725E44ABB78E} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3FCB7A29-B2EE-3458-93FB-68B840DF3DC0}\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F630-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D48A6EC9-6A4A-11CF-94A7-444553540000}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B} C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D0A77F11-94B6-3863-BA84-FFCC85309928}\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6E7B0F28-0DDC-3AFF-A175-CD28A181C7EC}\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5F5-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F316-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLIFrameClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F25D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B2-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLDOMAttributeClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8C0A7C91-D77F-3637-9090-08B639665910}\7.0.3300.0\Class = "mshtml._htmlWrap" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLLinkElementClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F280-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3E9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0B6629F3-9B9B-3017-84F8-9580573810D8}\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F80E13C0-EF26-3EDE-887E-8EA2498C0B99} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F282-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7716A370-38CA-11D0-A48B-00A0C90A8F39}\1.1.0.0\RuntimeVersion = "v2.0.50727" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLLabelElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F252-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2AC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLTextAreaElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BD3026D1-A1C0-386F-B46F-71131FA56E4B}\7.0.3300.0\Class = "mshtml._RemotableHandle" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4BA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{78C1BD14-4E05-34D5-90D8-E821FB657DEC}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F278-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLIsIndexElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F28A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0D4F52BA-91D9-3585-B305-F8AAF0B1DBAC}\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5E8433C3-CEE5-399A-883B-0FBB33FA9689}\7.0.3300.0\Class = "mshtml._styleAuto" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2BDB5CBB-72A0-3779-B85A-B00325551F92}\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.IESmartBarBandObject C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E937FBB3-7ECA-3FA9-95E2-FB9266F8A306} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5D8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLInputElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{44F8A905-4739-3126-A4C7-C719CFD0F7CD}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8C0A7C91-D77F-3637-9090-08B639665910}\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{777BF24E-A6C1-301D-8F59-25FC964EEC68}\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C8872B56-D98C-3C12-B8A9-9F81495D11D3}\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F25D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLEmbedClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17EC906B-6004-331A-8325-B4422D1ED446}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCDescBehaviorClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\ = "IESmartBar.SmartbarDisplayState" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 2772 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\taskkill.exe
PID 2372 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 2576 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 2468 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2468 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2468 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2468 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2468 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2468 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2468 wrote to memory of 2660 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2504 wrote to memory of 280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2504 wrote to memory of 280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2504 wrote to memory of 280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2504 wrote to memory of 280 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 280 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 280 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 280 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 280 wrote to memory of 1556 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2660 wrote to memory of 1504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 1504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 1504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 1504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 1504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 1504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 1504 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2660 wrote to memory of 2288 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2288 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1120 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1800 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1800 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1800 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1800 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2288 wrote to memory of 1796 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 96520081D9CE7D0E8115DC9C245C8927

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI20AA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259399897 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j474wrh3.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2444.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2443.tmp"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI3111.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259404047 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI3816.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259405856 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"

C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe

"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"

C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe

"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"

C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe

"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"

C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe

"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"

C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe

"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" http://www.ynet.co.il/

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sxjczocc.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES476D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC476C.tmp"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2380 CREDAT:275457 /prefetch:2

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ccsum_lo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES48E3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC48E2.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bt3upqis.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4941.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4940.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dbzswklo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES49AE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC49AD.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\85h7jb9z.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A0C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A0B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7z7h2ep7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4A5A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4A59.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wvz_kgst.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AA8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4AA7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t8imu7pi.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AF6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4AF5.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hldngcfp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4BFF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4BFE.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gi6zkxbp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C6C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C6B.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cyl32rbv.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4D47.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4D36.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-z8nylfe.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES566B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC566A.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7pcc3vm6.cmdline"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "1134078504-5333251316573746993217681451498692252-157495060818701150971983980631"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES59B5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC59B4.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lj0ooqag.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA094.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA093.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 cloud-search.linkury.com udp
US 8.8.8.8:53 linkurytest-webservices-westeurope.cloudapp.net udp
US 8.8.8.8:53 linkurytest-webcomponents-westeurope.cloudapp.net udp
US 8.8.8.8:53 linkurytest-webservices-westeurope.cloudapp.net udp
US 8.8.8.8:53 crl.microsoft.com udp
US 2.18.190.80:80 crl.microsoft.com tcp
US 8.8.8.8:53 linkurytest-feedrouter-westeurope.cloudapp.net udp
US 8.8.8.8:53 www.ynet.co.il udp
BE 2.21.17.161:80 www.ynet.co.il tcp
BE 2.21.17.161:80 www.ynet.co.il tcp
BE 2.21.17.161:443 www.ynet.co.il tcp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 totalmedia2.ynet.co.il udp
US 8.8.8.8:53 ynet-pic1.yit.co.il udp
US 8.8.8.8:53 securepubads.g.doubleclick.net udp
US 8.8.8.8:53 cdn.taboola.com udp
US 8.8.8.8:53 totalmedia2.ynet.co.il udp
US 8.8.8.8:53 cdn.flowplayer.com udp
US 8.8.8.8:53 imasdk.googleapis.com udp
BE 2.21.17.161:443 totalmedia2.ynet.co.il tcp
US 151.101.1.44:443 cdn.taboola.com tcp
US 151.101.1.44:443 cdn.taboola.com tcp
US 104.18.7.158:443 ynet-pic1.yit.co.il tcp
US 104.18.7.158:443 ynet-pic1.yit.co.il tcp
US 104.18.7.158:443 ynet-pic1.yit.co.il tcp
US 104.18.7.158:443 ynet-pic1.yit.co.il tcp
US 104.18.7.158:443 ynet-pic1.yit.co.il tcp
US 104.18.7.158:443 ynet-pic1.yit.co.il tcp
BE 2.21.17.161:443 totalmedia2.ynet.co.il tcp
BE 2.21.17.161:443 totalmedia2.ynet.co.il tcp
GB 216.58.201.106:443 imasdk.googleapis.com tcp
GB 216.58.201.106:443 imasdk.googleapis.com tcp
GB 142.250.200.2:443 securepubads.g.doubleclick.net tcp
BE 2.21.17.161:443 totalmedia2.ynet.co.il tcp
GB 142.250.200.2:443 securepubads.g.doubleclick.net tcp
US 8.8.8.8:53 middycdn-a.akamaihd.net udp
US 8.8.8.8:53 tags.dxmdp.com udp
US 8.8.8.8:53 butterfly-button.web.app udp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
US 8.8.8.8:53 static.cloudflareinsights.com udp
US 8.8.8.8:53 images1.ynet.co.il udp
US 8.8.8.8:53 c2.taboola.com udp
US 199.36.158.100:443 butterfly-button.web.app tcp
US 199.36.158.100:443 butterfly-button.web.app tcp
GB 23.73.139.48:443 middycdn-a.akamaihd.net tcp
GB 23.73.139.48:443 middycdn-a.akamaihd.net tcp
GB 3.162.20.116:443 tags.dxmdp.com tcp
GB 3.162.20.116:443 tags.dxmdp.com tcp
BE 2.21.17.161:443 images1.ynet.co.il tcp
BE 2.21.17.161:443 images1.ynet.co.il tcp
US 151.101.1.44:443 c2.taboola.com tcp
US 151.101.1.44:443 c2.taboola.com tcp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
GB 3.162.20.116:443 tags.dxmdp.com tcp
GB 3.162.20.116:443 tags.dxmdp.com tcp
GB 3.162.20.116:443 tags.dxmdp.com tcp
GB 3.162.20.116:443 tags.dxmdp.com tcp
GB 3.162.20.116:443 tags.dxmdp.com tcp
GB 3.162.20.116:443 tags.dxmdp.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
US 104.18.7.158:443 ynet-pic1.yit.co.il tcp
US 104.18.7.158:443 ynet-pic1.yit.co.il tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
GB 18.165.160.82:443 cdn.flowplayer.com tcp
US 8.8.8.8:53 linkury.blob.core.windows.net udp
US 8.8.8.8:53 fundingchoicesmessages.google.com udp
GB 172.217.16.238:443 fundingchoicesmessages.google.com tcp
GB 172.217.16.238:443 fundingchoicesmessages.google.com tcp
US 151.101.1.44:443 c2.taboola.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 stats.g.doubleclick.net udp
US 8.8.8.8:53 time.nist.gov udp
BE 64.233.167.156:443 stats.g.doubleclick.net tcp
BE 64.233.167.156:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 www.google.co.uk udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.178.4:443 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
GB 216.58.204.67:443 www.google.co.uk tcp
GB 216.58.204.67:443 www.google.co.uk tcp
US 151.101.1.44:443 c2.taboola.com tcp
US 151.101.1.44:443 c2.taboola.com tcp
US 8.8.8.8:53 cdn.permutive.com udp
US 8.8.8.8:53 upapi.net udp
US 104.17.118.17:443 cdn.permutive.com tcp
US 104.17.118.17:443 cdn.permutive.com tcp
US 8.8.8.8:53 iframe.ynet.co.il udp
US 8.8.8.8:53 w.ynet.co.il udp
US 8.8.8.8:53 cdn.brandmetrics.com udp
US 8.8.8.8:53 events.browsiprod.com udp
US 8.8.8.8:53 yield-manager.browsiprod.com udp
US 8.8.8.8:53 static.chartbeat.com udp
US 8.8.8.8:53 s.skimresources.com udp
IE 34.249.200.254:443 w.ynet.co.il tcp
IE 34.249.200.254:443 w.ynet.co.il tcp
US 8.8.8.8:53 cdn.exelator.com udp
IE 63.35.51.142:443 w.ynet.co.il tcp
IE 63.35.51.142:443 w.ynet.co.il tcp
US 54.69.25.197:443 events.browsiprod.com tcp
GB 13.224.81.62:443 yield-manager.browsiprod.com tcp
GB 13.224.81.62:443 yield-manager.browsiprod.com tcp
US 151.101.2.202:443 s.skimresources.com tcp
US 151.101.2.202:443 s.skimresources.com tcp
US 172.67.69.191:443 cdn.brandmetrics.com tcp
US 172.67.69.191:443 cdn.brandmetrics.com tcp
GB 18.172.91.153:443 static.chartbeat.com tcp
GB 18.172.91.153:443 static.chartbeat.com tcp
GB 18.165.160.93:443 cdn.exelator.com tcp
GB 18.165.160.93:443 cdn.exelator.com tcp
GB 13.224.81.62:443 yield-manager.browsiprod.com tcp
GB 13.224.81.62:443 yield-manager.browsiprod.com tcp
IE 63.35.51.142:443 w.ynet.co.il tcp
IE 34.249.200.254:443 w.ynet.co.il tcp
IE 63.35.51.142:443 w.ynet.co.il tcp
IE 34.249.200.254:443 w.ynet.co.il tcp
US 8.8.8.8:53 connect.facebook.net udp
US 8.8.8.8:53 analytics.tiktok.com udp
GB 163.70.151.21:443 connect.facebook.net tcp
GB 163.70.151.21:443 connect.facebook.net tcp
GB 13.224.81.62:443 yield-manager.browsiprod.com tcp
GB 13.224.81.62:443 yield-manager.browsiprod.com tcp
NL 23.62.61.121:443 analytics.tiktok.com tcp
NL 23.62.61.121:443 analytics.tiktok.com tcp
IE 63.35.51.142:443 w.ynet.co.il tcp
IE 63.35.51.142:443 w.ynet.co.il tcp
IE 34.249.200.254:443 w.ynet.co.il tcp
IE 34.249.200.254:443 w.ynet.co.il tcp
GB 13.224.81.62:443 yield-manager.browsiprod.com tcp
GB 13.224.81.62:443 yield-manager.browsiprod.com tcp
IE 63.35.51.142:443 w.ynet.co.il tcp
IE 63.35.51.142:443 w.ynet.co.il tcp
IE 34.249.200.254:443 w.ynet.co.il tcp
IE 34.249.200.254:443 w.ynet.co.il tcp
BE 2.21.17.161:443 images1.ynet.co.il tcp
US 8.8.8.8:53 googleads.g.doubleclick.net udp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
GB 216.58.212.194:443 googleads.g.doubleclick.net tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
GB 13.224.73.189:80 ocsp.r2m02.amazontrust.com tcp
US 104.26.9.27:443 upapi.net tcp
US 104.26.9.27:443 upapi.net tcp
US 8.8.8.8:53 lh3.googleusercontent.com udp
GB 216.58.201.97:443 lh3.googleusercontent.com tcp
GB 216.58.201.97:443 lh3.googleusercontent.com tcp
US 8.8.8.8:53 www.youtube.com udp
GB 172.217.169.78:443 www.youtube.com tcp
GB 172.217.169.78:443 www.youtube.com tcp
US 54.69.25.197:443 events.browsiprod.com tcp
GB 18.172.91.153:443 static.chartbeat.com tcp
US 151.101.1.44:443 c2.taboola.com tcp
US 151.101.1.44:443 c2.taboola.com tcp
US 151.101.2.202:443 s.skimresources.com tcp
US 151.101.1.44:443 c2.taboola.com tcp
US 8.8.8.8:53 alerts.ynet.co.il udp
BE 92.123.51.247:443 alerts.ynet.co.il tcp
BE 92.123.51.247:443 alerts.ynet.co.il tcp
US 8.8.8.8:53 cloudflareinsights.com udp
US 104.16.79.73:443 cloudflareinsights.com tcp
US 8.8.8.8:53 google.com udp
GB 142.250.200.46:80 google.com tcp
GB 142.250.178.4:80 www.google.com tcp
GB 142.250.178.4:443 www.google.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\smartbar\Setter.dll

MD5 8b809d7fdef6c276791186b0d97ae839
SHA1 ad1202b0578aca08feee0f6937a14ec66fc7d653
SHA256 ee7ce728fc421cd33250ad55c5ef0effa3ecc71a0f2ac3b918636dee0f5f84d1
SHA512 aef7f1eba4fc8942c67873fd48377bbcfff83aafc0f7a5a32d85df00f13ceada6c60544b57c674b4e9595e7f67ef24f5855b9ce27bdab045fb9502b349f91539

\Users\Admin\AppData\Local\Temp\smartbar\sqlite3.dll

MD5 fec17d5fb09a03376d3aa204c65562a7
SHA1 2966508d76523b2c2d28713612b472e7256c66fc
SHA256 1e384af4479ba64bd2fa02b00603205c4b0a99a468cfa4cc33cdca7bac845bec
SHA512 4e250955a0b6e2a22d41cf24eecc88d3a36de1308c089d8f8ab02beed434f0ed44583f048ca2b436788b7c80ec1c7f0cd79166b3e62d040566c99aa536b9c11e

\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll

MD5 0fb00dcd1887e0e1339c630137c422f4
SHA1 40e83a2b22610e3d718dff15955cca69b54d7d2a
SHA256 d9cc21c8899168bbd783d8488405af97f19a18f2402d76683fb3f08733f402c3
SHA512 66ba4cc70217ed30f3a5c203e0515025400e03ccd605ab4151ebcaaa078a67c8e9d36d5c7ccbd1883a1a75de5bb5b5c04dff1a975d3e1c0a5cef4eccae4be4a1

C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi

MD5 ab3c448a172f887a9a41a98bc37baeb6
SHA1 4f564531b856433e34755d5f28ed91db09238fb0
SHA256 e59bd7fa9ff296101ce04bbdff361af630a4dbe5fa2020d5da11e9ecd8e490fd
SHA512 413960883fca3da12fbef69b6501a114fa9f7e9f2e420fc6bca69a8feb19b110745fb22e8709058ac187c13932efb84921e0e31d0adad99ec2f0a6b1d063e6a2

C:\Windows\Installer\MSI20AA.tmp

MD5 50431b75630bbf6b3c245e3c675a90c7
SHA1 3e99780baa1447056e63bdb677f4d3248e65d855
SHA256 4bbcb65193711559141311b1bbcde46471a3836248a96b374c4316e1e0cee161
SHA512 62377d84c8db9ef2361db6adc65efd6835405b945156e7680d6c102b4184d5a259dd61ca3822173781ec09d2f2d7784ce62bee256138b0918e01768629257050

\Windows\Installer\MSI20AA.tmp-\Microsoft.Deployment.WindowsInstaller.dll

MD5 34d4a23cab5f23c300e965aa56ad3843
SHA1 68c62a2834f9d8c59ff395ec4ef405678d564ade
SHA256 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c
SHA512 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c

\Windows\Installer\MSI20AA.tmp-\Smartbar.Installer.CustomActions.dll

MD5 6e7e63c2978f2139fc480fa3987c2454
SHA1 494c95837404aea3a17f558a70124350cbe0b665
SHA256 ef4fbe7fb8ea3db0a6c1d2e3ea85dbdc3b2fe9e203eb4f47f286f9686b70b0c9
SHA512 8201f6808cebbf8054fd430605d3f792ccf30816d115cee6087b856d07abb7198a028155113ca66d39a6aaf9c8cf33a40c50e1d40a358050d70a7cac8f8ff097

\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll

MD5 5828e61533ad8765e34c8bd5b2684768
SHA1 819ca2ba6ceaac7042f0d106f9bbd5b299dea954
SHA256 026e85591c1d8f9f6f9103ba5aa1c18ba23c28bd57e56823f4e11ac0abacd4f3
SHA512 b5fb79e30c3ca749a5478231ca3bcdfd558db9ef0d87852849b29e6554af305b4eda4f4be9b24e0fd4fa3e371d413f19b0b5f1e1f913b9e31dcb8e5b0b1442c8

\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.SetBrowsersSettings.dll

MD5 68462e5ccace2103619f9501c7accf51
SHA1 54e402eef5863227eb1128e17ccfc96bcc1b0c73
SHA256 bc31faeea673328c8624334b8d9f699a71221a570043d43f90d1f4672939e776
SHA512 162c45d1775e0c77ec6b7c7bbf483142a020193f6f07812e4e48c1686cd791758736d75317f3c796bba30464a92f41fd95c80d8a1d176f13aa7aa6623a13066e

\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.BrowserHelperUtils.dll

MD5 528b6340928ec73f7d3726396e3b8607
SHA1 36fececd456ed486e83185a39266aaa93d9a3851
SHA256 aaecb4c15e8a307714a92d2d962c12b35943058165369140abeda750fdc2bccf
SHA512 8cc45713604754832c6f70883f67996564d62e6c41f660fd3c69dd1900c50afa4360b97842c95e9a0fcb39007070549d8bbae069dedd1573511de99b33bf26ef

\Windows\Installer\MSI20AA.tmp-\Smartbar.Infrastructure.Utilities.dll

MD5 5514445cbc6717bc543e993a27b45614
SHA1 463fea10195dc9d95c3b185ddc0216154f138843
SHA256 515f391b52077e9c54f0dab77b39195378b12be557af43be4d60d078a9c59c2c
SHA512 1aceac5534980905717ea30424ef3c8822cec68093ff3dbaf4ea7be52efb2db7f2869bffe5a059c401c50c852d387882233bbba6db544ed77ee81ddd2eb613b8

\Windows\Installer\MSI20AA.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll

MD5 685a150a95abcc23eff7167e45b55eee
SHA1 7f6f6e6fb67b4eb578598f423ea284e01e12da00
SHA256 29feba57a0184ab164d6c5d0195c3b9c1f21e120a5853eee0afc6a66c5ef6a29
SHA512 f499ad24337adec2e78a6a4236877b27530d61deaf73cc09263f34c66c0ea84fbcdb057a70dd692c79e1608b69bc8945eff6ee346bb0a4efb3c8c5d4a2f8e703

\??\c:\Users\Admin\AppData\Local\Temp\j474wrh3.cmdline

MD5 23f5724739645ae5ab0da82273181171
SHA1 5f40175d736d0d931b041a9e2ca44b133e0a15c8
SHA256 6720302b00e40f075c4c16d4afb74d6331aa4b4396cb4f36cda48dc362a66d52
SHA512 7aa731aa5a58d2f8737db0b2263b9f82bee45eda71ef0ae14997d1dcdfb2fb749c76125f7b72d5e997f9e3ad0c4fe4b4054d6f241bd70a0efa0fc16b72224eb5

\??\c:\Users\Admin\AppData\Local\Temp\j474wrh3.0.cs

MD5 80d63b882b411290f39d49cd220b9099
SHA1 c045a403ee8e63bf0f745ae71d573371cc5fd547
SHA256 588b5a7b7054402f78db94a328401454031310687eb90aa81871d3dc029c9da2
SHA512 df6ddc155b36e3440023b3cfe7b6f86aaa8c9a525d2154fc432f4db03068e8ef0734da57fede2606e011d70392b3ae4744ce11387d23267b656eca2028a207bd

\??\c:\Users\Admin\AppData\Local\Temp\CSC2443.tmp

MD5 9309c6f9d635d8e3ea525e9dbf1db3e7
SHA1 8ff2cf1be969fd372f16362bf0fc443c8e8583e7
SHA256 c9d26599d1c056148abaccf6c9f7c4110daff507c67ed79513105b4915a7c515
SHA512 a265348dc0c10caa6d8638cda63362f63f0a69fe416d3cd589febe2e74b650071b663533d88d504607a11ead7c0da1cb88bc68064ecc45229f5591864825f80e

C:\Users\Admin\AppData\Local\Temp\RES2444.tmp

MD5 89c20a4d6fbf9a14aa987692433de3e6
SHA1 bdeef5ed9fa576270b4a330b6ff454c436eb1d24
SHA256 51fdf44f5fcbd7c53ad48398b79398280e3b7b0ea6d8453771c8103aecb49799
SHA512 b5f4db8ae9f066d08a6d1e552ae430a5d084df0f2fbef2a43e2babdc8969e179b2f40dbfc12bab96aeb4dd08b25ca39c006c5a178f87678f6a1049cbf3f2ea26

C:\Users\Admin\AppData\Local\Temp\j474wrh3.dll

MD5 6a0a02a78ac291640eed2ce6ba0d60d0
SHA1 79cf611f9736d7e4dffd5d90cf586a50ab26dedb
SHA256 d0665e6cbbb09933f28d430a68e19d5d05950f799db142ef7f6d346e317e5f93
SHA512 335b06a905fd5f4a0b7ca86357a859204dd3f57910fcc4d35b35c4217341a1c9e88142164f6d41e818fd7a05681340e65d0bd8e639bbe14baf8681ecd319f9f2

\Windows\Installer\MSI20AA.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll

MD5 7868ed46c34a1b36bea10560f453598f
SHA1 72330dac6f8aed0b8fde9d7f58f04192a0303d6b
SHA256 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176
SHA512 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba

C:\Windows\Installer\MSI3111.tmp-\CustomAction.config

MD5 796621b6895449a5f70ca6b78e62f318
SHA1 2423c3e71fe5fa55fd71c00ae4e42063f4476bca
SHA256 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84
SHA512 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

MD5 e2afcd44f03640cb955547472864ebb7
SHA1 7e081f8f79d2f364123378b843cf412e9786c682
SHA256 a262c908f6ac958f98fe88712c27dc24120af57792cd67f5e42b3f5d5376ff26
SHA512 54d022419caaaf539ecbad37c33b5b97b0b84115d3056dd9ffd24645cdf49e54dac86616a1262e2c2692aae10ab53cc651884edd551ad82a8dab7e5f594d3c54

C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png

MD5 e6ab030a2d47b1306ad071cb3e011c1d
SHA1 ed5f9a6503c39832e8b1339d5b16464c5d5a3f03
SHA256 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c
SHA512 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163

memory/2468-608-0x00000000003F0000-0x0000000000400000-memory.dmp

memory/2468-611-0x0000000000420000-0x0000000000446000-memory.dmp

memory/2468-641-0x0000000000EC0000-0x0000000000EE0000-memory.dmp

memory/2468-727-0x0000000001E60000-0x0000000001F43000-memory.dmp

C:\Windows\assembly\tmp\C8KZRW3L\System.Data.SQLite.dll

MD5 5b3d3a627813bcef2d7a8651941f2a96
SHA1 18713ace817081d3b99bb71e01030842345dc750
SHA256 2f7e3f285a523b3d918fe8b3cbd3d42d2380835779a1a8b50ccf6bb365a915bc
SHA512 fc6754246a071a40bf64d8a66bb7b4f926f031dfe17c25a3e7d37d8421757afad99837f28bf754fb894ca0e19f7b13850557b208b21c4566479619e77cafdff3

C:\Windows\assembly\tmp\CDRKKUY4\Interop.SHDocVw.dll

MD5 cc0611a32becda6d37695f38755a891f
SHA1 2b987c4cbe8de69b40f4096d424aca5469f90fe5
SHA256 9daf27aea3c266457e50501cbaf1485a81c15f2dc51a84609bb5417d286a2769
SHA512 bcae75594167257341ac903fbe2a7cb4da6b49044bfaad6bc523f2efcf8aac98a417564d48cdfc57fafa7a74c6a7041b725a7b5112082b499ff2d23d05bcccac

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

MD5 7d82602fd39678499b81f256f18f9a36
SHA1 d9be0c95408764f46400804cfc55cd61a58356aa
SHA256 c8c01f78b52dbd0a9c0d290a555e3d1f37388d3fb00136c070d3ccaa84404b68
SHA512 f6bf079799e97643e3ae1ea8d04704f60204babb64a8d7e0dfe8dbe66117eeddcb893d0b2e081838217af5153b0fe1fbe0627523ce13f20bc309cfcd11e96ec0

C:\Config.Msi\f761f09.rbs

MD5 3ff2934c9da2476e95fff8b9b4e966ed
SHA1 2825436abb17279b7cb548642b7894203786ddc2
SHA256 21e50cdc00936b15ca05246ceedace6d2b23833a72775986bc1ac1093510edfd
SHA512 409843739950451852987d842f9fee158ff7ebf0b68b58286a677b65eba2d3e943debacb02d4cb386cbab6a27c369359176b21ecc71d2fffa3e6a511537d3b2e

C:\Users\Admin\AppData\Local\Smartbar\Application\hahpwxde.newcfg

MD5 579a6d1c598c872127d8cf326ea131f0
SHA1 bea8f3a87b19972d50f6bab15de95d442f3e1575
SHA256 11b64b9a084c7b0bc34a89f03dc65356626ebacf3a7ca3148822151c87f8d236
SHA512 3fb709a8931dc21644d796aaf37ffda4c8b5af1f5050a4053b4a265d59be96179b7bbe8da7939dc70779f2bafc29d27c07d41df95feb98fb769d179d0b731d89

C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

MD5 0be303ed4cf1b6a49b4a81479a0ad1c8
SHA1 88748f992eb2042b2bb04c41b5d015dd8ebc4fa6
SHA256 ef01c5ec76d0f43a2cb79023bf829b34671dd652beca34cab258677e87ecb542
SHA512 14df5f8149f62e17b7741c71929f69fa37e0d4326a67998f2dce65c67bd37caae9be0fcd0eb55974ea0c271943363644e1d605ab328b31f9d97b16687df0c3e5

memory/1800-844-0x00000000009D0000-0x00000000009E8000-memory.dmp

memory/1800-845-0x00000000009D0000-0x00000000009E8000-memory.dmp

memory/1636-846-0x0000000000A20000-0x0000000000A46000-memory.dmp

memory/1636-847-0x0000000000A20000-0x0000000000A46000-memory.dmp

memory/1524-848-0x000000001C530000-0x000000001CCD6000-memory.dmp

memory/1524-849-0x000000001D490000-0x000000001DC36000-memory.dmp

memory/2780-850-0x0000000000890000-0x00000000008B6000-memory.dmp

memory/2780-851-0x0000000000AA0000-0x0000000000AC6000-memory.dmp

C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\PublisherSettings.xml

MD5 2abe611701543aa2466068aa14911b69
SHA1 f76194c23ce68539fee686a23b963c163e6387fd
SHA256 c3579133e8fa2594d61a754baa38f8614c2b5e85a3cedb6b1c5881fdb358aaa3
SHA512 62a4f98f82c5fc2aee85120f223577518dc9a41bc80ce6179f9b1557bc7e127ede57f9059f39ed86ad782ff91f31fce69449a38adda4168145cd179568d5a30e

C:\Users\Admin\AppData\Local\Temp\Cab472E.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar4A2B.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

memory/2372-916-0x0000000060900000-0x000000006094F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 d8a65c7c8d79e13f6ef8804c85e664a1
SHA1 52507d024235b02931f6370bece12273aca08151
SHA256 df6b16807902eccaaba8b8e14e2837cb396cbcd41bf78b5d70c9ca4a3682ddb9
SHA512 4b3e489bd2c7fe4354dfa400eafba47428c244f1ca1eda8806a992101435a9dd385aaffaadf3409d3da3704f2bde9e55b8491d3d5b1145e2675acda6a62580fa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 6b11a0efea747a4cffd2e63ca1740a2f
SHA1 73a789f0f821196c6f615091da661b95ecb80a35
SHA256 20794b29b0d071e4b632bea0446b1dea7ef431942d5c87f8f1d7895f68059367
SHA512 8326060ee845aad3b9bb7c8e7699a23d4c5748f7aa784110d27aa30e0c38af0c3dce6226f031344efc2cf7600b373de208662935836b8c4e82c3b887416a9ba5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

MD5 761ac792b305b1e44a6657f715096443
SHA1 5c62163f7aad193ed60eff51f1c7cd3d6e102907
SHA256 737acd6df06ccbf4bfea938d03aed1ee3f44af8a8ed8098dc9678b6321b52fe0
SHA512 683a16885f8216682850423ff37dc21fb9041eb6ced9b64ba18fe8b2393bfd1652b99cd7f582d0c6c705ed96667b4131414ed5a13a2a7cb7165102ee649949c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Users\Admin\AppData\Local\Temp\Tar4D24.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1993583f35c377c49217ea1f7f34d051
SHA1 c6de1e38d3818a1daf00365aa397c795b5ea455d
SHA256 63924dbf76faee8ea997a0e550a1f263b2639169177a5186fb33720e5353c5a4
SHA512 8f48d0df855e9042a4fd945fcc3b3909efe4ffce2f1a7e19c023cab20332a31867d4a07d28598b622825f31cd5bf5aad59fb32f0166ea710f37860775cf16309

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 28924b66530a8f3d2780105898efa18a
SHA1 16f191a179090b3de6e3fa87f36b35b823f8d979
SHA256 ee6fb53863c7e1093e670307139eda49e201deb950abe87de94d301a586647ea
SHA512 cf32f96b4828859b4f9568945ff72a733c60586bd9fdcc58a1fd6add03473310e83c2dc65639694273abbdbce7ca4dae844d2d91c21741b6d245bff0abbc1001

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f26f25f101c2ee79fbc0272516219e7d
SHA1 d84e98a5ad1b7389502139ab5b9b774a97984039
SHA256 0c4ac7d202e07e54ee2e062c73a1082e1339189fef82f2cd4f906b2651dc775b
SHA512 654610139995f9b1f817393d98ff30ba4b20a6234b85c9fd9eaa374f72609781e7608c893b86f385c948778f2970cbf8c94114ebdb3d8e09f18ac75b7e7a5b61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9df5a85e083a48acef6bdc8ed7e31014
SHA1 09a7fdd72696eb0cdf0af3267de77eba225c3888
SHA256 aa19d49ee2139c6b40566c8265265e332aebd5284f219a3bfce6eaf17a88aad0
SHA512 492d30dc8e9c027e1d339a31f7db13334961815e3231e9f9b1b73766b1f5ade2c56531667f0785ade03fa6e0b7fba8966c654bd66931f83fd50daa764104d3fd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 304aa579edb95688bf3ed77fb05b943e
SHA1 6cf5f658332357f11650274ecd6b977c4e759399
SHA256 efd2ffcac9e06c559f3d81651b7b222879841d166eb6626d49cbb87cca59da49
SHA512 eef7a8bfbc93958c7ef22b1cb63b00824dfbaf441c7d03b168a096c77ddb54955596e130a03d4a78252a5d13b3f8518db9746046fd8a5dbcddf1460c6e04aa8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 772a591c2ef568f35cf4e68cd0511fc5
SHA1 cd4337e070963c6123459266d8ab7e66cfee9eb2
SHA256 0d1445f0fb4e81725142c8200911416a5f85f79e7f17aef9c9fb9eaaa66e5e11
SHA512 11fdca42fbc611145abb566e4b9d5f9b4732f135337607d1641bcd5d111f5f67318cb5036f65bd75eb5d2a3d147556f497f00d28e9930e6b6e0768f208881839

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 aa4137dcb6795c7ddfa88ca97454a787
SHA1 fbf0bfe4ac8e0828ae5b1068df9c17b6beba0993
SHA256 242442ef6d91fe6222da3dc7d15acad1cc8c0c79c3043bd4a53116bdd39efaff
SHA512 f78d98b3dfc75f35cbb2792be3430748b8744cf5e37a97cdddeaed546d3163df02ff7029337698336eb988389899703cb8ecbba5602c2c45a0900eab0c3e0277

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a8c881efcc0be8b66e740c811ef21483
SHA1 946c495f8ac7f7bdc35f0ce23989c669b8e8e350
SHA256 8627381517d71dc61108fc7c35cc10e5e1f6372b39ea293860e5707e3ea82d81
SHA512 ee682806aa23e26998d3716839ab2ce60feafbccd7f0f4c4fd4356ad5672d27ee332f4954dd34501d807b85ee89bdc838a263a1c8fcd99960016b3b876e382ba

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8553024eecd342fb4be8bede6d30c236
SHA1 589cbceb4e17639a26d9b9657f98abf5579e9136
SHA256 8c58c805eae7cd1f3af72fc3e466c1049575ccbcb21fb461129079c31fbb72c1
SHA512 3a64dba0ecb75790ed0a445f4692fe2d68ffd008bfe27e96b642124e423c31fecfb4e4d95e0389f4d5e4699c69d58d8533028045e928e76ca1b98dfff3c3d179

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ed3674f5c591c1d1701c0dfd5f8ef9f4
SHA1 ba5a83d50fbbbf7e58c4782d6adc89fe010d4e49
SHA256 aa01c28c77072b97446d39accb1be62e044c9820b3d0dd2686cbf75ac272d59a
SHA512 1c983376d0b7b030c12bf2ebbb5f683ef1eb2f14fe649e6f198f145c5dd577ea0ff5b7a93a0e31be9a35de01fd8ea7cf8c4c56ef638a1f0665e0f932735ce43b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 83aa37a809909941143f60b7f7a47150
SHA1 db6774be1cbbed0bf6dd07dd9aef087beb8a1186
SHA256 438e5c49bab78e74e0c4ec695e6e73dfe780dea04c66fa32cf40f556ecce4ce1
SHA512 e22b81afa80e37d1c87fc9c7395f8271f36f82098e9b47bb5f801d53647359e8d8c2eef90a4d78cea344282c340f9f89901f42532dced4354c1410778c7c9ded

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

MD5 f3364b2a47b4fd8b42df6c653c3be8ab
SHA1 d13e4c6bdfb15dd16a6d10b198a2ac54e5bfc140
SHA256 5783656acbff592bbe2334d3ddcf3ba4c63c75719faa93b69726199e19c4260f
SHA512 578258a4a22b8a10982c390b7de3912b335a3539c0a0d976952b6682e1335bd98101eea51d0760a3577f132b1f68845b15bce6cace72230d76bd5fd038c2055c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9f6cbda3a81e1dcaec492d984de5eaa9
SHA1 bff77023fdfcd0d40c86dc1816eddec786e26daa
SHA256 3523d5d4a0502b68e44a592625cb887e95a49413a484201eb8ae19383ad15a42
SHA512 a92b622e27df5c9b34b7250a42843187975e4aebb614470a5bfa0bda43f5545bf3199ac0fe09ee14f6ef7d06f1a94d383d5ac9dfb1d33e25389aca66b74ffeb9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 04f55693f112c3464b92c0be8b3ce4c0
SHA1 ac92428808061a63e9376c143249337992637125
SHA256 17a29f51e8fb912d6913ee258dded96f76ad5314d1560a7240d2f87ac692923b
SHA512 7d7c2de34f6e3d738afc906e1f6ff942c226f7fcdc1e44b486eb0b3def3a3e1b7bd2a0ffb401b76ef7eb5b01abd03522a703c949e4c23f22de5777aca4230142

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 30870fd47037debe8f8923e647e2b187
SHA1 573ae09143819cb49bf3c518c876415f010181c3
SHA256 8c1b0245df27dd213788ce26f3022e02831c7f7b1dcbe88c80bc4413286a86b1
SHA512 247974eecdee3ab32f6ed0fa9e459e96a06bc82b89bce39c10971e439d4862137066900104f6ccaa37b2bab4a27432ba2f87619cb3485bd8b0a3ea1f3d498d39

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb72f9ebbb8b8af5a540f0aa52d3b882
SHA1 051de78dfe03d463e3ba5a634b3336cce67e4bba
SHA256 1150272f9b332deda76b25220d07232030c3b276726bb48b42372c551e18ff7a
SHA512 ab4bf9148d1fc0e94f6f24e71bfd4692106f300bcb22b39fb7de54df2451d2f33de7f3b63677a3233ce5dbd91d15428b3113f4d1b46bd591ccf026592b7c9bc3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d6f62023720d8198b87c8e1d222da978
SHA1 e9f08a3653ae2e8a99bd219c4da6d1cdeae228af
SHA256 4676abe82b755403c905ec1a1b05b810d2cd116ffa535d1b15000ea9b9b2fa85
SHA512 96387367a6293cf6a57eab9941cee8cd07d50e1a2ae97a19a3f50cf64f8ad2555fbd438ae753ab3cf7a54c96c0f277a0d1b26d868543242add08e5e4d0392f87

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 acd22d4bde91616f3af5b7472b44da4b
SHA1 d1f7e37b6840515edf2e41cba8d56acd5393e88a
SHA256 2ffc923271bab5cec907f6d219c4639fab723ab9ec00e60bf5a8c1b2dda00dca
SHA512 cf8cbc7d6ca25ecf078d8b59137d8ce259b5c2604651a94c029b796912aa4db1072e5f1673c501d3ee6e8149cc5d692534612750607d0fa79e0c480922b96ccb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f6dea75f4caaef0c5cce7b79710df5f3
SHA1 00a04f90b0b98a2f54242535ef61dec4d1cd9ac4
SHA256 e9b53d48835d8f9d5b96ffc2f62953287b6fe748d8b0c15424fb2c764f02a339
SHA512 37c99ee2701091a86062d1081e3ddcb4fa370ed1f89d46d0c99ce99228981884aa80d6d757d85746fc46647de2203006d8a303d7c3f25d6f5e02c1f1cd3fa29b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 cdb74beb1bfb3e872e78ecc3b874ef75
SHA1 c41bc9ec2b1f0f1dfd4321687b7737f7be0285c0
SHA256 675f59b30b61f5d86c184fa9f53f1225815b8f446df43dc70882c10d9825fe1d
SHA512 8649e604a8ff5ee1ae150d6762e8d8f7f45babb29d9924bc49ef7d00462b2a8be317be06e9f6b8c20fcc54c88f6027d060d55ade01639694e9acf80eb9558a66

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 02e9b944828eff10b77acb872929f6b1
SHA1 380110d567e60a27e445f597aa230dfda124d774
SHA256 6498baf30d446b4089621d9639288b416b21a936cb2f0bf9642f077089e0b9df
SHA512 df21edc859195ab6d011498e5d25896c22592bcdb76e6180ee3750122a6654cd96eafedd1670fc976650b26b6706717503b77466cf900be8456161d94bfaf2b8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfaca32856814f9e252f19ac610788b9
SHA1 08e2947089e3c45e006e79574f65841a474698f0
SHA256 ec0315eeae9fbdd80f4b0036599cad46b37dd0f871390138d8bffbf3fd78e6f2
SHA512 3287f45efcf4dde14b4a89ba414bfd481ce189069cd6b5de2c365f52c9741d96bc7f4a11f8fd9db853f15561c22abf00a3bdb902208fbbdfd6dd053a19c60671

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 47ab50611cddbe2643e5316c3218b7ae
SHA1 e52b4f2ebce1bd238981c880b5aeb5011f4222c2
SHA256 9d15b551f5f5f6960759941fd10347dccf40fea8974176256c83ad776032576a
SHA512 a196d4210140fe1e94131f5d6d4bced697b4790ceae730aa5cc19a14023c87498fc7b2b8207eb23ae80f56f61e3d0c5833931a19acd3e62d5d46955069d405c6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 784320c407031cce4e67ffa7fac55ddc
SHA1 1c865a28d9cec084198b6917c9eed651c27f41aa
SHA256 6b2c9a47bbb7adcfd87a2ab5205ab54dd9e1f2982f9201ca1e3603275fb08005
SHA512 0cc22b66a80fd71694c04d7b8978de048ada1e302071dab2d29fea5290b50f37d8e75fad7df7226ba6211f929e24b6c008eb811697f0c1cd0a039e3eb83ad11d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 d9afcdc7ea2d16d13f6c4697075b6056
SHA1 f3b69ea1644dd940710249eab77793648053f35a
SHA256 250b9f31e81061e679b24d6690447faf9832bd218adf3c3727cb6c28a6e7300f
SHA512 0c95249921b8f8434e6790676e48bd80868830ad065999cd632132294394e7ca871dc4725d62f00c88e87bd85a83a9537cd2ec0a717ec87f8c1a9c3ed7420051

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3a0cbc732540dabadcc4e83e2aa86f97
SHA1 93598733fb8fdf492f0f6730c79786a8586c64fb
SHA256 c0e9be6d52a6db5b2e7162bcb4e89ef67d736d62524fa0d150dd8bc4e297fa33
SHA512 6edbc6a99559ee6b7ad510157914b6f44cbadf28b85d0a28e812b6ca818814f604596a2e1293cf2b97afd24e85242f405eab60c8f748992417f0b041ce535b61

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

MD5 620b5edcb28975133b1b84eed3cd2336
SHA1 9238e176d1599e97c41dd647fbfff719d791e617
SHA256 944cb5fc08eb1e407c2a788f59e7c9fc36c4380c1966523c1f9c6f03367b8316
SHA512 6dc78189956bd401feb1d8849396edbdfa91423b8f78324f283ba80994deb78a946b21e80d1f2dbd0776e9ea660c3a58912399a13a7a0a988502db8ab1abd4ad

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8f587be3785c44f890ee60cd28c81c1a
SHA1 bbc58cab254f7a27cacb511de0abb2ced668adff
SHA256 46c4ae4299979cbddd2f453e82adcacd0adc8a6e7ab82e721d66e528f5fcdf25
SHA512 cdec956ad1b480ebffee27728a49ff6f42b592896f959eb8d30402d4672050ab4c472a4492238099de179c640f283e98e51171fd47008d2a4501328df11b6772

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 da5ba5fb960f735f1c3ecc6fa579ea99
SHA1 08c297e751898abd27b799bd16ebd7b9f970ace8
SHA256 47f8b007f0ab43419f108f31aa144edf86de78d20d52ed27441726281193adce
SHA512 d8544326c976566332cb3d2544809f3b4ee35d2f3ee01aef362ae6a124b6728b6446e9ee39bf14550bccda4d1f21a41078f470fef56192f0a76da2aeef2dea97

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 80cc30952d9fe7641b09d5b5dac1d544
SHA1 154257227bd540ab5cfebd79ce48f575f9af7395
SHA256 7e162c5ba59ee446057a8ad96ef2737f9e35061dfd29d271d0a44df9d96f74db
SHA512 a90340a37841860331c3049fb8b4dd73b5615d7e5f735182850a957009af37846dfafa81f7ad80a4f2bc34a9e972dd6a5a9fbaddfbc3aaec95c9d3e21f7efc7d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f3525d69920224bb3c5bd6f02b467f1b
SHA1 74834db6251bfdca260cc38fa7d3dba97e813457
SHA256 cc62d1c616e79f6254844e4396411e52dc62e9eab65b65358f57d1e630db191f
SHA512 c15796530ece0f66d0657d13321bbc1185197395f55592b88e547a3d8d9e81881f22ebfca58e7976c3bc7b468a23234d193fcdccc4c4422244db59a95053353c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b5d5b94d441685c0b673eff524c6fce1
SHA1 6d411286e9344ca79f6ad10638cbb68f75f2591b
SHA256 4fa7ae5a4c8ee408dcbce51bcb6f6704d4bfcb52c9bbeee8f497b1048fc05cd2
SHA512 09215e14c7daa71a07538df22e5517754b29eb33f23b9c7249911a41c94c4414410c0565c5a4692a72c128348e3dfcd1c67bbda29b514bbde93f279d1a4d3030

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 43269b0c0f93a917a3ef07e79d643ac4
SHA1 56f89a6577463f4473d21a4aaae9cd966688b456
SHA256 338b4d8f864611694661d94e59270f35653114e056b7d0b767472bc5ac7359e8
SHA512 cac80c9af8318fc142f0523506415cad561fc2f33fdd77b0abacd06e1a5ce193a6b59054ee92a00fd8f440b46059f08a2f746e6c92d29da6edcb567bacb1678f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 207a25607f9b695ce1223da4088c8300
SHA1 4a94478c9572de3a71c96bfaf4959420f8e2ff44
SHA256 ae5c010da735def93b6dce27dc54c06da222eea3a14cbffd3020e856ee83aaf3
SHA512 4c0afaab6aef532e9d8ef3dd25185699bc45f15e8183df387efa85bc87720772d8136bf87a90600aa387d9a7738b1d10155258826c26a983083986abdf83b168

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 04be89bb66eafa2b2b64663573323b81
SHA1 cb5cd2ce4b36d08eb40642e35bb7669cbaa20230
SHA256 419ea4ed30519d306d7f5e81640cee2da6a59fd5325d54725503849344ba1c73
SHA512 07f62ceb37d16deb3cf176115ce52e8a6a2cb3eb9c1d6420a5a6f9652d88b5c42765d9c635333d2ca59a288579aaad4cd8264676245ece814c14d9614f2a7bc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ee6a5ba39b5f3972d6b701d4c481e0df
SHA1 274e32dbe52b99d3fb4a1f504d211d5140caadf8
SHA256 f76698ee7bc789ec1e88c9c53a71aca2391eaae277233a89ffdfa34ca2ad1e7b
SHA512 1d59918236ade4c34aea19a827f89b1e44c6e4bd20806ada522d2cc87cbbf25f47d34537e8cdb692b6138b021169b6b686bb1735c71495d3741779836cd34abc

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp

MD5 c38ea50a9d1b652272fdae5db82c9404
SHA1 d7444179c921d090b4e5d954997087bc0004e69f
SHA256 b5e3708f123a02f980e4e8397a055b98dceecdc754bbb67872e8bf3651541742
SHA512 b91d23e89ca310a4cc9bbfc9537880e1b0c09d0ebf28fa1514258110f3fe33493f24145430093c9d1eb6ddcac8ef25ed74eb0d0c2c8c0544c1cfe2dcf206e2f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79cfc8f2d48200e50e3fda7b33dcd6ac
SHA1 8dcb2d589a96bb0f41781b18b15ba5c13da4d46c
SHA256 223797290280fe522bd2f5bdfa565ee83709cb6bfb703bd94c335430caa0440a
SHA512 be5c6ba15b6812966841397f7901ba41d02b9172599f1d578a3b23fc9c7c63292555d39a5aaae644a7265fe5ca82a6046a1dc91dae45427b19c0c361fd371982

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 71f9323cda209c77519f58282e59e0c7
SHA1 67d533660bf5731fdc20783740cdfdca023e89ba
SHA256 ad15633639555850e913f127fcd3a68d5bfc9bee567e7941a1de38941b8c15a9
SHA512 82edce745944f1c31a6da1003a508cb15618a8ce315118b1b4ac38ca480b118797668eed25a78e44d2828b34b83f5c0a3a58fd9b257052568c48a4bc05f9e928

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20e5abe6dd3fede542904dd1af32d9e1
SHA1 8b213ebeebdd5b2a25722bdf352e65870f40bad9
SHA256 1556c679c639c052ac0048d73ffd9d40d73b52c4a8f34329da0ec7866fbab34e
SHA512 5362cdc6092301ed066ae5f05a069957c91fcbfeaf4349dd6eaf39a8d8807c561321547263ffedaa64655a33955bc0d70a05f33dc960e015c31b2e198ebc4ddb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a642a67b2e56f4d4a7df33c1ac0b88b3
SHA1 ab353fd7e1e64baf43056ec948fa3a35ed67edf4
SHA256 cf4971310e0c1034523ec8d182e44e35626d76101d0bf32efe10b3217f0eb60d
SHA512 d143c013da3ff86a609ca70ff1039c05c26200a898642b7a1a1a4858b55a110595bfe88b87206bace9438afba0a9847be0472cd974bdcbfa3031127b1233c1f9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 406febfbb8ef2ae8643d5d7ab07bcbe4
SHA1 7eff5bc5301384b7478ac4c47b58d286d1d063a4
SHA256 264fc90791662e168b46dd7dbda8ff6423e5acc5e74f84c490957cad091fcc7b
SHA512 e5869be10b1ee83360baafbc9bbd6a7f3ee7d0f13b8a6bcd9f914d7ad2f0d3195aa8ac0f5b2a06a84fa483f4a321fcc564b49f2073c5a71a175555c650df6af2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 08a4183eb651d926deff036cead91adc
SHA1 a072b247936c1390c962cd643a46db6765856f66
SHA256 95f902e6030c92757e8f30cccec3a2f07409a9ba2f83231391b189c604bd6a05
SHA512 4bf8f38354efb8343797a9865f0c9d17136c8be74e5a467042d516d43a23cb29ccbefc7744287d394069dc0822b521c1f3e326200b43a17d1244c191d098314d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\1LMHRUFL\www.ynet.co[1].xml

MD5 b5c92c186122a944772a03dc0b2f6d01
SHA1 8d124cf5bdf9d614f8c7ff324322f40bc5dfd87e
SHA256 c679056b007637425a44703257904fafbf8ef1d599f500b45f429c8740699616
SHA512 777a432d4083dfebc891f9f7a5a192c79338df213339cf7b76c9e02db32bfb623aed8de34905d1c17cfc3b267f5a93d7ebeb5976928cfd8acdb03d4b6647ccd0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e0b70610066c356a5f006c8702286fe1
SHA1 cd359c63a5f8c1ce066a69a1d86b64460f3fb7fc
SHA256 abfa1f0d4fc590f948fb1b3a450e55171b0e6c2c6bc791e4c7dba0a9c13e7853
SHA512 bd90b50ccacf2019936f3328ef47d8557d312e7a735e54c51671794f560751cf8674ce4e673e13ee78d7c6619737f24b820f16c5098ab101990dc325e48ba4a1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b549945915d808f7b983309fa3df5fb3
SHA1 5cf4150e05a8b478e0be7d700b3b94ddff0b77d5
SHA256 09280cc547795b4345b1c177f04319c623c409967fe1b396144b524710d157d6
SHA512 371046918b43f19607931926378b55a585b6dd74ec3313d4da3983aaa389c38addee8ff87014bc1d5f8fdaa6b825016847d3fd54d86addb482c3d9c344177745

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31572ec39eb0a47cac065be8c14d3172
SHA1 b97a4933e4814be130dd1c8d9e64da771c61ef64
SHA256 dca918ee1bc1c55413bb29525215de41813a4c855922824399cd2c53e82d122b
SHA512 3b6ea8809e73f982531ebfe04d1763158e9748ae15f8ce8355f267c50f5404887cf703510c7ba15b83b6b1ad9b3283cc5fc0a7c25b078b0e74f02455c485e5bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b6856c8dc091c66c9226aee9d414d97f
SHA1 6af753cfd366782b08ab7a5f8e032a189b6e510f
SHA256 8d53c60eac97d8b9fad1c3a321739bfc8c485937ecd245fcb396c4aadb97edc8
SHA512 5bd68f273f29a443b48a6878646295928693716945c3bc2e6e88e588f8071f9f43242c6141de0248ebc6652d9bcd776385af40b9aa5d3cf9c86c9db78e45421e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 760455c7a89e658719447e8bd2f35095
SHA1 b1d845a4809cc4e2cbece0dc11834b06b467c814
SHA256 e656aa25955e4674cdedabc18fe107bacbdeb097f8e642205e3e2bfada9b117b
SHA512 3bcc050fc4306d535a8f6089e1743e613543216185177fc1aa9467e44036122d279fe0362ff806b6027fc3fb2f3cd5c13d2630c4de4cc13b099e600de37cbd1a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4387f0d5fc99dd458396f532bfd0c048
SHA1 42268ce38428e4103dce9c89a61f451622f6f9f2
SHA256 93ba9ef84cfd145036a99622f94696d7e847ec10fd2cabf15e156dc45a064ba9
SHA512 cc65ec20141df192207668e620f77443cc3f4d3cbd1bf9428fef09f99565a341ddd1162477422f9da2b9c669113cb09d2a245e253e8be723477f0977a8bc3005

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\1LMHRUFL\www.ynet.co[1].xml

MD5 a290a04673437b09897cccb46045567b
SHA1 a67744eb33e43f6c55a686f1914d9a5e4f2d77da
SHA256 9a545c62f600cac9de23c800a535d3bb48ea0acfcf36be549fdadd304a45a5a7
SHA512 de6dd2728f5b61596a03612402da024b69be7e589e941286486bd259397623784ec5207e99fddf0e1e42b6db5bdb5b3d0d7df201c4a511c3de00f7f084b656c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4591af713f42e0c7ec1748b019425756
SHA1 cd792d68ad777f97f01106a43011ab05871257ec
SHA256 a1ecc598daabde156f333215363622df7ee8a7eef3675fc9c476c30212c6545b
SHA512 b7e76fec48dd309022d7a96dc362a5c2d4a2f99161e87add12b1db2458c49e0b26fdf409f952d7db375b871d1e22b6099cb8f59029c9a087f3df95dc7e85fa7b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1

MD5 c5dfb849ca051355ee2dba1ac33eb028
SHA1 d69b561148f01c77c54578c10926df5b856976ad
SHA256 cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b
SHA512 88289cdd2c2dd1f5f4c13ab2cf9bc601fc634b5945309bedf9fc5b96bf21697b4cd6da2f383497825e02272816befbac4f44955282ffbbd4dd0ddc52281082da

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1

MD5 b38f1edbebd16e757878b490843de552
SHA1 e721d65f279d8b6cebc9996eef2df5cf21afe48d
SHA256 f955219c02e525addfd3ff813b360b8e6439efa39818f5c56d9b69c3d3c8fc20
SHA512 b0e588afd8e3b3083a9aa183dcf4775de38521452fe0a843c42dab61c520cc0188ed386c8d5cea7cb6f07f6b6ffec250ebd9de145119dab3aea213f32c974525

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6e48c3552eb7bb3881665e8855de0063
SHA1 01f066643c424b137ec9486a5205d5122e392331
SHA256 1703494ce7c07c97d9fd288611864f3469d3f3e2fa4e7f756e9d3509ecbaab06
SHA512 9e623ac85c67d4568c163cd015e21c4cf696c72a68969cfea8a3680ac140c00c96638d58ddd53743e6dae485272f1c40e8c7b61b8e0f56c58c8ee53fe9a3fd0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 838c21c6ad2ea008e17404957d1a795b
SHA1 b8096c24ac613417b07629f68d813fc1056c7b1d
SHA256 21407b4baa88462b7aee8053f8d90c2c9d5881a2b94557cf971721e4589c5840
SHA512 cdba01165bb6b7fcf17b352f969751bbc51fe7439e91169a7e73fb61d678a573f849d89f2bd88283e02b37d861c6839891fac8ba87d2a18e90193de7bdd4cc86

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\1LMHRUFL\www.ynet.co[1].xml

MD5 853d77219c5dcc5204ecec33c89ecffa
SHA1 16e58e21e841b91aa70d0274a5d3236c73f91196
SHA256 5c8ffcdf354d01960a740794fe644b35700931cba14e3325a7049b5a383766b5
SHA512 24908e8d68322178772d7e3c3000fc57af318927204756ee51b260d2afbd893a2759d50fe2bef06b2026f64184d681544d9e3f30025990a67d63c224627b59e3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f20d76bf27741290d736c545398d9149
SHA1 c1d0aee086ae56082aa534799110f46a8a50e5bb
SHA256 4896ddd679aa4be93e9ad211ff3ed981427bf2971cb3a231d20ee796bb93d999
SHA512 3930919f4fcadea31ccd4c05dddc009e255835d64d660f9175d3a41a759fcbb0bd59450fb8c8f668f616ce243dadf7612f31739e56279aecf31202d39231f875

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6cc1025c5a597f13fb49786853267b6d
SHA1 e6240c62312d73c7fcee20f7fb8fcd9e7cb34afb
SHA256 fb7ef9d36a2e6b2e70fd8ecf00c7abb7ac40e7988bc5516fc1b7414ad6c37e61
SHA512 41ac9714ab56f77f81460c249be93fccc772e7b2d628f6f3113ddcf3b9b4d4f0d0b053195bb2a4f8b44baf390027c1463f529df59dbbe42e9da954bd3c413a72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_8BB34D7AC6ADCC019FE5325FE9DECAE8

MD5 0de4b1e877cd28f29237595c0e9bcaff
SHA1 05e55e976ea7ba88d8e9ee08c425bcb1de86afb4
SHA256 2d95f56e9d83aa94e5994a64dcf7545cccc47fc5c4f5e32693a854bbbaab4e97
SHA512 fbcc57a8bacbf1bd8235fcfe441cffeae75a00890d923ed6f2d4593605f9dae5ad88fcdce327079d319f6cd351dd79f3b153f43b891f0caa90404963ddd10b6a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e7a8874260e4b3ca6065cb6db532c58e
SHA1 4b875f0c224977a683c759674295cd8b77c70e6c
SHA256 675c7b311a24c5b5eb557083607921a9b7a4fab30e7c9f3f0ee8ee6f537f3a41
SHA512 9d3e223dcc58f0529fcba190507062d540fc4781c660a546cb2fb32d55d442d1f4f822b1c0a0a38fb9b4adc8441f51cdb8a8935177e6935200adfc4af7f4b688

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c57b90fbbfdf3c2ff62654ecc32cf80a
SHA1 7da272357bb88feeca72574881deaced187e08f2
SHA256 4af7ba0032639913050e7229ea8f64a9ff37d4444133639bb2539a8930263b6d
SHA512 0f99ce5e3305515b529449e72f509265977c2fc52d97ee2eec06d0d31455c27665b232472c8a0382a19c031a612b1fb480d3b1cd0e81f857d1e7359b5cff003b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b949145f3e20638e947d2bee80c21da3
SHA1 8aca88059ea92b237fa153a658b3339bd5e6fd4f
SHA256 14c9723dbdbfea1c4a5b2ea74b0a6fee3285f16f836441c8a1da68d7638869a2
SHA512 3dd637ceeefb4f00e9e7671307008e6508714fa1d6206fa54a7a321fbc4c6e8d99ef89b60a2ff2f2427add2f785199141be150f1b54d7a7bcc37cff138f24045

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e5500d057cf3b20eab5c66bf47057984
SHA1 4167e4f60fec930e07ffc5bf72ddd273412909e2
SHA256 e079fbca15266aa1c7786e5c5cd6899bc44b6ded93e0b40f5345e2484c15c19a
SHA512 8d74649ab88c580f1253d8692c63c5e3f26f6e4995007db57811d080c5ac0bbe89fb4b52799f32e7fc9ea79ea1cb3bc4782a9cdb1ce1b2bb919fc722d48901d3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a492ae09e1546b94822f23fabdd68f90
SHA1 10a0c7552fa46f7b64064f9de0fa7c45c30b298c
SHA256 02af7660a15cbd248d0c2646454e8ea778012c81acf232df9d1109557a14a91c
SHA512 2e39d95b696fcfd055021c8ee7520c76b813b7342dfd88c93f7e71a974c67a116ed3f5eddba03667e1fb3f345c577665a8afee229dbcbe385b3e2d25d5dd0830

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b707fd492fb559fa53d278f1e48e0ce
SHA1 9166164bc208e311abcab525370f1adcbc0e0da4
SHA256 f7a1de4ce023ac22d5da84beeca3583cfe6337a328aa96f7cc1a63b797eaed31
SHA512 cd19328f35ea079ffb8c26e003547168efec8188c4a2db1d6dcb4ba013bed70d13d14b6e1c5ea93240e62552b4783f545a988c1748c4c8085b710b238026a8db

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 97b07f3577582920a64487b5bf1d9949
SHA1 40c0f0d019e7e327e8895c902ee02133afef952f
SHA256 875df9f46a705e6a5a5472a6c4ac108cd7735f7d4b746204fc905079f19fc4e0
SHA512 437000da6d38a979e7886d77f873a92e677c6c9c5be5c5c709bf3ac11c0c0b2853642fe511abe9d442226b300148f263658df78b63a8c3e65b8fd2fc675b937d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 15112455dd77c1ce56ad9fb99cb40222
SHA1 03253894e08a5887e1d8306e2e48a3ec2ff5fc8a
SHA256 4ab0bd88a2874d71fd629fba3161f58a7624f285184fda70dad41c1678143f68
SHA512 991d7611b6a5d0dfc9127c038a4757b5cba1df97c4a193f9524ee119c146b693209a69cc355dbf62d856d89405f7aa2b756e3c3d8252929d278424e51d85b13c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dec927b89b57444110fc3cf7b83b3708
SHA1 ab91d48a3964fea33b956102e2c2ac2321e3cc4c
SHA256 507e3246438ab4446569155b185e8b71a0ee37bce8a7e503fa13c0457976b2f3
SHA512 3682de1935c810781292a3dad4601e5f478c2809198d1d052f22adaa5529fa8bf66980638b6fe4c26b2ad09f30894f1f9f43d94b7a6d232bdbc689140281fdc9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d626fd651e053830b2721ca475133336
SHA1 52da5cb3f3a14f0a115940949fff719752bdd6b2
SHA256 9997828eee29d50531348bda1eed39d4b88fbcbc61274da13f3e7960235f3ce1
SHA512 8ee9644fd3feb3ee7df26cf4009f025f94bc3cebd1c9869058ba9c87083a2cf3165c9cacbb73d6244bcfc68827a17e55d5bb8a1688f81921d393990b937c10f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 047bc368fadd6bd156597e85f92246a2
SHA1 6d644266963b5047a3c5b0416096d2c4bc283f1b
SHA256 fce47c4f25c9d82bb443f9571af3f8b81a85e22721c33c6812f098529cb5668d
SHA512 2401613ad5f115dd3310b3684bb882b2867e581bf0ee45ee2fcfef378b8029679e2f348573eb76727c358fe3a9376cfa532f9f478e721eb076006649e43eefb4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8094782da4544ec4a63347750559cf25
SHA1 d8bcb87e25b1d45ebf5cfd470fd97731591b2ee7
SHA256 af7d23583f9e3cd7923ee356f88d51c274c13041e86a03ca018504f24250ed60
SHA512 9261e11433fcc1b9e220d8db42db5ca1e06a38b0ef5f9bf17e861fed7d1a1d7e977df1f65f8ce87b8d3767039b1946612527186ae50b9d83cc231c293e7e4914

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3bb185aebb7e9b2704ef72b10596dbdf
SHA1 0399d2545bd2658665e0391051011c2cca2db7b0
SHA256 f5c8a5b9d386e4a4dd446ba40c5f83b6027eb18fb9826e04753fc36cb134d136
SHA512 fbe3965c505d2755c784a3b7d89102f0b8a27dd33fc6960217f3f5ecc06de437319d95b15d39b09640a5eb209c9eadd429ce1ea095d39f0c7414b1963f930d1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d63c17da7848afd20343e5d88a01fc05
SHA1 581a8971029837adae0b792e749588c9897b0f21
SHA256 688de740557ecce0d498ec220e531652ce9c6f33f3a61cb445cbf451fdb11377
SHA512 68927285a7d968e7a69e2e63f9c4f54e8841565283c92eff283687b067f05ba7f1f5ef5cfa04d1b18097ed987098ebd938a6693788feec101fa24332e3eb4e40

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7fd8bea8e67636bf28c0918227315819
SHA1 b7e90fd01d8f8a1edec12455e1d81257cd671a29
SHA256 2c81ed99cc18cf8e6d0c1733991accf39cdb45bbf9a16ddb43409a8ebfa4fcba
SHA512 691faec0c45191390e5b298fe8d0fdb30afe288a65777ed9021c38f43507974dd2ab0314a7ba87e9848b1148f518e2f75cefcd2c1388f89605ce1d98fcae8314

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d2c38ca69b1688b840d60cfd27d4107
SHA1 eb61952d7428afafd842a10a1815ee2ae54265d6
SHA256 7b00e9e11ba17f4b0769701b8320240ff3cf2713335d02aa088c2ef062fa31fa
SHA512 81903d5d94d6c823ecf583dbe98b0c7569bc48afb8859604a3548af17a9ad5763cba6c6256f6015bcb1baa3f9727a3fad1c77a26d66e4716c93903804e897950

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\favicon_1[1].ico

MD5 aa8b619b8e59f1ee68257102a5057404
SHA1 04c442f5f1560d1517cb98e7648ab6668dafb407
SHA256 d5411b56d41f9150247c86b997eb793aeb160f730481d6ed5278dbce73976750
SHA512 f08b4b913bdf229df02482d0dfa1cc4e935f2af6fe62043793124d49d804fd8c4437fdb6b443e87ac14eaeb2e00d6de4ad2c6c5a1dfec39756411219a67c152e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 00ef6d3b7944d5da50d246bc6e80d7b0
SHA1 f001ca31620213291539261d66a28111ef95607b
SHA256 637c8e3f648ec022f41550d17890bc973b8f59711211284fd7308ce9673a1c9f
SHA512 7957d61d9daf37f82cfdc9846268b297f203b1792c85a03e89c9075ec2d4e99000aad8f377f9c8b46f21a40d7944dcbc0909251b769cba8be5645ad73ab51ebb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 31edca7b090614712eae64bbb9dd6983
SHA1 25cb9ee21a873daa7c133ea0bee03a348ec023b1
SHA256 6d34dae1adc66f96c6a0683c3952b73378ed0ea12e87312bb97f27712a26e585
SHA512 fa7e7cfa5351d356b8e6f38eceac0b0f0e374af9a3773d5df7885ba368c327bd99c84f8ca8c739f938999e7be2e106d6a152903df05c905d714738f1b6c4c2bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 b0bf517b1f2e0fdced52ac7d64c867ff
SHA1 c1b368bd60c268af1bb17bf6c5ecf0005c8b880f
SHA256 2c962eba52da811cd2c3fda9f0b8544933f34ab0a56891222359770e1449356e
SHA512 5ec4a9d22a921eab293ae0d264e9604b53432b68b5678a6105feb0c7598d2b124241900ce217cc89b5b86c61d83c6186e2ee603eedd341bac44a8ec2c69bb3e6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5b55426c41c46f28467e6df962eeb00d
SHA1 c547b7058a5f5caa293ace7e5f939c8da378b748
SHA256 702ef6820e8af2ef053682fa503aeef80b2660502595c158561466eacd113bd8
SHA512 1bd402f0207911a0a58e9c5fcc53eea01938b8d6a1818144923c62f0ef4be0ebb567a63631feb6fe8d39a094f13ebd96a05451a7171c9a9d476a80bcd2f66fb5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 fb9f2a32df72bfdab162d6ad96fc6186
SHA1 8e9448d59f6c6c970f2d816914f4976be60fb23c
SHA256 fce808a76446ec0c74ec48a4fc13a5eb7d99629bda41e2247d4c8473143d2269
SHA512 765297467923c7f56c4052b060f12b61a88645f8759a54d6b6af0a200eef84ea14894c789575aa8e35ead57839919f82069a4a3fa35d24aec645be7efd4391b9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 20e8b99069f9c28c97b50ee0e32b8397
SHA1 b113f3bec9dcfe99e30ffc090a4612b8849eae70
SHA256 7ed560d1f0bfa5e607dbdac8a6343aaf41912b9a10582bda14e5c261377f46be
SHA512 80effa703ef0b90c44364ee25d0837b8a4c132712a1debdff6ee1504c55180f35f8daf4dab44a3ce7b8ede7006aaef6b0a08c48ca0d78b635f8e8d81704b682e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 abea1a44ea52123a5edb5e8bdb16d4a1
SHA1 b3601117f08913a6b8652fdd4471d3609acfff7d
SHA256 1d12722bf9dde8d00c8d8c8ac503a89136b7e0dd60bd59cd5e61b42071e0c1c3
SHA512 c63b4fbdcebed8ebc7c04b875c6df01fae738ca07571d19e2f2bd15814c12379de94018e37515f418370a8e01039c72015271e5d3037f7edbc7628205807e877

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 03d8158ba51e2b04989b1fe72ce473fe
SHA1 281c809fc885cb811f33ad82960af26b63a3b26e
SHA256 bb99ac7433b89f4c240da666135d1e0dbb39d0aa8cd04e6fdbd8ab4a122ce5c8
SHA512 3ccbdee26417658100106c754f215c9f6f5f6024b58206a7ae4f8324e0fbdd101ef6f865d2532aea300c622702bf3855c94826d5e4528131fb8dd4c34f077bff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d7ab7ff0ef43cafcce89ab649d2e01e6
SHA1 8a7ac644bc84972623cc5127d46311c4b114b048
SHA256 18d0f0f3a4cf5c26fdbc7e7727ae845e7f82f8b2786b8c42806e0d6054084ead
SHA512 21341843192e76650fff1c1486526cf444237b7e50c14d1d4312f88db21e08e2708788927637d71197cc22cc5c4b778238d52384516314f1f20e2f421ceab41d

C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.6.1.556\zl1oqn5c.newcfg

MD5 9a2cf561bba09bf7994f7e43a1773e10
SHA1 a493dec2f6e09ba989808d07667289430a459324
SHA256 b1b2ff36422a873dcf773cab24bcc6d36214509791514507165888f4e7037b04
SHA512 9214a0d31c2c00acbcafe8b928b882d7a772395200eb4db21c3697c86af1c32508677027461e57390ac05c26a25e846f9be72a85cd542d97bef537e4bf373791

C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.6.1.556\user.config

MD5 4d30935c3599295fbbb5f8a76c28429b
SHA1 69a3d871bc28c700872186cb014eb6774d49ca5d
SHA256 71271f0df306df3169946128b80c4402c23082354b93757313f80f63b5ee00b0
SHA512 4d9d45a2bf177a30c92480ca962d99ca9443b83b7f1bf2564ed6f58c32663e42a53e4406185ae8df8ae8259766675a7e596db1f7869cbb2b3a794d3dba2fb5da

C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.6.1.556\s6c_uokd.newcfg

MD5 1789246fbb3bbab5acb485ebf57ae6b8
SHA1 7e8eba143010e774f62485a53855bd8b34212063
SHA256 aa2afcc61c82169604c0e002d0bfc5ce1458e476acb5349245c123df40540aa2
SHA512 7200289f3694f1e4bac8a95363f13796491509f525951fabd8512822dd9574c0948822ac5f642f01e950363eac246e3a5c0f81e5989c1bb6953a6e5c1c47f79a

memory/2896-6749-0x000000000D060000-0x000000000D062000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\1LMHRUFL\www.ynet.co[1].xml

MD5 e4b31369d1756e86910d408b3344c977
SHA1 34217aa5730344be60d983a7c50d2957de8881a0
SHA256 646e663208b82779ad526bc66250b1a90a10e1e64341332b71f398318ec1b890
SHA512 feef211e5188394c49543bc904a9ebc1bad21d0fb95e8c72ce3ec67b8a83b03b465db11ef5b7a9300b901e12cb26774ce2babf4ccad14855b95c7987755b200c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 995c7bd3a6cad4694c85a47f6acf8d91
SHA1 91ff7260515f7ee1e1e4088852bac2e01549fd1f
SHA256 bfd03222b884f5d8363c576ac7653b45f7a84d28c307428b2ff09cc569fcad80
SHA512 46d1e0c0be0429ddfa89fb5badeed058968a16f24725eb2b9de7f32440426dc470a7d5de547022a189c4dc5110d28e7836e509be964e1d8258752c32437bf471

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b2e38a289ad9c30f73a102e060ab84c
SHA1 c7393e205c8043185f1c37658cec944dd15d9d0f
SHA256 6a8f73db3ced9ad19b9d6579d532bed3aa913b6958f5f98b74764de54569523d
SHA512 c89d444edf3480836e89e816189f65dfcf2490f2a601d44a98f6e61dcc289f8a1ed86c466a8199229ba85ab0e1b78ea3a38fc29c3c4ad93b57f5e27ca2f5649a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 5cc0ffd3c1eb9f87d14bddbab3077f6d
SHA1 4fbd37c8c9aa44e9ef4641823e55317e06479e20
SHA256 dd63fc6d8011bc448dd4727a26dbd72a703da1b8b7b64d9f2cbcd60454c593bf
SHA512 027cdf2a458fce23be75c3152246634dcee096fcf5e6e70b12eb0147681f543bbbd3ee975f1d472d5b1154be60cc70f18d01c977516ace229a763347bc634a46

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2115c6e56f68d44470436948ef2c044
SHA1 a5c1f524e18160fe1d45b7160b3e701491fcdf48
SHA256 cef8ced8d2b71b615b3250a105940e8e2e4d7367fb47210e8400754d5c3bb30c
SHA512 f5775b8c229167ce7ba2507983f307e6eb26b9af4f91d41e737239dc47ade5fe48dabdecc342c8ec4b156d568f18b392591c4b47a22389914db6ef861d688361

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7d28073c00a6b042fabd764e47e4f970
SHA1 581c5c2861ca291f7db02251effe824ba3bf8d46
SHA256 88c54966812ac8d36cbe0f08794d86c770d664b2b18524faa899c7952793e066
SHA512 e2833ec9b944e0ed00bfc34353e42dd7d624bdcc9697e5d67c3c9bccd7d7ba0f21173e6a5cb02892cd57af15875a17d24f30e39be8ffb5631f6faa52497f67dd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 659ab6f07fb0e82ad9972637fda14803
SHA1 4f41b362246c0245ada7c2ce99db18d6075ea3a5
SHA256 ae94a50db63173722ac1eb397aa2d988b904ec8dc9c62d5768a77238c029e660
SHA512 79e6895af7816d18c3c067cbad64dbc0486a94d59f14811b26ee832b7d6b74ece1f25de0937880da76715313f1731e893054059d8335f22a977a33bba3829dd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3e8f23ce90c94a16c973b50d03a5f4b8
SHA1 5d397b75cd501a6c9a124063e8bc6b643941dab4
SHA256 c3497af21f6400e2abcef96565e5a228b74bc094f3cf22e5f0041c38713afeda
SHA512 55c6e95b80ee255965358dbfaac5c10974e9f140231121b23b8cf7be5d9d959ac4fe03c09c78a61850d0e8be8f79f5635f231c103182c171abe79dc5ce69f63b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 59c8e7af46213a2680eb3d7f9fc98523
SHA1 ab25d1a07c39ad0717cbce6b60b245909d59770d
SHA256 6be71f036657d7e89697f82c5f7a87827f0a65936394da12d2d043dd95ff0815
SHA512 7bef30299f1219b2fed914601d35e8fda8af96965367cc11dce9e1b7613477f162723964600af2444340712b239fac1b8d4e814abe88a175d5e0d54e6b071811

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 0dc54c619108ed600b8785eccebefa69
SHA1 c3bc14c0cd6b681abd4fb5bd5b9876cd7cecbe56
SHA256 fea6357be10d9759fc6f7d84de536eaa3b44821238664d99dd54b61036c572e2
SHA512 6f7b8e9b905af50f33d5b5386c0aab053e5de386e6d5e68d8ac4347a5533b0651a48a742c93b5405012bc0056487c449d2131261fe43a60f912c5f4f6c6c53dc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 404ee50b7bd307d62cb191e33bb761a5
SHA1 8160d5800db75e76ceaa2842999651da4da0ee78
SHA256 5e9817cfb0a0ea305e3c739a7ae7d98bbc96f7ea5deda69ada1b5c7ff460db2e
SHA512 2595d6851928ab7c94c14fb8f615720974d41c5ab401c3f7f3da00bf306a7de6d721a3984aec43b98420f2de13688262253d374388bd447aee96d28a0e3b66af

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a2f6fd3a262c29b9c6a4815156cfaae3
SHA1 25ac39d781d16d31a28d7213af4b801a8ad35cde
SHA256 649e13625c63c8267db87c1cd606b4ca15c0012473ea19f80a76f3428ddd291c
SHA512 ac9ddfa964c5cc378de0ac006f9ad324559a2c9ee5470ab7c6cbce4410ca0858c9b8d230eb035c4fd5415e0f026b8e765219e2645b63a3c2173e11284116776b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 88a1590b98445a7848e39a645cd76f73
SHA1 c1b82c9df43ac567717ecb726444e54aaec159e1
SHA256 196f622e482402a5b93badd7e8d78837dbce0e2aa4b18d951fbb29bf9a2fd9ca
SHA512 b3a7ec715ae8d0bffd0e59eb550500ced438a5378509368a6c11f8534b60193bceedbe6991b6fec5a21b3e4be6c801200d2f1b099d49941b49e5b86e342c254e
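The file list above mixes artifacts the sample controls (a temp copy of Chrome's Web Data store, the Smartbar per-user .NET settings files under the `Smartbar.exe_StrongName_...` folder, the layout .NET's user-settings provider uses) with writes the host makes on its own whenever anything touches the network or the IE engine (CryptnetUrlCache metadata, DOMStore XML, Temporary Internet Files). The following is an added example, not part of the report or of the sandbox's tooling: it parses this path/MD5/SHA1/SHA256/SHA512 layout, checks digest lengths, sets the host-generated paths aside and keeps one record per unique SHA256. The SAMPLE string is a constructed subset copied from the entries above; the NOISE list and the triage rules are this example's own assumptions.

```python
"""Triage the file list of a sandbox report (added example, not report code).

SAMPLE is a constructed subset copied from the report's file list; the
noise paths and the triage rules are assumptions made for this example.
"""
import re

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Host-generated while the sample runs (CRL/cert download cache, IE DOM
# storage, IE temp files): poor IOCs because their content is not the
# sample's. Assumption for this example.
NOISE = (
    r"\AppData\LocalLow\Microsoft\CryptnetUrlCache",
    r"\AppData\Local\Microsoft\Internet Explorer\DOMStore",
    r"\AppData\Local\Microsoft\Windows\Temporary Internet Files",
)

SAMPLE = r"""
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp

MD5 c38ea50a9d1b652272fdae5db82c9404
SHA1 d7444179c921d090b4e5d954997087bc0004e69f
SHA256 b5e3708f123a02f980e4e8397a055b98dceecdc754bbb67872e8bf3651541742
SHA512 b91d23e89ca310a4cc9bbfc9537880e1b0c09d0ebf28fa1514258110f3fe33493f24145430093c9d1eb6ddcac8ef25ed74eb0d0c2c8c0544c1cfe2dcf206e2f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 79cfc8f2d48200e50e3fda7b33dcd6ac
SHA1 8dcb2d589a96bb0f41781b18b15ba5c13da4d46c
SHA256 223797290280fe522bd2f5bdfa565ee83709cb6bfb703bd94c335430caa0440a
SHA512 be5c6ba15b6812966841397f7901ba41d02b9172599f1d578a3b23fc9c7c63292555d39a5aaae644a7265fe5ca82a6046a1dc91dae45427b19c0c361fd371982

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\1LMHRUFL\www.ynet.co[1].xml

MD5 b5c92c186122a944772a03dc0b2f6d01
SHA1 8d124cf5bdf9d614f8c7ff324322f40bc5dfd87e
SHA256 c679056b007637425a44703257904fafbf8ef1d599f500b45f429c8740699616
SHA512 777a432d4083dfebc891f9f7a5a192c79338df213339cf7b76c9e02db32bfb623aed8de34905d1c17cfc3b267f5a93d7ebeb5976928cfd8acdb03d4b6647ccd0

C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.6.1.556\user.config

MD5 4d30935c3599295fbbb5f8a76c28429b
SHA1 69a3d871bc28c700872186cb014eb6774d49ca5d
SHA256 71271f0df306df3169946128b80c4402c23082354b93757313f80f63b5ee00b0
SHA512 4d9d45a2bf177a30c92480ca962d99ca9443b83b7f1bf2564ed6f58c32663e42a53e4406185ae8df8ae8259766675a7e596db1f7869cbb2b3a794d3dba2fb5da

memory/2896-6749-0x000000000D060000-0x000000000D062000-memory.dmp
"""


def parse_files(text):
    """One record per path line; the 'ALG hex' lines that follow attach to it.
    Any non-blank line that is not a hash line starts a new record."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and records:
            records[-1]["hashes"][m.group(1)] = m.group(2).lower()
        else:
            records.append({"path": line, "hashes": {}})
    return records


def malformed_hashes(record):
    """Algorithms whose digest has the wrong length (truncated copy, wrong column)."""
    return [alg for alg, hx in record["hashes"].items() if len(hx) != HASH_LEN[alg]]


def is_noise(path):
    p = path.lower()
    return any(n.lower() in p for n in NOISE)


def triage(text):
    """Split records into unique interesting files, host noise, hashless and broken entries."""
    out = {"interesting": [], "noise": [], "unhashed": [], "malformed": []}
    seen = set()
    for rec in parse_files(text):
        if not rec["hashes"]:
            out["unhashed"].append(rec["path"])          # memory dumps carry no digest
        elif malformed_hashes(rec):
            out["malformed"].append(rec["path"])
        elif is_noise(rec["path"]):
            out["noise"].append(rec["path"])
        else:
            key = rec["hashes"].get("SHA256") or rec["hashes"].get("MD5")
            if key not in seen:                          # same bytes under another name
                seen.add(key)
                out["interesting"].append(rec)
    return out


if __name__ == "__main__":
    result = triage(SAMPLE)
    for rec in result["interesting"]:
        print(rec["hashes"]["SHA256"], rec["path"])
    print(len(result["noise"]), "host-generated entries set aside")
```

Paste the whole Files section into SAMPLE to run it over a full report; the `interesting` records are what to hash-match against endpoint telemetry, while the noise paths are only worth keeping as timeline context.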

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 11:29

Reported

2024-04-30 11:32

Platform

win10v2004-20240419-en

Max time kernel

148s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\rundll32.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F491-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHistoryClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F630-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D48A6EC6-6A4A-11CF-94A7-444553540000}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTCDefaultDispatchClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2AC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLDDElementClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\ThreadingModel = "Both" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2AC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDOMImplementationClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetsCollectionClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLUListElementClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLLabelElementClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.CPluginsClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\1.0.0.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F273-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLNextIdElementClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCPropertyBehaviorClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCDescBehaviorClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLStyleSheetRulesCollectionClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3D0-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLRuleStyleClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3DC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerBHO.DLL" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHeaderElementClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{163BB1E1-6E00-11CF-837A-48DC04C10000}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F252-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHRElementClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" C:\Windows\system32\msiexec.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A

Installs/modifies Browser Helper Object

stealer adware
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\assembly\tmp\BBOHUJHK\Interop.IWshRuntimeLibrary.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Personalization.Common.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.LanguageSettings.resources.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\RegAsm.exe C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA384.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Personalization.Common.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.ProductUninstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\e579b17.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\RegAsm.exe C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Installer.CustomActions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.LanguageSettings.resources.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.ObjectBuilder.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\assembly\tmp\VLKXDRPP\System.Data.SQLite.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Infrastructure.Utilities.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Practices.ObjectBuilder.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\assembly\GACLock.dat C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Infrastructure.Utilities.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Installer.CustomActions.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Personalization.Common.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Deployment.WindowsInstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.Translations.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.SetBrowsersSettings.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.Translations.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Infrastructure.Utilities.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.ProductUninstaller.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.Translations.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.UninstallerForm.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Smartbar.Resources.ProcessDownMonitor.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\assembly\tmp\4UBBP24W\Microsoft.VisualStudio.OLE.Interop.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\e579b17.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.LanguageSettings.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIA395.tmp-\CustomAction.config C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.BrowserHelperUtils.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSIAED1.tmp-\Smartbar.Resources.ProcessDownMonitor.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll C:\Windows\SysWOW64\rundll32.exe N/A
File opened for modification C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.LanguageSettings.dll C:\Windows\SysWOW64\rundll32.exe N/A
File created C:\Windows\Installer\SourceHash{978D004E-4180-440E-B657-E1BB5694C950} C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\Default = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchUrl C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\SearchUrl C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\Search C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" C:\Windows\SysWOW64\rundll32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\Software\Microsoft\Internet Explorer\MAO Settings C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" C:\Windows\SysWOW64\rundll32.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=ds&babsrc=lnkry&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A

Modifies Internet Explorer start page

stealer
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&dpid=LinkuryTest&co=TJ&userid=0eed6503-eef8-4be2-891a-c9b8324f0ad2&affid={affid}&searchtype=hp&babsrc=lnkry_nt" C:\Windows\SysWOW64\rundll32.exe N/A
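The registry rows above are easier to act on once correlated. The key under Explorer\Browser Helper Objects names only a CLSID; the CLSID\{...}\InprocServer32 rows written by RegAsm.exe (RuntimeVersion, Assembly, CodeBase) say what that CLSID actually loads, which here is a .NET assembly under the user's AppData rather than a library in a system directory, and NoExplorer = 1 means the object is loaded by Internet Explorer only, not by Windows Explorer. The same tables carry the search hijack (the SearchScopes, SearchUrl, Search and Main\Start Page values all rewritten to the linkurytest-feedrouter-westeurope.cloudapp.net feed router) and the Run key persistence. Two reading notes: most of the CLSID rows belong to the Microsoft.mshtml interop assembly that RegAsm registers alongside the BHO, so the one CLSID that matters is the one the BHO key points at; and the A: to Z: opens under "Enumerates connected drives" are attributed to msiexec.exe, the Windows Installer service, not to Smartbar.exe, which is worth keeping in mind when weighing that signature.

The script below is an added example, not part of the report or of the sandbox's tooling. It parses rows in the layout this page uses, resolves each BHO CLSID to its InprocServer32 values, and flags search and start-page URLs whose host is outside a trusted set as well as Run entries that point into user-writable paths. The trusted-host set, the user-writable path markers and the row regex are assumptions for this example; the sample rows are copied (some shortened) from the report.

```python
"""Offline triage of sandbox registry rows (added example, not part of the report).

Correlates three kinds of rows the report lists for this sample: Browser Helper
Object registrations, the COM class each BHO CLSID resolves to (InprocServer32
CodeBase / RuntimeVersion), and Internet Explorer search/start-page URLs and Run
keys written by the installer.
"""
import re
from typing import NamedTuple, Optional
from urllib.parse import urlparse

# Constructed sample: rows in the report's own '<desc> <key> = "<value>" <process> N/A' layout.
SAMPLE_ROWS = [
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\RuntimeVersion = "v2.0.50727" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerBHO.DLL" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDOMImplementationClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?publisher=LinkuryTest&searchtype=ds&q={searchTerms}" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://linkurytest-feedrouter-westeurope.cloudapp.net/?searchtype=hp&babsrc=lnkry_nt" C:\Windows\SysWOW64\rundll32.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2860750803-256193626-1801997576-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" C:\Windows\system32\msiexec.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A',
]


class Event(NamedTuple):
    desc: str
    key: str
    value: Optional[str]  # None for "Key created" / "Key opened" / "Key value queried"
    proc: str


# Registry rows only; file rows (whose indicator is itself a path) return None.
ROW_RE = re.compile(
    r'^(?P<desc>Key created|Key opened|Key value queried|Set value \((?:str|int)\))\s+'
    r'(?P<key>\\REGISTRY\\.*?)(?: = "(?P<value>.*)")?'
    r'\s+(?P<proc>[A-Za-z]:\\.*?)\s+N/A$')
BHO_RE = re.compile(
    r'\\Explorer\\Browser Helper Objects\\\{(?P<clsid>[0-9a-f-]{36})\}(?:\\(?P<name>\w+))?$', re.I)
CLSID_RE = re.compile(
    r'\\Classes\\(?:WOW6432Node\\)?CLSID\\\{(?P<clsid>[0-9a-f-]{36})\}'
    r'\\InprocServer32(?:\\[0-9.]+)?(?:\\(?P<name>\w*))?$', re.I)
IE_URL_RE = re.compile(
    r'\\Internet Explorer\\(?:Main\\(?:Start Page|Search Page|Search Bar)'
    r'|Search\\(?:Default_Search_URL|SearchAssistant)|SearchUrl\\Default'
    r'|SearchScopes\\\{[0-9a-f-]{36}\}\\URL)$', re.I)
RUN_RE = re.compile(r'\\CurrentVersion\\Run(?:Once)?\\(?P<name>[^\\]+)$', re.I)
# Assumption for this example: search hosts treated as legitimate; tune per estate.
TRUSTED_SEARCH_HOSTS = {'www.bing.com', 'www.google.com'}
USER_WRITABLE_MARKERS = ('/users/', '/programdata/', '/temp/')


def parse_row(row: str) -> Optional[Event]:
    m = ROW_RE.match(row.strip())
    return Event(m['desc'], m['key'], m['value'], m['proc']) if m else None


def user_writable(path: str) -> bool:
    """True for paths under a user profile, ProgramData or a temp directory (any slash style)."""
    p = path.replace('\\', '/').lower()
    return any(marker in p for marker in USER_WRITABLE_MARKERS)


def triage(rows) -> dict:
    bhos, com = {}, {}  # clsid -> BHO key values; clsid -> InprocServer32 values
    findings = {'bho': [], 'ie_hijack': [], 'run_key': []}
    for ev in filter(None, map(parse_row, rows)):
        if m := BHO_RE.search(ev.key):
            entry = bhos.setdefault(m['clsid'].lower(), {'proc': ev.proc})
            if m['name'] and ev.value is not None:
                entry[m['name']] = ev.value
        elif m := CLSID_RE.search(ev.key):
            entry = com.setdefault(m['clsid'].lower(), {})
            if m['name'] is not None and ev.value is not None:
                entry[m['name'] or '(Default)'] = ev.value
        elif IE_URL_RE.search(ev.key) and ev.value:
            host = (urlparse(ev.value).hostname or '').lower()
            if host not in TRUSTED_SEARCH_HOSTS:
                findings['ie_hijack'].append((ev.key.rsplit('\\', 1)[1], host))
        elif (m := RUN_RE.search(ev.key)) and ev.value and user_writable(ev.value):
            findings['run_key'].append((m['name'], ev.value))
    # Resolve every registered BHO against the COM class its CLSID points at.
    for clsid, props in bhos.items():
        server = com.get(clsid, {})
        reasons = []
        if props.get('NoExplorer') == '1':
            reasons.append('NoExplorer=1: loaded by Internet Explorer only, not by Explorer')
        codebase = server.get('CodeBase', '')
        if codebase and user_writable(urlparse(codebase).path):
            reasons.append(f'CodeBase in user-writable path: {codebase}')
        if server.get('(Default)', '').lower() == 'mscoree.dll' or 'RuntimeVersion' in server:
            reasons.append('.NET assembly hosted through mscoree.dll (RegAsm-style registration)')
        findings['bho'].append({'clsid': clsid, 'registered_by': props['proc'], 'reasons': reasons})
    return findings


if __name__ == '__main__':
    import json
    print(json.dumps(triage(SAMPLE_ROWS), indent=2))
```

Run as-is it prints the findings for the constructed rows; for a real report, paste the rows of the registry signature tables into SAMPLE_ROWS or read them from a file. On a live host the same correlation is done directly against HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects (and the WOW6432Node copy) and HKCR\CLSID, which is where a response playbook for this family should look first.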

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F28A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F493-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\ = "mscoree.dll" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{35F0ED97-3328-3F26-958A-A8E5FAB21405}\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2E0ED74B-B69A-3F95-9FD8-66006DB3972C}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{ADCDA984-74EE-399A-B8C7-F16E1D96115F}\7.0.3300.0\Class = "mshtml._HTML_PAINTER_INFO" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2C4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B105EDC3-7FEE-32E9-BCB5-B7D3314D03E0}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B2-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ = "LinkuryTest Smartbar" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLUrnCollectionClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\RuntimeVersion = "v2.0.50727" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E107CA26-9F34-3EA3-A2F9-C8844CC4DE75}\7.0.3300.0\Class = "mshtml._styleFontWeight" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{80A94470-9C4F-3A47-AE2F-E6BEDB44F52A}\7.0.3300.0\Class = "mshtml._stylePageBreak" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17EC906B-6004-331A-8325-B4422D1ED446}\7.0.3300.0\Class = "mshtml._styleLayoutGridMode" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLRenderStyleClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA6-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3FB5C8C6-11BF-32E3-9F5E-6F95AFA8D553}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCPropertyBehaviorClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{47A03182-4FA3-306E-AF15-902E10310178}\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BD371A4C-17BD-3FE8-ABCE-2515081859E2}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLSelectElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTableClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5EB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A5C76C0B-A22F-3565-BA14-863844C9570C}\7.0.3300.0\Class = "mshtml._styleLineBreak" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F277-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F28A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F31A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3D4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F248-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLAnchorElementClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\Class = "IESmartBar.IESmartBar" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F35D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5EB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.ThreadDialogProcParamClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CA10143D-B4E8-349C-9E3E-C78AC463673D} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerBHO, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLUListElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F7F6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2B4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLInputButtonElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{78C1BD14-4E05-34D5-90D8-E821FB657DEC}\7.0.3300.0\Class = "mshtml._styleWordWrap" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.DOMChildrenCollectionClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F172639F-F18B-3756-8450-06866584ADEF} C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6D55083F-D6FF-3028-A8A3-95DE56BB6EDF}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F241-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{31C3DCFD-A426-3D6A-A085-C8EBF166715A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3E8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLFieldSetElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A982E8A8-31B6-3CB2-81AC-2C185D16EEFD}\7.0.3300.0\Class = "mshtml.__MIDL___MIDL_itf_mshtml_0250_0006" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHistoryClass" C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLObjectElementClass" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F280-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DD05F906-C219-3916-B377-597EA9E255C2}\7.0.3300.0\RuntimeVersion = "v1.0.3705" C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 C:\Windows\SysWOW64\rundll32.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = [binary certificate blob omitted] C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\rundll32.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\taskkill.exe
PID 3724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\taskkill.exe
PID 3724 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\taskkill.exe
PID 3724 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 3724 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 3724 wrote to memory of 1008 N/A C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe C:\Windows\SysWOW64\msiexec.exe
PID 4892 wrote to memory of 2748 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4892 wrote to memory of 2748 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4892 wrote to memory of 2748 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2748 wrote to memory of 1924 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 1924 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 1924 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 1924 wrote to memory of 3268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1924 wrote to memory of 3268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1924 wrote to memory of 3268 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 3268 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3268 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3268 wrote to memory of 2444 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2748 wrote to memory of 992 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 992 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 992 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 384 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 384 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 2748 wrote to memory of 384 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\rundll32.exe
PID 384 wrote to memory of 2388 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 2388 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 2388 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4276 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4276 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 3544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 3544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 3544 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 408 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 408 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4340 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4340 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4340 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4312 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4312 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 4088 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 3008 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 3008 N/A C:\Windows\SysWOW64\rundll32.exe C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
PID 384 wrote to memory of 3808 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
PID 384 wrote to memory of 3808 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
PID 384 wrote to memory of 3808 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
PID 384 wrote to memory of 3556 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 384 wrote to memory of 3556 N/A C:\Windows\SysWOW64\rundll32.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3556 wrote to memory of 4368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3556 wrote to memory of 4368 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 384 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 384 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 384 wrote to memory of 4920 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4920 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4920 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4920 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 3556 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3556 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3556 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3556 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3556 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3556 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3556 wrote to memory of 3976 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe

"C:\Users\Admin\AppData\Local\Temp\2024-04-30_a513b78dbeb8812f596aeb483ee18fff_mafia.exe"

C:\Windows\SysWOW64\taskkill.exe

taskkill /F /IM msiexec.exe

C:\Windows\SysWOW64\msiexec.exe

"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 46C158A98109F82C495A0ADB6DCE0FEF

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSI9C01.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240622750 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e_sfu0xz.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA22C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA22B.tmp"

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIA395.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240624546 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe "C:\Windows\Installer\MSIAED1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240627421 73 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"

C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe

"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"

C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe

"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"

C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe

"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"

C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe

"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"

C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe

"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.ynet.co.il/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe4a946f8,0x7fffe4a94708,0x7fffe4a94718

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v-4kc_-f.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC7A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC7A5.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3000 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7c3ulrem.cmdline"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9E8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC9E7.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lq4tl7vi.cmdline"

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ieku54w7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB21.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCB20.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB30.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCB2F.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cpqadejx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBBD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCBBC.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\psix0ynf.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCC69.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCC58.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l0oqnrzs.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD15.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCD14.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gkgh7eqo.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDB1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCDB0.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6gdgd8mj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCE6D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCE6C.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q2h9jkvp.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF47.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF46.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mlp0_klx.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFE4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCFE3.tmp"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1yythvym.cmdline"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD0CE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD0CD.tmp"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2876 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,13271472420706213379,3322700476435103447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1

Network

Country Destination Domain Proto
US 8.8.8.8:53 cloud-search.linkury.com udp
US 8.8.8.8:53 linkurytest-webservices-westeurope.cloudapp.net udp
US 8.8.8.8:53 google.com udp
US 8.8.8.8:53 google.com udp
US 8.8.4.4:53 google.com udp
US 8.8.8.8:53 4.4.8.8.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 linkurytest-webcomponents-westeurope.cloudapp.net udp
US 8.8.8.8:53 time.nist.gov udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 pool.ntp.org udp
US 8.8.8.8:53 time.nist.gov udp
US 8.8.8.8:53 www.ynet.co.il udp
US 8.8.8.8:53 time.nist.gov udp
US 8.8.8.8:53 time.nist.gov udp
US 8.8.8.8:53 time.nist.gov udp
US 8.8.8.8:53 pool.ntp.org udp
US 8.8.8.8:53 time.nist.gov udp

Files

C:\Users\Admin\AppData\Local\Temp\smartbar\Setter.dll

MD5 8b809d7fdef6c276791186b0d97ae839
SHA1 ad1202b0578aca08feee0f6937a14ec66fc7d653
SHA256 ee7ce728fc421cd33250ad55c5ef0effa3ecc71a0f2ac3b918636dee0f5f84d1
SHA512 aef7f1eba4fc8942c67873fd48377bbcfff83aafc0f7a5a32d85df00f13ceada6c60544b57c674b4e9595e7f67ef24f5855b9ce27bdab045fb9502b349f91539

C:\Users\Admin\AppData\Local\Temp\smartbar\sqlite3.dll

MD5 fec17d5fb09a03376d3aa204c65562a7
SHA1 2966508d76523b2c2d28713612b472e7256c66fc
SHA256 1e384af4479ba64bd2fa02b00603205c4b0a99a468cfa4cc33cdca7bac845bec
SHA512 4e250955a0b6e2a22d41cf24eecc88d3a36de1308c089d8f8ab02beed434f0ed44583f048ca2b436788b7c80ec1c7f0cd79166b3e62d040566c99aa536b9c11e

C:\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll

MD5 0fb00dcd1887e0e1339c630137c422f4
SHA1 40e83a2b22610e3d718dff15955cca69b54d7d2a
SHA256 d9cc21c8899168bbd783d8488405af97f19a18f2402d76683fb3f08733f402c3
SHA512 66ba4cc70217ed30f3a5c203e0515025400e03ccd605ab4151ebcaaa078a67c8e9d36d5c7ccbd1883a1a75de5bb5b5c04dff1a975d3e1c0a5cef4eccae4be4a1

memory/3724-19-0x0000000060900000-0x000000006094F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi

MD5 ab3c448a172f887a9a41a98bc37baeb6
SHA1 4f564531b856433e34755d5f28ed91db09238fb0
SHA256 e59bd7fa9ff296101ce04bbdff361af630a4dbe5fa2020d5da11e9ecd8e490fd
SHA512 413960883fca3da12fbef69b6501a114fa9f7e9f2e420fc6bca69a8feb19b110745fb22e8709058ac187c13932efb84921e0e31d0adad99ec2f0a6b1d063e6a2

C:\Windows\Installer\MSI9C01.tmp

MD5 50431b75630bbf6b3c245e3c675a90c7
SHA1 3e99780baa1447056e63bdb677f4d3248e65d855
SHA256 4bbcb65193711559141311b1bbcde46471a3836248a96b374c4316e1e0cee161
SHA512 62377d84c8db9ef2361db6adc65efd6835405b945156e7680d6c102b4184d5a259dd61ca3822173781ec09d2f2d7784ce62bee256138b0918e01768629257050

C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Deployment.WindowsInstaller.dll

MD5 34d4a23cab5f23c300e965aa56ad3843
SHA1 68c62a2834f9d8c59ff395ec4ef405678d564ade
SHA256 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c
SHA512 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c

C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Installer.CustomActions.dll

MD5 6e7e63c2978f2139fc480fa3987c2454
SHA1 494c95837404aea3a17f558a70124350cbe0b665
SHA256 ef4fbe7fb8ea3db0a6c1d2e3ea85dbdc3b2fe9e203eb4f47f286f9686b70b0c9
SHA512 8201f6808cebbf8054fd430605d3f792ccf30816d115cee6087b856d07abb7198a028155113ca66d39a6aaf9c8cf33a40c50e1d40a358050d70a7cac8f8ff097

C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll

MD5 5828e61533ad8765e34c8bd5b2684768
SHA1 819ca2ba6ceaac7042f0d106f9bbd5b299dea954
SHA256 026e85591c1d8f9f6f9103ba5aa1c18ba23c28bd57e56823f4e11ac0abacd4f3
SHA512 b5fb79e30c3ca749a5478231ca3bcdfd558db9ef0d87852849b29e6554af305b4eda4f4be9b24e0fd4fa3e371d413f19b0b5f1e1f913b9e31dcb8e5b0b1442c8

C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.SetBrowsersSettings.dll

MD5 68462e5ccace2103619f9501c7accf51
SHA1 54e402eef5863227eb1128e17ccfc96bcc1b0c73
SHA256 bc31faeea673328c8624334b8d9f699a71221a570043d43f90d1f4672939e776
SHA512 162c45d1775e0c77ec6b7c7bbf483142a020193f6f07812e4e48c1686cd791758736d75317f3c796bba30464a92f41fd95c80d8a1d176f13aa7aa6623a13066e

C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.BrowserHelperUtils.dll

MD5 528b6340928ec73f7d3726396e3b8607
SHA1 36fececd456ed486e83185a39266aaa93d9a3851
SHA256 aaecb4c15e8a307714a92d2d962c12b35943058165369140abeda750fdc2bccf
SHA512 8cc45713604754832c6f70883f67996564d62e6c41f660fd3c69dd1900c50afa4360b97842c95e9a0fcb39007070549d8bbae069dedd1573511de99b33bf26ef

C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Infrastructure.Utilities.dll

MD5 5514445cbc6717bc543e993a27b45614
SHA1 463fea10195dc9d95c3b185ddc0216154f138843
SHA256 515f391b52077e9c54f0dab77b39195378b12be557af43be4d60d078a9c59c2c
SHA512 1aceac5534980905717ea30424ef3c8822cec68093ff3dbaf4ea7be52efb2db7f2869bffe5a059c401c50c852d387882233bbba6db544ed77ee81ddd2eb613b8

C:\Windows\Installer\MSI9C01.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll

MD5 7868ed46c34a1b36bea10560f453598f
SHA1 72330dac6f8aed0b8fde9d7f58f04192a0303d6b
SHA256 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176
SHA512 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba

C:\Windows\Installer\MSI9C01.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll

MD5 685a150a95abcc23eff7167e45b55eee
SHA1 7f6f6e6fb67b4eb578598f423ea284e01e12da00
SHA256 29feba57a0184ab164d6c5d0195c3b9c1f21e120a5853eee0afc6a66c5ef6a29
SHA512 f499ad24337adec2e78a6a4236877b27530d61deaf73cc09263f34c66c0ea84fbcdb057a70dd692c79e1608b69bc8945eff6ee346bb0a4efb3c8c5d4a2f8e703

\??\c:\Users\Admin\AppData\Local\Temp\e_sfu0xz.cmdline

MD5 e546e6ae42b4b4786fa021ea77edc503
SHA1 5cbe6e463fe9f8f66e40ff1fdba49058c7c0a653
SHA256 9a0f48304e2ab8476b08663024f785a4ecf7367e6797eae94c31a15e1b6047bc
SHA512 f1bb837932c77e4d0441a0b08bed1c6cae313f8cf989819e7fc19a0ffce71191b5f84ff80edf3ee15bc07b47d7cd5f1a9ed6f008d3c9a38d9fc8b81db4fb1463

\??\c:\Users\Admin\AppData\Local\Temp\e_sfu0xz.0.cs

MD5 80d63b882b411290f39d49cd220b9099
SHA1 c045a403ee8e63bf0f745ae71d573371cc5fd547
SHA256 588b5a7b7054402f78db94a328401454031310687eb90aa81871d3dc029c9da2
SHA512 df6ddc155b36e3440023b3cfe7b6f86aaa8c9a525d2154fc432f4db03068e8ef0734da57fede2606e011d70392b3ae4744ce11387d23267b656eca2028a207bd

\??\c:\Users\Admin\AppData\Local\Temp\CSCA22B.tmp

MD5 c69a91d8338e903c33dd770b64475cdd
SHA1 3d43390de94e7f82612b82f64fc031c6a575326e
SHA256 f4bdedce26245ea4519c4ff9cbf09152a1d7e3fe9201d9e7d5dafafa0840547f
SHA512 9153f29d6f1fcca469d98f1175502285b020cd67c705e172d1d4cef994feb363c9bf8825c7044b68d055a3ccca8ffaf8059f6796d0b7e1a1c3e863956f66f8cb

C:\Users\Admin\AppData\Local\Temp\RESA22C.tmp

MD5 8736a294d7874b8c748ea60f45682ffa
SHA1 c758e8c09e1563f58fdd28ea350f867e51d92600
SHA256 d87487d65506da3e8324ad597dd3aaf6731617fb5edeaf15e00e17509d4fe108
SHA512 a1a4ac0024d6679b5768301d40964a1c05828730a25bdd9b5c79c821a6cc52ef72860128fd587867e52a6ef399343c42c304d4bae02a08e0525026ce830ebebf

C:\Users\Admin\AppData\Local\Temp\e_sfu0xz.dll

MD5 7bd63fcd215fc1813a24da055ce47c68
SHA1 9b4b91f137440d3d966a00846b1f782e8c433a07
SHA256 555ef508e7ec207bc7da5c396a8e4fe1902db58c2129f9b842f05eb5b1c0b52b
SHA512 f1d2256ca93f90f846ed477d4c4c692ab5e83dce62b0f7f97d721cc72cb2bcc8a8722fe09962622c0413714ddc201a6c66d23eca89f52e48e1a328758a0dc8d8

C:\Windows\Installer\MSIA395.tmp-\CustomAction.config

MD5 796621b6895449a5f70ca6b78e62f318
SHA1 2423c3e71fe5fa55fd71c00ae4e42063f4476bca
SHA256 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84
SHA512 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9

C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

MD5 5b7cf489957eb2952242bb4f1163b491
SHA1 133454c6f94d74d32b9bdf29ee6cc338c5af3652
SHA256 ef44f9f4fa3f70a614b768d0c7781e5d5084a7a86a085264569f0d95f45f7605
SHA512 88fe9e04aff1064f42f083be22fa516f1800903df47017b73b311ba506f074fdfc8dbf031693708a758dfccc6035bf8e57910aa735e67b5d018429564f78d5ac

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rundll32.exe.log

MD5 8e28079704db4d073e6c39636eadc0e0
SHA1 210a60b4d7139f1779c41babc4c7e7c6b71f26cb
SHA256 34462d5da310b13b1000c3ab514350bc17395de96f9bbe4ec161128ca1171b84
SHA512 a6bf25f6440d549e2547016f01dd16345fa04655d36b225e87a96bce43195f80d82a1664f001c5ed2db2cd155681ab8cd913834d96e9459ff342012857deff91

C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png

MD5 e6ab030a2d47b1306ad071cb3e011c1d
SHA1 ed5f9a6503c39832e8b1339d5b16464c5d5a3f03
SHA256 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c
SHA512 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163

memory/4892-619-0x000001F775CF0000-0x000001F775D00000-memory.dmp

memory/4892-622-0x000001F776130000-0x000001F776156000-memory.dmp

memory/4892-652-0x000001F776160000-0x000001F776180000-memory.dmp

memory/4892-738-0x0000000000910000-0x00000000009F3000-memory.dmp

C:\Windows\assembly\tmp\VLKXDRPP\System.Data.SQLite.dll

MD5 5b3d3a627813bcef2d7a8651941f2a96
SHA1 18713ace817081d3b99bb71e01030842345dc750
SHA256 2f7e3f285a523b3d918fe8b3cbd3d42d2380835779a1a8b50ccf6bb365a915bc
SHA512 fc6754246a071a40bf64d8a66bb7b4f926f031dfe17c25a3e7d37d8421757afad99837f28bf754fb894ca0e19f7b13850557b208b21c4566479619e77cafdff3

C:\Windows\assembly\tmp\95WWNDTO\Interop.SHDocVw.dll

MD5 cc0611a32becda6d37695f38755a891f
SHA1 2b987c4cbe8de69b40f4096d424aca5469f90fe5
SHA256 9daf27aea3c266457e50501cbaf1485a81c15f2dc51a84609bb5417d286a2769
SHA512 bcae75594167257341ac903fbe2a7cb4da6b49044bfaad6bc523f2efcf8aac98a417564d48cdfc57fafa7a74c6a7041b725a7b5112082b499ff2d23d05bcccac

C:\Windows\assembly\GAC\Microsoft.VisualStudio.OLE.Interop\7.1.40304.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.OLE.Interop.dll

MD5 459ff9c6762b7fdd91c156ff3e096478
SHA1 7179debce9a271450b1241e7435a999aea1ddd05
SHA256 93865c89e1507409fbbeb9433542a303cdd2fd5acda3d51fecd83e4a8fb8072c
SHA512 8b95330d364413122427604af1c0e848694975eb8c541b911aeb0d50fbb5cd15a60863f68593f1088b26f83500f400f52292a2891511223f796be750c6a7583a

C:\Windows\assembly\GAC_MSIL\Interop.IWshRuntimeLibrary\1.0.0.0__64637c62d0471340\Interop.IWshRuntimeLibrary.dll

MD5 7a5a5de7b05c00821ed6348afff2627b
SHA1 66f34183d38c9f4da9c9c669bda1149ebe766e97
SHA256 ff9d8658fa81697e8f51b105c067996e5aaff2c46cb147667bbcc9fc4929b959
SHA512 23730bd76ae297765fa8954affbd71437a7d7bdb5bdf246563a945af353ceca9abd5275d973d8c981fc6ab6d7e25032aab2888f04e33394d95474febee02a0fd

C:\Config.Msi\e579b1a.rbs

MD5 44e85f4a3a33fa519bb67fff1e5a2a3f
SHA1 cd20703e3b2de12ed18de4df577b8022884f5f0f
SHA256 db8c8298fad294ef3f08f8b40a518206e8ed1a802103615ab2b3c6d8078bf072
SHA512 2371e608ae951a285e4ee604b0ffd9c0e016d089a3e764039995065e11b0be2a4c221a9035d60d72e827bcc4a2feb98420725e17a933aeef2d75b59c67242a07

C:\Users\Admin\AppData\Local\Smartbar\Application\bf4etysu.newcfg

MD5 02afe6dc961f4498c6876a5e366834a4
SHA1 7d3b202bf1bb8fadc0c819b9fe9490711b2e1229
SHA256 38d819907e0a1742cce76a87ae62cd0d190935b8e69cb090abd281303519f578
SHA512 e297bb7c7a9097f822b6baec332699f74a7eb4e07631dec0908fd7565bc088ad21fcc0a5273ce9b1bc1a974938547872789f27297041744a77ce2953ed682151

C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

memory/4276-833-0x000000001CB00000-0x000000001CB18000-memory.dmp

memory/4276-834-0x000000001CFF0000-0x000000001D4BE000-memory.dmp

memory/4276-835-0x000000001D560000-0x000000001D5FC000-memory.dmp

memory/408-837-0x000000001CCC0000-0x000000001CCE6000-memory.dmp

memory/4312-838-0x000000001DAF0000-0x000000001E296000-memory.dmp

memory/4312-839-0x000000001E2A0000-0x000000001EA46000-memory.dmp

memory/3008-840-0x000000001C7B0000-0x000000001C7D6000-memory.dmp

C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\PublisherSettings.xml

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
