Analysis Overview
SHA256
672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b
Threat Level: Known bad
The file 672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe was found to be: Known bad.
Malicious Activity Summary
Panda Stealer payload
Pandastealer family
PandaStealer
Blocklisted process makes network request
Checks computer location settings
Event Triggered Execution: Component Object Model Hijacking
Reads user/profile data of web browsers
Loads dropped DLL
Executes dropped EXE
Installs/modifies Browser Helper Object
Checks installed software on the system
Drops desktop.ini file(s)
Adds Run key to start application
Checks whether UAC is enabled
Enumerates connected drives
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
System Network Configuration Discovery: Internet Connection Discovery
NSIS installer
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Modifies Internet Explorer start page
Modifies system certificate store
Suspicious use of AdjustPrivilegeToken
Modifies Internet Explorer settings
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Kills process with taskkill
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-01 21:30
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Pandastealer family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-01 21:30
Reported
2024-12-01 21:32
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
98s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4400 wrote to memory of 4800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4400 wrote to memory of 4800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4400 wrote to memory of 4800 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4800 -ip 4800
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 608
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-01 21:30
Reported
2024-12-01 21:32
Platform
win7-20240903-en
Max time kernel
28s
Max time network
17s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2272 -s 220
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-01 21:30
Reported
2024-12-01 21:32
Platform
win7-20241023-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\Z7EOU439\Interop.SHDocVw.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\07LS3MEV\Microsoft.VisualStudio.OLE.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\f767cbe.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\f767cbe.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA60F.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB38A.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9201.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\USER PREFERENCES | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8B475115-532C-3483-8333-FA1CB6A620D7}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\1.0.0.0\RuntimeVersion = "v2.0.50727" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\Implemented Categories\{62C8FE65-4EBB-45e7-B440-6E39B2CDBF29} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F41E6981-28E5-11D0-82B4-00A0C90C29C5}\1.1.0.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3C4EE674-4A82-3318-B48B-B24A8FD7F44A}\7.0.3300.0\Class = "mshtml._CARET_DIRECTION" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F831-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.BlockFormatsClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2AB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F493-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\ = "IESmartBar.BHO" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLUListElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLButtonElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F48A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.CEventObjClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLOListElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F27C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLDTElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FEC3343A-E3E9-3639-8ACF-00DC8EE87864}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11B2663E-7AE0-3DF6-9847-F53250984108}\7.0.3300.0\Class = "mshtml.tagPOINT" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34B4F646-3FC3-3CA2-AF86-BDAA6F9167D8}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D3D8E1F4-DA09-32EE-87E1-36C4EFBD899A} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{48530DAB-FB60-3959-8AA4-2110A2344EED}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTextElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{84385E4D-357D-3D36-976A-725E44ABB78E}\7.0.3300.0\Class = "mshtml._styleBorderStyle" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C550EBDA-A045-36DA-AFB8-8A96C202334A}\7.0.3300.0\Class = "mshtml._htmlMarqueeDirection" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F493-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FB776950-4C2E-3534-974B-B8092FCE2FA3}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2C4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F630-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCMethodBehaviorClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FF6904B0-8485-3B35-B2DD-87E6EED62C7A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1A7B7923-55BB-3079-B47E-AC73CBEDCE77}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{36839DA9-AFF9-3D2A-AA97-D2D9B74DBC5B} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B2-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDOMAttributeClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDivElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D48A6EC9-6A4A-11CF-94A7-444553540000}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F284FEA5-89F7-3A68-ABCA-110332EE3633}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F831-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.BlockFormatsClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B2-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{71F13D44-7694-3B7D-B713-6BBF9930501D}\7.0.3300.0\Class = "mshtml._htmlStart" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A93A6C9E-D601-3E81-81BF-6C1567B89288} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.CPluginsClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}\1.0.0.0\Class = "IESmartBar.BandObjectStyle" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11DB2688-F17D-3058-A5A7-9108BB274DDE} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3FCB7A29-B2EE-3458-93FB-68B840DF3DC0}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D48A6EC6-6A4A-11CF-94A7-444553540000}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\ = "mscoree.dll" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EDC20047-2388-3184-B6DD-B543825CA72A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\Class = "IESmartBar.DockingPanel" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2A35A5F3-DC55-3491-BFB3-38D3D78CA9E0}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E107CA26-9F34-3EA3-A2F9-C8844CC4DE75}\7.0.3300.0\Class = "mshtml._styleFontWeight" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2B9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLMarqueeElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{24C4088C-1A39-3723-810F-ED9FAC488494}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2AC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe
"C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe"
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:d13811c3-be3c-f963-4eca-e759baed3971
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2EF11C76A851964E274749DF819F3417
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI9201.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259428960 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l06dukcs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9628.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9627.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmufdktg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99B1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC99B0.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIA60F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259434015 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB38A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259437462 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\605qibqb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB53C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB53B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9zxcujrl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB5A9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ks0z2wb4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC30.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vkqqtfd4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES159.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC158.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwyj6ael.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-slnzlxv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES224.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC223.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pd5dxaql.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC31C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltf4ilyq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC36A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f6dft4di.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h-v4zyts.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES465.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC464.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfnooaje.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h6bxo4fa.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES520.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC51F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_zwhvxrd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B4F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B4E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ur94engn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E5B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1E5A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kmr9lbh6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2128.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2118.tmp"
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-01 21:30
Reported
2024-12-01 21:32
Platform
win10v2004-20241007-en
Max time kernel
119s
Max time network
107s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC2F3.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{9726F9E3-EE13-4601-B2AF-81B1413BD8AF} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC313.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB565.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147064" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1732595495" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "1735876919" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147064" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\3DB9590C4C4C26C4CCBDD94ECAD790359708C3267B = (binary value not reproduced) | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "439853642" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\MICROSOFT\INTERNET EXPLORER\USER PREFERENCES | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "1732595495" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{92C8B1BE-B02B-11EF-AEE2-DA67B56E6C1B} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000086445aa8a430244a91c2b800ab210a51000000000200000000001066000000010000200000007c2b5e0a943c26932f3893726c4d711f57a400be6864867aad1222f69c520377000000000e80000000020000200000000de0cb7252925b7afe07ff06b143cd1ddd1e0cef1bc66f8e90e969c917d97cf620000000b3515b6b530145cf96e787aa4624023367fbc7e555b2864fb827289d407e5505400000004777f9d59063e86f1e79704559ac06ae272cdbf34c668f4566531810d3262e670bcf86205a8d46a8a5a27649845df832b2764763e01b7530ea12f3303c739285 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20d0506a3844db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147064" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=hp&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=hp&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ProgId | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\HelpText = "Shopping Helper Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLUnknownElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{41CE25A3-364F-363C-B344-545C1A43472D} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F312-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E683717D-A679-364D-BFFC-FD1EB7F22DBB}\7.0.3300.0\Class = "mshtml.__MIDL___MIDL_itf_mshtml_0250_0008" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2BE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLOptionButtonElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8BE8AA32-4245-3E8A-91E9-CF037C41FC74}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLTitleElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F284FEA5-89F7-3A68-ABCA-110332EE3633} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8BE8AA32-4245-3E8A-91E9-CF037C41FC74}\7.0.3300.0\Class = "mshtml._styleTableLayout" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{ED785CBD-B02D-3BFC-8FBF-4CDC702AF748}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F314-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{80A7F279-4C73-3BED-B5BD-0AF6F30E0639}\7.0.3300.0\Class = "mshtml._styleFontVariant" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLOListElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTitleElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3DC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0\Assembly = "Interop.SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=84542ff99aed6a4d" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{09A8905B-CC7D-3853-93DB-56A686FD72FD} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9CA2452F-D24B-374F-A6AB-9334BE066F08}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2A7855AF-528E-3692-8F4E-E6AD67AF1BF2}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5F5-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3F5-98B4-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLSpanElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{48530DAB-FB60-3959-8AA4-2110A2344EED}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F630-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A8317D46-03CB-4975-AE94-85E9F2E1D020}\1.1.0.0\RuntimeVersion = "v2.0.50727" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\ = "mscoree.dll" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F70614F4-B26B-3812-8E29-C822C4810B14}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F272-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLListElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}\1.0.0.0\Class = "IESmartBar.POINT" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2A7855AF-528E-3692-8F4E-E6AD67AF1BF2}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1A831E80-8858-3805-84C7-C9D0C3D12E92}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F491-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9CBDDE76-4C5D-3B59-A31F-45B59186510A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{85C95AA9-39F2-311E-86C0-D2610A00A85B}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F4CA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{84559181-4149-3992-B3AB-31C84AB30373}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5EB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.ThreadDialogProcParamClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4330C207-19C5-3435-80A3-11D4E9322285}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64AB4BB7-111E-11d1-8F79-00C04FC2FBE1} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F275-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C8872B56-D98C-3C12-B8A9-9F81495D11D3}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B105EDC3-7FEE-32E9-BCB5-B7D3314D03E0}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F285-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLStyleClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F6BC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLNamespaceClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5F5-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTCAttachBehaviorClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.IESmartBarBandObject\ = "IESmartBar.IESmartBarBandObject" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\Implemented Categories | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F31A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2DF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLRichtextElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (certificate blob data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (certificate blob data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (certificate blob data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe
"C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe"
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 73E6E02004F7B9E1082366A99F56D70C
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB565.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240629359 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vbkklkzk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB9FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB9F9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x3u9v7r5.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCAA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBCA9.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIC313.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240632609 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSID4A8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240637156 73 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m83l2zay.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD756.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD755.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuvqhqva.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD821.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD820.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hxax0dti.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES914.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC913.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kepcaij1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9DF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9DE.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2qch2g3_.cmdline"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=sc&installDate=01/12/2024
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA8B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA8A.tmp"
C:\Program Files\Internet Explorer\IEXPLORE.EXE
"C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=sc&installDate=01/12/2024
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\cp3lwybo.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mgi-0b2m.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB66.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB65.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB76.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB75.tmp"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4572 CREDAT:17410 /prefetch:2
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hm15y3e6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfn22udf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF1E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\b-jyyiog.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFCB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFCA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\crioyg3l.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1103.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1102.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gy4xzo6q.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1317.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1316.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vdot2ee0.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1597.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1596.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f13zo1ca.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1847.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1846.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltc9fojn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B15.tmp"
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-01 21:30
Reported
2024-12-01 21:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
18s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 224
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-01 21:30
Reported
2024-12-01 21:32
Platform
win10v2004-20241007-en
Max time kernel
94s
Max time network
100s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1084 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1084 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1084 wrote to memory of 2032 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2032 -ip 2032
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2032 -s 612
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-01 21:30
Reported
2024-12-01 21:32
Platform
win7-20240903-en
Max time kernel
119s
Max time network
110s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\f76aee8.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\assembly\tmp\8SW4WOBO\Interop.SHDocVw.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBA8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\6US6LT9U\Microsoft.VisualStudio.OLE.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB5E5.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICBB8.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID443.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\1.0.0.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{226CBB7D-24E2-3F95-B762-A7EC52DAC005} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B105EDC3-7FEE-32E9-BCB5-B7D3314D03E0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{163BB1E1-6E00-11CF-837A-48DC04C10000}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{41A45DAE-3C9F-3768-B837-B785DDC401F2}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F491-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8A90C764-D139-3B38-A216-98888E73B960}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F491-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTitleElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DF98BCAE-1E01-3B0E-BFB7-793C5635D867}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8D262540-E3FA-39BA-8441-FC8751122B5F}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F6BC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ProgId | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\ProgId | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{872F6F14-D7FF-3B44-B523-BEB5A0D167C8}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F285-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F281-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E296BC2D-5A31-3831-BDAB-2F2D2F05CB8B}\7.0.3300.0\Class = "mshtml._styleFontStyle" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F278-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLIsIndexElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{18414891-2AC1-3457-B4A1-248A55912A51}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B105EDC3-7FEE-32E9-BCB5-B7D3314D03E0}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{80A7F279-4C73-3BED-B5BD-0AF6F30E0639}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DB157C7D-FCF1-3208-84BA-910CE2BAFC75}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3DC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A2CCE3E1-31E1-3A80-9E94-3F818328FB20}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F281-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F402-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.DockingPanel\ = "IESmartBar.DockingPanel" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\Implemented Categories | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BD371A4C-17BD-3FE8-ABCE-2515081859E2} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{18414891-2AC1-3457-B4A1-248A55912A51}\7.0.3300.0\Class = "mshtml._DISPLAY_BREAK" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A93A6C9E-D601-3E81-81BF-6C1567B89288}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FBD9527E-ECC8-3BE0-9E67-6F5F3360B24A}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8482A40D-9454-3073-B93B-3ACF16C38DD6}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDefaultsClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3C4EE674-4A82-3318-B48B-B24A8FD7F44A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0DD42D81-4F88-3FF4-B1FE-51BF0C074D80}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4E953F92-B7F6-39FA-A192-FB2BB7299F3A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2E0ED74B-B69A-3F95-9FD8-66006DB3972C}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C550EBDA-A045-36DA-AFB8-8A96C202334A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5EB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}\1.0.0.0\Class = "IESmartBar.DBIMF" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D0A77F11-94B6-3863-BA84-FFCC85309928}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{35F0ED97-3328-3F26-958A-A8E5FAB21405}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8B475115-532C-3483-8333-FA1CB6A620D7}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2EC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D3D8E1F4-DA09-32EE-87E1-36C4EFBD899A} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{794D9F34-06BA-3B05-8C7C-C62CA154BE00} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5ED36A62-17DA-3BB9-B488-FAA297521C88} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F271-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLMapElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3D4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{78C1BD14-4E05-34D5-90D8-E821FB657DEC}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3CE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetRuleClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F83A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.FontNamesClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{777BF24E-A6C1-301D-8F59-25FC964EEC68}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = (blob data omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Windows\SysWOW64\rundll32.exe | N/A |
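Added example, not part of the sandbox report: a Python triage pass over rows in the layout the registry and certificate-store tables above use. It does two things a reviewer of this report wants automated. First, it flags COM InprocServer32 CodeBase values that point into a user-writable directory: the two CodeBase rows above register SmartbarInternetExplorerExtension.DLL out of AppData\Local, so the server Internet Explorer will load for those CLSIDs can be replaced without administrative rights, while the bulk of the RegAsm rows (Microsoft.mshtml Assembly/Class/RuntimeVersion values) are ordinary interop registration and are left at informational level. Second, it separates certificate-store writes by store. AuthRoot is the third-party root store that Windows' automatic root update fills on demand while a signature chain is verified, and the write here comes from rundll32.exe, the MSI custom-action host, alongside the CryptnetUrlCache and Cab/Tar temp files listed under Files, which is consistent with that mechanism; a write to Root, CA or TrustedPublisher is an installer planting its own trust anchor and is what deserves the high rating. The sample rows are copied from this report except the last, which is constructed to exercise the Root-store branch and was not observed here; the severity labels and the set of user-writable prefixes are assumptions for the example.

```python
import re

# Sample rows copied from the registry-activity and certificate-store tables of this
# report (Description | Indicator | Process | Target). The LAST row is CONSTRUCTED to
# exercise the machine Root store branch; it was not observed in this report.
SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDefaultsClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0DD42D81-4F88-3FF4-B1FE-51BF0C074D80}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = <blob omitted> | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob = <constructed> | C:\Users\Admin\AppData\Local\Temp\constructed.exe | N/A |
"""

# CLSID\{...}\InprocServer32[\<version>]\CodeBase: where a .NET COM server is loaded from.
CLSID_CODEBASE = re.compile(
    r"\\Classes\\(?:Wow6432Node\\)?CLSID\\\{([0-9A-Fa-f-]{36})\}\\InprocServer32(?:\\[^\\]+)?\\CodeBase$"
)
# SystemCertificates\<store>\Certificates\<SHA-1 thumbprint>\Blob: a certificate being written.
CERT_BLOB = re.compile(
    r"\\SystemCertificates\\([A-Za-z]+)\\Certificates\\([0-9A-Fa-f]{40})\\Blob$"
)
# Locations a standard user can write to (assumption: these prefixes are the ones that matter).
USER_WRITABLE = re.compile(r"(?i)[\\/](?:users[\\/][^\\/]+[\\/]appdata|programdata|windows[\\/]temp)[\\/]")


def parse_rows(table_text):
    """Turn pipe-table rows into (action, indicator, process) tuples."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) >= 3:
            rows.append((cells[0], cells[1], cells[2]))
    return rows


def split_indicator(indicator):
    """'KEY\\Value = "data"' -> (KEY\\Value, data); a bare key yields (key, None)."""
    key, sep, value = indicator.partition(" = ")
    return key.strip(), (value.strip().strip('"') if sep else None)


def triage(rows):
    """Classify each registry row; returns findings in row order."""
    findings = []
    for action, indicator, process in rows:
        key, value = split_indicator(indicator)
        hive = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKU"
        m = CLSID_CODEBASE.search(key)
        if m and value is not None:
            findings.append({
                "kind": "com_inproc_codebase",
                "severity": "high" if USER_WRITABLE.search(value) else "info",
                "clsid": m.group(1).upper(), "hive": hive,
                "detail": value, "process": process,
            })
            continue
        m = CERT_BLOB.search(key)
        if m:
            store, thumbprint = m.group(1), m.group(2).upper()
            # AuthRoot is the third-party root store that the automatic root update
            # fills on demand during chain building; Root, CA and TrustedPublisher
            # are where an installer plants its own trust anchor.
            severity = "low" if store.lower() == "authroot" else "high"
            findings.append({
                "kind": "cert_store_write", "severity": severity,
                "store": f"{hive}\\{store}", "thumbprint": thumbprint,
                "detail": action, "process": process,
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_rows(SAMPLE_ROWS)):
        print(f["severity"].upper(), f["kind"], f.get("clsid") or f.get("store"),
              f["detail"], "<-", f["process"])
```

Run against the full registry table, the high findings collapse to the two CLSIDs that load from AppData, which is the concrete artefact behind the "Installs/modifies Browser Helper Object" and COM-hijacking labels; everything else on the table is noise that a rule keyed on the process name alone (RegAsm.exe) would have drowned them in.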
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 71C08C42B274DC9F3251DDEA2756AA64
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB5E5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259438102 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7y9t15yl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCDA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBCCA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hpwms3kz.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF5A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBF59.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSICBB8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259443671 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSID443.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259445824 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i-40ebxv.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD55A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD559.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vzb9kxd1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5B7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD5B6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mto_uwnn.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA5E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA5D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hl1f6skq.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB48.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB47.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\na61dzhl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBA5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBA4.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w3rl7ncj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBF3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBF2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iaey9in1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEA2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEA1.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jh_bpwf7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEDF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\enivwolt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF4C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\led-ujah.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1009.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1008.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dehy1b-n.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10A4.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\66e74pb4.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES172A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1729.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\v8pj3dow.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES21E3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC21E2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\othh2flj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES233B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC233A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lp-y-uwd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2E81.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2E80.tmp"
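Added example, not part of the sandbox report: command-line rules for the installer chain listed above, written in Python and run over a subset of the process list copied from this report (image path on one line, command line on the next, as the report lays it out). The chain reads, in order: Installer.exe kills any running msiexec.exe with taskkill /F, then launches a silent msiexec /i install of an MSI dropped under Temp; the MSI hands control to rundll32.exe loading C:\Windows\Installer\MSI*.tmp at the export zzzzInvokeManagedCustomActionOutOfProc, which is the WiX Deployment Tools Foundation (DTF) self-extracting custom-action host (SfxCA), and the last argument names the managed entry point (Linkury.Installer.CustomActions.CustomActions.InstallationStart and friends); those custom actions spawn csc.exe with /noconfig /fullpaths @*.cmdline, a pattern consistent with .NET generating code at run time, and finally RegAsm.exe registers the extension and BHO DLLs from the user profile, /codebase being what produces the AppData CodeBase registry values. Each rule isolates one of those steps so a hit list reads as the sequence rather than as twenty unrelated csc.exe/cvtres.exe events. The rule names, the regular expressions and the choice of Temp/AppData as suspicious MSI sources are assumptions for the example.

```python
import re

# Process list copied from this report: image path on one line, command line on the
# next, which is the layout the report uses. Only a representative subset is kept.
SAMPLE_PROCESSES = r"""
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB5E5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259438102 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7y9t15yl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
"""

# One rule per step of the chain; names and patterns are this example's own.
RULES = [
    # An installer forcing the Windows Installer service's client out of the way.
    ("taskkill_msiexec",
     re.compile(r'(?i)\btaskkill(?:\.exe)?\b.*\s/IM\s+msiexec\.exe')),
    # Silent MSI install where the package lives under Temp or AppData.
    ("silent_msi_from_user_dir",
     re.compile(r'(?i)msiexec\.exe"?\s+/i\s+.*\\(?:Temp|AppData)\\.*\s/q(?:uiet|n)?\b')),
    # WiX DTF managed custom action: rundll32 loads the SfxCA stub extracted to MSI<hex>.tmp.
    ("dtf_managed_custom_action",
     re.compile(r'(?i)rundll32\.exe\s+"?C:\\Windows\\Installer\\MSI[0-9A-F]+\.tmp"?,zzzzInvokeManagedCustomActionOutOfProc')),
    # C# compiled at run time from a response file in Temp.
    ("runtime_csharp_compile",
     re.compile(r'(?i)\bcsc\.exe"?\s+/noconfig\s+/fullpaths\s+@')),
    # COM registration of a .NET DLL that sits in the user profile (with or without /codebase).
    ("regasm_user_profile_dll",
     re.compile(r'(?i)\bregasm\.exe"?\s+(?:/\w+\s+)*"?[^"]*\\Users\\[^\\]+\\AppData\\[^"]*\.dll')),
]
# Managed entry point is the last token: Assembly!Namespace.Class.Method
DTF_ENTRY = re.compile(r"(\S+![\w.]+)\s*$")


def parse_process_list(text):
    """Pair each image-path line with the command line that follows it."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    return list(zip(lines[0::2], lines[1::2]))


def triage(processes):
    """Apply every rule to every command line; one finding per (process, rule) hit."""
    findings = []
    for image, cmdline in processes:
        for name, pattern in RULES:
            if not pattern.search(cmdline):
                continue
            detail = ""
            if name == "dtf_managed_custom_action":
                m = DTF_ENTRY.search(cmdline)
                detail = m.group(1) if m else ""
            findings.append({"rule": name, "image": image, "cmdline": cmdline, "detail": detail})
    return findings


if __name__ == "__main__":
    for f in triage(parse_process_list(SAMPLE_PROCESSES)):
        print(f"{f['rule']:28} {f['image']}  {f['detail']}")
```

The DTF rule is the one worth keeping in a production ruleset: legitimate WiX-built installers use the same host, so it is not malicious on its own, but the captured entry point (InstallationStart, InstallationRemoveFiles, InstallationComplete) tells you exactly which managed code ran with the installer's privileges, which is the next thing to pull from MSIB5E5.tmp- for reversing.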
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.25.148:80 | feed.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww12.snapdo.com | udp |
| US | 75.2.73.197:80 | ww12.snapdo.com | tcp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 13.107.5.80:80 | api.bing.com | tcp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 23.192.22.93:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
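Added example, not part of the sandbox report: a Python pass over rows in the layout of the Network table above that turns the raw flow list into something an analyst can act on. Every row to 8.8.8.8:53 over udp is a DNS query, not contact with the host, so the code keeps those apart from real connections; domains that were only ever resolved (ws-cloud.snapdoapp.com and au.snapdoapp.com in this run) are reported separately because a lookup with no follow-up flow usually means the name did not resolve or the host did not answer, which is how a dormant or sinkholed endpoint looks in a sandbox. Background noise is suppressed by registered domain (crl.microsoft.com and csc3-2010-crl.verisign.com are CRL fetches driven by Authenticode verification, pool.ntp.org is time sync), leaving the linkury.com and snapdo.com infrastructure contacted over plain HTTP as the indicators to carry forward. The resolver address, the noise list and the two-label registered-domain shortcut are assumptions for the example.

```python
from collections import defaultdict

# Rows copied from the Network table of this report
# (Country | Destination | Domain | Proto), used as the detector's input.
SAMPLE_NETWORK = r"""
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 2.19.252.143:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.25.148:80 | feed.snapdo.com | tcp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | api.bing.com | udp |
| US | 13.107.5.80:80 | api.bing.com | tcp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
"""

# The sandbox's resolver, and registered domains an analyst normally suppresses as
# OS, CRL and NTP background noise. Both sets are assumptions for this example.
RESOLVERS = {"8.8.8.8:53"}
NOISE_DOMAINS = {"microsoft.com", "verisign.com", "msecnd.net", "ntp.org"}


def parse_rows(table_text):
    """Pipe-table rows -> (country, destination, domain, proto) tuples."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 4:
            rows.append(tuple(cells))
    return rows


def registered_domain(fqdn):
    """Last two labels; fine for .com/.org, wrong for ccSLDs such as co.uk."""
    return ".".join(fqdn.lower().rsplit(".", 2)[-2:])


def triage(rows):
    """Separate real connections from bare DNS lookups and drop known noise."""
    lookups, contacted, suppressed = set(), defaultdict(set), set()
    for _country, dest, domain, proto in rows:
        if registered_domain(domain) in NOISE_DOMAINS:
            suppressed.add(domain)
        elif dest in RESOLVERS and proto == "udp":
            lookups.add(domain)          # a query only; the host was not contacted here
        else:
            contacted[domain].add(dest)  # a flow to a resolved address
    return {
        "contacted": {d: sorted(v) for d, v in sorted(contacted.items())},
        # Looked up but never connected: resolution failed or the host was down
        # during the run, which is where a dormant or sinkholed endpoint shows up.
        "resolved_only": sorted(lookups - set(contacted)),
        "suppressed": sorted(suppressed),
    }


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_NETWORK))
    for domain, peers in result["contacted"].items():
        print("contacted    ", domain, ", ".join(peers))
    for domain in result["resolved_only"]:
        print("resolved only", domain)
```

api.bing.com and google.com are deliberately not on the noise list: a search-hijacking toolbar has its own reasons to talk to search engines, so whether those flows are part of the behaviour or incidental is an analyst call, not something to hard-code.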
Files
\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/2388-16-0x0000000000E20000-0x0000000000E60000-memory.dmp
memory/2388-17-0x0000000074221000-0x0000000074222000-memory.dmp
memory/2388-21-0x0000000074220000-0x00000000747CB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Users\Admin\AppData\Local\Temp\CabAFE1.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarB032.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Windows\Installer\MSIB5E5.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
\Windows\Installer\MSIB5E5.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
\Windows\Installer\MSIB5E5.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
\Windows\Installer\MSIB5E5.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
\Windows\Installer\MSIB5E5.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
\Windows\Installer\MSIB5E5.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
\Windows\Installer\MSIB5E5.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
\Windows\Installer\MSIB5E5.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
\Windows\Installer\MSIB5E5.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
\Windows\Installer\MSIB5E5.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
\Windows\Installer\MSIB5E5.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\7y9t15yl.cmdline
| MD5 | 0589db238861bc21bb467a5a130d7bc9 |
| SHA1 | 2bc70270af5402d4d3941dcda11652f9bca369b6 |
| SHA256 | f816b21ce6bd72c2206cf2e84c4ab21aa2ad2376f041f5c8fa19786ce7bd920c |
| SHA512 | f4de298c5d0d3725182f566d82cd59ac5430e26bdfae14d3c57ad2e2df064c27ad3239afacdce0595ee64b8e91137ec9b71ef30d87a455ce8bc55991a2a80e3f |
\??\c:\Users\Admin\AppData\Local\Temp\7y9t15yl.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCBCCA.tmp
| MD5 | 725d9486c212a7c42607bcfc62a750a2 |
| SHA1 | f3b53cdc48571a7cfd75510a8a95ee071487e739 |
| SHA256 | 0e5f7a22e67e30a761ed1c483fa94fc531b80acc8239215fead206462d0fba46 |
| SHA512 | 0d7b834a7f371d7d0cb5333eed162172eabd51fc6d148edb12411c33972c0feb4ece44de0052e17ede9e387f2c58d32f32098add88dce5d421c8c14eeec3ccbe |
C:\Users\Admin\AppData\Local\Temp\RESBCDA.tmp
| MD5 | 755bc4099616d6fdf1094df4757fe180 |
| SHA1 | be69b1280d2a7d3e0aec3aca1c658f4270029f06 |
| SHA256 | 97f1b2bce8bca0c15a3113d24a007e240594599db80d3ceabe502280890747d1 |
| SHA512 | c729f35a899008f2e0c63c585831245e2de2261addb3aa5b0a7b6a42c757254de7490460f62e4c588d36754467fcd7ff33dba47fd97013fbaa0177093f85e112 |
C:\Users\Admin\AppData\Local\Temp\7y9t15yl.dll
| MD5 | 9b7bda5f51e9ecef9f0e36ef0aa83580 |
| SHA1 | 29fcdb00b2feef948b95a541f8175862752637dd |
| SHA256 | 4d8e13adb01869437dfbf9aeb636f793e030dc5e26d53b9310daddbad772f6c5 |
| SHA512 | 1e9f5cf8e8e1b4ebd69b4ed17377524eddb7ddd37a3ceb844ac817ceda2dc4c94dc4f4c27077ca08c0f8d85d99f6fc75eaf5dca7e9441fa4c5e09ead3c1fb0ae |
\Windows\Installer\MSIB5E5.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 60a7cb46c03eb8fd58310d24741d4d50 |
| SHA1 | c7b9886b69e58b728702fd1280b57e9a26f80231 |
| SHA256 | 1e33e1a8b01b8a774df1bfcec8ecbeb9a48201994a87d7f97d2d73d992a918f3 |
| SHA512 | 849e209f3abefeb250f6d621905e895acaeaa058aeb36a9eae8806ba5cc4a09eaf7e3916d3e34977f98e309f2345b6cc24dbfe8e5dbcca421735bae3c8654e1c |
\Windows\Installer\MSIB5E5.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\hpwms3kz.cmdline
| MD5 | 98c05aea0a82ebca45fce354c4797c4b |
| SHA1 | ef79caba2796991635075588b8f7aa943685c437 |
| SHA256 | 3a17b1642f2ed13810cb4f71b6cffdababb4bece876f9678ea338c93178bbd2b |
| SHA512 | c3bb9f37d1ea5fefd07b869736824e50be5f339235859830781681c14aa10cafe58572e06430c1cd518744afa3435a79df7475c6c577010d941426b92503facb |
\??\c:\Users\Admin\AppData\Local\Temp\hpwms3kz.0.cs
| MD5 | 14ac60821b7e9508914fdf584ef23f46 |
| SHA1 | 9bc6cb0f7ea31050962fe56398213a48c5097ffa |
| SHA256 | ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c |
| SHA512 | b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCBF59.tmp
| MD5 | e84ee3e3026b96a60e1edbc20d8a5c5c |
| SHA1 | dfc8f05d2224868c726e2d2b50f3f06d7c850854 |
| SHA256 | 593d03eb5f5bf8c06c0af384406aa1a4ce12199a1ead061b80ecc8991e11d86a |
| SHA512 | 0b5ef087b72b0e778c0d8cd6eeebfe0844d156cd0c1294b07172ff06f8fbdf039abb9d1647cd3b005851d0ef3eb22d6d7672958ba7280561b0f3b2ebc77e318b |
C:\Users\Admin\AppData\Local\Temp\hpwms3kz.dll
| MD5 | ed7bd81cea448c0ca728f15ce60a7cf4 |
| SHA1 | d276be56200f2c7a2afc2a1d7e536a6283cfb5b0 |
| SHA256 | 18620ffa0cb55cb4f10ff216a905bb18726cd2eb474a4b7e982c7d5901ab8ad6 |
| SHA512 | cae4d1d1762305c5e136711c3da2da044e1104720018afa823e978e876aa50e163583952835710d7acf26296ed19bb1fd1633238815c5d7740b84da10d30e45c |
C:\Users\Admin\AppData\Local\Temp\RESBF5A.tmp
| MD5 | 91371065139b174afd5ba9bbd39162f2 |
| SHA1 | c0f4904193f9c7e12f2900006964a53706e77c0d |
| SHA256 | 69cebd70f6e0b73f51f8305de4977402291c5f5846d0ceb943f85b55cb6a4540 |
| SHA512 | ff9ce4cf4b956e7c53612efb3be1379da15b6ba38584e3bd397aa341cf1b78bf60eb436b98b86b0c89f3367e997fde15e21fb0a9c0c2f29f1f9e249cec340218 |
memory/2388-249-0x0000000000E20000-0x0000000000E60000-memory.dmp
memory/2388-250-0x0000000074220000-0x00000000747CB000-memory.dmp
C:\Windows\Installer\MSICBB8.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
| MD5 | 4323b6a270235104f98471ad45dc874a |
| SHA1 | 2520f39bc8594e0b5aaaf93d9ce2c299ade1dc3e |
| SHA256 | fe63fec5904fc3bd4993695e0a61078aa70cc62fdb6d65a89fbb9ba491371308 |
| SHA512 | 336d029a7642516aa738f92412daae4bc1bd2557fa824246458a2f9686f84fb96b79e8a969035ffc2b02bdcf6bd507139f31e60d96ddf091558323e37ef83459 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
| MD5 | 5719ee7f6521ae142f0557f0706cded1 |
| SHA1 | a1d5694197827967aea5b3ccc88e2f91d465c283 |
| SHA256 | 0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf |
| SHA512 | cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
| MD5 | 2768222689e3585d609b5a2afc1ba52c |
| SHA1 | ee522df6b2e365857bf6be58ac7150cbc71cfc9c |
| SHA256 | 21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0 |
| SHA512 | 56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
| MD5 | e6ab030a2d47b1306ad071cb3e011c1d |
| SHA1 | ed5f9a6503c39832e8b1339d5b16464c5d5a3f03 |
| SHA256 | 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c |
| SHA512 | 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163 |
memory/2924-1151-0x0000000000600000-0x0000000000626000-memory.dmp
memory/2924-1178-0x0000000000630000-0x0000000000650000-memory.dmp
memory/2924-1275-0x0000000002E90000-0x0000000002F73000-memory.dmp
C:\Windows\assembly\tmp\YJK6VJYE\System.Data.SQLite.dll
| MD5 | c2e38bfe933c5bce36910fe1fb1d5067 |
| SHA1 | aac5ed2724e2f88c7af1a3bf56d73180ae709bb7 |
| SHA256 | 49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286 |
| SHA512 | 281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
| MD5 | 0c58d52b45ab3c2d6924d0e61a99ed9c |
| SHA1 | 770494d934af3e2715de00f10ad7cbff21d4db70 |
| SHA256 | 7b613b099da7ff54df229949c9a13fbd4f8e70ffd039764de9dde3ba140c1527 |
| SHA512 | dff8c55e32b98fa26b66683ef6ccf4c26cdc0043a421f3f9bdc4a53a06868e699ebb17f6abec9e5d77a78dc0e8cf079afa0651ac172406f4ab3342c9d0299713 |
C:\Windows\assembly\GAC\Microsoft.VisualStudio.OLE.Interop\7.1.40304.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.OLE.Interop.dll
| MD5 | 459ff9c6762b7fdd91c156ff3e096478 |
| SHA1 | 7179debce9a271450b1241e7435a999aea1ddd05 |
| SHA256 | 93865c89e1507409fbbeb9433542a303cdd2fd5acda3d51fecd83e4a8fb8072c |
| SHA512 | 8b95330d364413122427604af1c0e848694975eb8c541b911aeb0d50fbb5cd15a60863f68593f1088b26f83500f400f52292a2891511223f796be750c6a7583a |
C:\Windows\assembly\tmp\8SW4WOBO\Interop.SHDocVw.dll
| MD5 | 030a99f9594434ea83d27b33a95c4d5a |
| SHA1 | 230882058a1d50e4e8f7fa4bb3144dec506c5967 |
| SHA256 | 0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3 |
| SHA512 | 529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee |
C:\Config.Msi\f76aee9.rbs
| MD5 | fc8932332539d50bd1b1de640ce85401 |
| SHA1 | aceb907a5e90c53ff0270f642bcc1051678b428f |
| SHA256 | ccb31a86ea225ea294e3be99bc3363541c120e793806880a235a138af20c17bd |
| SHA512 | 81fc6c4b7d3fa5ea0f8e717c53c963e688f3eb1226b197b003fb20f870c19a838fc7674f44b8715779f0126db5fa371160a849361f3c99fef4a3ab5ff4a48de1 |
C:\Windows\Installer\MSID443.tmp-\srprl.dll
| MD5 | d8fa7df1f2cd92ad701bc23f86d89b54 |
| SHA1 | 72160fd5ad639c5a9c44305b06c98eb637399d18 |
| SHA256 | 475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4 |
| SHA512 | a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992 |
C:\Users\Admin\AppData\Local\Smartbar\Application\ufvywrsm.newcfg
| MD5 | 51417498b55cf9dd3d2b06acca131f8d |
| SHA1 | e29cf97632afc31c3f33e92ec11aba4ab6af279f |
| SHA256 | 09c4cf7783aaaf4d783a20d5d424e5d778dfa985cf24d9adab6a8615e5942ea9 |
| SHA512 | 2190da7f78ed76aed06ffabfdcfdff6f248ba7a1990bb80a4949a101626013c87048d5464487bcd0679c50d5019a26379f4f8691d0100ca08f7dfdd709417836 |
memory/1936-1529-0x00000000023A0000-0x00000000023B8000-memory.dmp
memory/1936-1530-0x00000000023A0000-0x00000000023B8000-memory.dmp
memory/940-1583-0x0000000000B00000-0x0000000000B26000-memory.dmp
memory/940-1584-0x0000000000B00000-0x0000000000B26000-memory.dmp
memory/2320-1611-0x000000001C230000-0x000000001C9D6000-memory.dmp
memory/2320-1612-0x000000001D190000-0x000000001D936000-memory.dmp
memory/1404-1639-0x0000000002370000-0x0000000002396000-memory.dmp
memory/1404-1640-0x00000000023A0000-0x00000000023C6000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | a4816728c888d140f460223f0255573c |
| SHA1 | a775f71065536fd7545c15471dc1463ceb489088 |
| SHA256 | 462346c8b6a85f26921755ea964b6c369822a771ffeb1193b303dfe7b9a60c8e |
| SHA512 | 382a17c9fbdf2b6c4bc1d9350c3bfbdf3fd77850118f995407f391005f2f71da3172d1edeed4b8169d1555bb8cea7e063261afc7107796b893865ca655bb13e0 |
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 710903dc40f1347c52c78ce03eb2d9d1 |
| SHA1 | 217d4affdbd3626308abd3cfde8e8cd9b56c89c1 |
| SHA256 | 438598731adb466c3ee256f7c5bdd3fb25cc1457337127a7a9f72eb26046bb7c |
| SHA512 | 4ce2dabfc62659ab9dfed8ed17bbf56a4aca1628f448d517369fd6b8c58d4bf8fa046899a56865c71851619dc68621f7b34f75cb6dcfb856c234e6e17c089883 |
C:\Windows\Installer\MSID443.tmp-\Newtonsoft.Json.dll
| MD5 | 0e32f5229d5ee7d288b6b3969a51fcbc |
| SHA1 | 54c09f07930525786fcf08b9c7aca24185a68fc1 |
| SHA256 | e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8 |
| SHA512 | 64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb |
C:\Windows\Installer\MSID443.tmp-\Interop.NetFwTypeLib.dll
| MD5 | a084b0c082ec6c9525336b131aeba39a |
| SHA1 | 45db1f5cc54a033e5df460b93edaa5d23a39ced9 |
| SHA256 | 7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d |
| SHA512 | 297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b |
memory/2388-2616-0x0000000074220000-0x00000000747CB000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
| MD5 | 48c23d0f15c6d9fdfc1038b7107a2b4d |
| SHA1 | 9e00f459a39862d5c31ba95905352091732fe876 |
| SHA256 | 3496e6869626de28d4a44345622b396dc648833be6ec416375282e2b4b45a566 |
| SHA512 | 86a5a5d7f47a565783e0bdfd9462f1dcc5046092c8d6dab0a4081b8e7f124e502f952b03c1b5fa31207dc82f831f7c8b1c1d49c465f7ecb0276f86c0c97724c2 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\4rlxkl3y.newcfg
| MD5 | 89b5c44904c9e1819dd7b1e962f812e4 |
| SHA1 | 1bb90c82540ae15ec203b79106f4b96019d30f0b |
| SHA256 | 957ac7929f1afbf819418c3306355a320bc2360eb21f99e15ccdbc22e190b884 |
| SHA512 | f5304b464931ae1a12cc0944598ce1f7c942a04c066759196cf83b04d9c4ce71d36a20fffe9456b3634e2e655f2864d516228e854ef8ebe85471fd769f1b94bb |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\jzyxcou2.newcfg
| MD5 | b35065cbcb72f52cefd17ec17eddc59e |
| SHA1 | ef99df37b163f9b846c143a329982e415224b768 |
| SHA256 | a42c6558551a7beba56de0c55ddae6d98d6933822eb9364cb50e1384051e8714 |
| SHA512 | b58647bacbac041c1975f0bc216d8234d7da7cbab740d81b67a3b0ead053a54ffec6104d95d5db45e7d238eca028f9b12549ac6950906bdb3c0fbb5bd5aac28e |
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-01 21:30
Reported
2024-12-01 21:32
Platform
win10v2004-20241007-en
Max time kernel
120s
Max time network
105s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\D9HRJDDJ\Microsoft.VisualStudio.OLE.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B37.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAABA.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI89B2.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9B67.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
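The three registry signatures above (the "Browser Infrastructure Helper" Run value, the Browser Helper Object CLSID registered by RegAsm.exe, and the Internet Explorer toolbar entry) together with the %LOCALAPPDATA%\Smartbar drop location are the artefacts a responder would sweep a host for. The PowerShell below is an added triage example written for this page; it is not part of the sandbox report and not code from the sample. The indicator strings are copied from the behavioral8 tables; the function names, the output object shape and the assumption that it runs in an elevated PowerShell 5.1 or later session on the suspect host are the editor's own.

```powershell
# Added host-triage example for this report, not sandbox output or sample code.
# Assumed: elevated PowerShell 5.1+ on the host being checked. Indicator strings come
# from the behavioral8 signature tables; everything else is the editor's own choice.

$RunValueName = 'Browser Infrastructure Helper'                 # "Adds Run key to start application"
$BhoClsid     = '{31ad400d-1b06-4e33-a59a-90c2c140cba0}'        # "Installs/modifies Browser Helper Object"
$ToolbarClsid = '{ae07101b-46d4-4a98-af68-0333ea26e113}'        # "Modifies Internet Explorer settings"
$SmartbarDir  = Join-Path $env:LOCALAPPDATA 'Smartbar'          # dropped-file paths in the report

function New-Finding {
    param([string]$Kind, [string]$Location, [string]$Detail)
    [pscustomobject]@{ Kind = $Kind; Location = $Location; Detail = $Detail }
}

function Get-SmartbarArtifacts {
    $findings = [System.Collections.Generic.List[object]]::new()

    # 1. Per-user Run key persistence. The report shows msiexec.exe writing the value
    #    under the detonation user's SID, so walk every loaded user hive, not only HKCU.
    $userHives = Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }
    foreach ($hive in $userHives) {
        $runKey = "Registry::HKEY_USERS\$($hive.PSChildName)\Software\Microsoft\Windows\CurrentVersion\Run"
        $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
        if ($null -eq $run) { continue }
        foreach ($p in $run.PSObject.Properties) {
            # Exact value name from the report, or any renamed value still pointing at Smartbar.
            if ($p.Name -eq $RunValueName -or "$($p.Value)" -match '\\Smartbar\\') {
                $findings.Add((New-Finding 'RunKey' $runKey "$($p.Name) = $($p.Value)"))
            }
        }
    }

    # 2. BHO registration in both registry views; the report shows the 32-bit and
    #    64-bit RegAsm.exe each writing its own copy.
    foreach ($view in 'SOFTWARE', 'SOFTWARE\WOW6432Node') {
        $bhoKey = "HKLM:\$view\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\$BhoClsid"
        if (Test-Path -Path $bhoKey) {
            $noExplorer = (Get-ItemProperty -Path $bhoKey -ErrorAction SilentlyContinue).NoExplorer
            $findings.Add((New-Finding 'BHO' $bhoKey "NoExplorer = $noExplorer"))
        }
        # Resolve the CLSID to the DLL Internet Explorer would actually load.
        $inproc = "HKLM:\$view\Classes\CLSID\$BhoClsid\InprocServer32"
        if (Test-Path -Path $inproc) {
            $dll = (Get-ItemProperty -Path $inproc -ErrorAction SilentlyContinue).'(default)'
            $findings.Add((New-Finding 'BHO-InprocServer32' $inproc "$dll"))
        }
        # 3. Internet Explorer toolbar entry keyed by the toolbar CLSID.
        $tbKey = "HKLM:\$view\Microsoft\Internet Explorer\Toolbar"
        $tb = Get-ItemProperty -Path $tbKey -ErrorAction SilentlyContinue
        if ($null -ne $tb -and $null -ne $tb.PSObject.Properties[$ToolbarClsid]) {
            $findings.Add((New-Finding 'IEToolbar' $tbKey "$ToolbarClsid = $($tb.$ToolbarClsid)"))
        }
    }

    # 4. Dropped binaries: hash everything executable under %LOCALAPPDATA%\Smartbar so
    #    the values can be compared against the dropped-file hashes in this report.
    if (Test-Path -Path $SmartbarDir) {
        Get-ChildItem -Path $SmartbarDir -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $h = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash.ToLower()
                $findings.Add((New-Finding 'DroppedFile' $_.FullName "sha256=$h"))
            }
    }
    return $findings
}

Get-SmartbarArtifacts | Format-Table -AutoSize
```

A `NoExplorer = 1` value on the BHO key tells Windows Explorer not to load the object, so the DLL attaches only to Internet Explorer processes; the InprocServer32 lookup is what turns the CLSID into a file path you can hash and compare with the SHA256 values listed in the dropped-file section of this report. An empty result does not prove a clean host: the sweep covers only the registry and file artefacts this detonation recorded, not the in-memory regions listed in the memory dump entries.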
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2AC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{226CBB7D-24E2-3F95-B762-A7EC52DAC005}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{80A7F279-4C73-3BED-B5BD-0AF6F30E0639}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17EC906B-6004-331A-8325-B4422D1ED446}\7.0.3300.0\Class = "mshtml._styleLayoutGridMode" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C77B0461-C344-345F-B41F-C1352A3E2B36}\7.0.3300.0\Class = "mshtml._bodyScroll" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2B9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.CPluginsClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FD436F4D-7C7B-32A4-A6B4-97DDDBB938D1}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{84559181-4149-3992-B3AB-31C84AB30373} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{ED785CBD-B02D-3BFC-8FBF-4CDC702AF748}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5A9A8984-9B4D-3A55-AA8B-3793F97436B2}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F272-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BFEDF92D-C312-3962-BD20-75FCA98DA96C}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F493-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHeadElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3BBE5145-9284-3874-A8B3-8E6B7E0DC27F}\7.0.3300.0\Class = "mshtml._htmlDropEffect" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E1132F27-8818-3C98-81A4-C9B9B5F28E8C} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F831-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{ADCDA984-74EE-399A-B8C7-F16E1D96115F} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\1.0.0.0\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\ProgId | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F27E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F24A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3052B1CC-423E-34EF-9804-DD42899A26EE}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17B23D75-CAA8-32CE-9EAF-085AE53370A0}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F282-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F4CA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F31A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F252-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLHRElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8F54FA54-1DF8-3B20-890C-CDD95364BC95}\1.0.0.0\RuntimeVersion = "v2.0.50727" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}\1.0.0.0\Class = "IESmartBar.DBIMF" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C77B0461-C344-345F-B41F-C1352A3E2B36}\7.0.3300.0\Class = "mshtml._bodyScroll" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F271-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B6227CA2-999A-3A8A-9F23-574171378ACD}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6D55083F-D6FF-3028-A8A3-95DE56BB6EDF}\7.0.3300.0\Class = "mshtml._styleRubyOverhang" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLParaElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ = "Shopping Helper Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\Implemented Categories | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FB776950-4C2E-3534-974B-B8092FCE2FA3} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2E0ED74B-B69A-3F95-9FD8-66006DB3972C}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2DF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8D262540-E3FA-39BA-8441-FC8751122B5F}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\1.0.0.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\1.0.0.0\Class = "IESmartBar.SmartbarDisplayState" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FF6904B0-8485-3B35-B2DD-87E6EED62C7A}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27D-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0002DF01-0000-0000-C000-000000000046} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{12A025D4-7210-3AE7-B626-DAFACADC256B}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F35D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F83E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EDC20047-2388-3184-B6DD-B543825CA72A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6}\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C8872B56-D98C-3C12-B8A9-9F81495D11D3}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E44B9A01-2579-38D0-83FC-BE0284A316E5}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C77B0461-C344-345F-B41F-C1352A3E2B36}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
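The rows above are what RegAsm.exe /codebase leaves behind for a .NET COM server: the InprocServer32 default points at mscoree.dll, the Assembly and Class values name the managed type, and CodeBase is a file:/// URL to the DLL, here under the user's AppData. None of that is malicious on its own (the Microsoft.mshtml and Interop.SHDocVw rows are plain interop registration), but a CLR-hosted server whose CodeBase sits in a user-writable directory and that is wired into an Internet Explorer extension point (the Toolbar value, a Browser Helper Objects key) is the persistence shape worth pulling out of a few hundred rows. The Python below is an added triage helper, not part of this report or of the Smartbar installer; it reads rows in the table layout the report uses, groups them per CLSID and prints findings. The sample rows are copied from the table above except the two marked constructed: an InprocServer32 default for the mshtml CLSID and a CodeBase value for the IESmartBar CLSID, both of which RegAsm writes but which this section of the report only shows for the Record keys.

```python
import re
from collections import defaultdict

# Row layout used by the report: | operation | indicator | process | target |
ROW_RE = re.compile(
    r'^\|\s*(?P<op>Set value[^|]*|Key created)\s*\|\s*(?P<ind>\\REGISTRY\\[^|]*?)\s*\|')
GUID = r'\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}'
CLSID_RE = re.compile(r'\\CLSID\\(' + GUID + r')(?P<tail>.*)$', re.IGNORECASE)
TOOLBAR_RE = re.compile(r'\\Internet Explorer\\Toolbar$', re.IGNORECASE)
BHO_RE = re.compile(r'\\Browser Helper Objects\\(' + GUID + r')', re.IGNORECASE)
# Locations an unprivileged user can overwrite: a COM server loaded from here can
# be swapped out without touching anything the OS protects.
USER_WRITABLE_RE = re.compile(
    r'[/\\](?:users[/\\][^/\\]+[/\\]appdata|programdata|temp)[/\\]', re.IGNORECASE)


def parse_row(line):
    """Return (operation, key_path, value_name, value). value_name and value are
    None for 'Key created' rows; lines that are not registry rows give None."""
    m = ROW_RE.match(line)
    if not m:
        return None
    op, ind = m.group('op').strip(), m.group('ind')
    if ' = ' not in ind:
        return op, ind, None, None
    key, value = ind.split(' = ', 1)
    key_path, _, name = key.rpartition('\\')   # a trailing '\' means the default value
    return op, key_path, name or '(Default)', value.strip().strip('"')


def collect(lines):
    """Group InprocServer32 facts per CLSID and note IE extension points naming a CLSID."""
    servers = defaultdict(dict)   # CLSID -> {'server', 'CodeBase', 'Assembly', 'Class', 'display'}
    hooks = defaultdict(set)      # CLSID -> {'Toolbar', 'BHO'}
    for line in lines:
        parsed = parse_row(line)
        if parsed is None or parsed[3] is None:
            continue
        _, key_path, name, value = parsed
        m = CLSID_RE.search(key_path)
        if m:
            clsid, tail = m.group(1).upper(), m.group('tail').lower()
            if tail.startswith('\\inprocserver32'):
                servers[clsid]['server' if name == '(Default)' else name] = value
            elif tail == '' and name == '(Default)':
                servers[clsid]['display'] = value
        if TOOLBAR_RE.search(key_path) and re.fullmatch(GUID, name):
            hooks[name.upper()].add('Toolbar')
        b = BHO_RE.search(key_path)
        if b:
            hooks[b.group(1).upper()].add('BHO')
    return servers, hooks


def triage(lines):
    """Flag CLR-hosted COM servers whose CodeBase is under a user-writable path, and
    IE extension points that reference a CLSID whose InprocServer32 never appeared."""
    servers, hooks = collect(lines)
    findings = []
    for clsid in sorted(set(servers) | set(hooks)):
        facts = servers.get(clsid, {})
        codebase = facts.get('CodeBase', '')
        clr_hosted = facts.get('server', '').lower() == 'mscoree.dll'
        if clr_hosted and USER_WRITABLE_RE.search(codebase):
            findings.append({'clsid': clsid, 'reason': 'CLR COM server loaded from user-writable path',
                             'codebase': codebase, 'assembly': facts.get('Assembly', ''),
                             'hooks': sorted(hooks.get(clsid, ()))})
        elif hooks.get(clsid) and 'server' not in facts:
            findings.append({'clsid': clsid, 'reason': 'IE extension point references CLSID with no InprocServer32 in trace',
                             'codebase': '', 'assembly': '', 'hooks': sorted(hooks[clsid])})
    return findings


SAMPLE_ROWS = [
    # copied from the report table
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ = "Shopping Helper Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\ = "mscoree.dll" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\1.0.0.0\Class = "IESmartBar.SmartbarDisplayState" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F252-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLHRElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |',
    r'| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\ProgId | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |',
    # constructed: values of the shape RegAsm /codebase writes, not shown in this section
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |',
    r'| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F252-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\ = "mscoree.dll" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |',
]

if __name__ == '__main__':
    for f in triage(SAMPLE_ROWS):
        print(f['clsid'], f['reason'], f['codebase'], f['hooks'])
```

Run over the whole "Modifies registry class" table (and the earlier sections that carry the CLSID CodeBase rows) the helper reduces the dump to the handful of CLSIDs that matter; the mshtml CLSID in the sample is left alone because it has no CodeBase, and the Toolbar CLSID is reported separately because its server registration is not in the sample.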
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = … | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = 5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c03000000010000001400000002faf3e291435468607857694df5e45b6885186868000000010000000800000000409120d035d9017e0000000100000008000000000063f58926d7011d000000010000001000000006f9583c00a763c23fb9e065a3366d55140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff20b00000001000000260000005300650063007400690067006f0020002800410064006400540072007500730074002900000053000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f000000010000001400000009b9105c5bba24343ca7f341c624e183f6ee7c1b0400000001000000100000001d3554048578b03f42424dbf20730a3f20000000010000003a040000308204363082031ea003020102020101300d06092a864886f70d0101050500306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74301e170d3030303533303130343833385a170d3230303533303130343833385a306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100b7f71a33e6f200042d39e04e5bed1fbc6c0fcdb5fa23b6cede9b113397a4294c7d939fbd4abc93ed031ae38fcfe56d505ad69729945a80b0497adb2e95fdb8cabf37382d1e3e9141ad7056c7f04f3fe8329e74cac89054e9c65f0f789d9a403c0eac61aa5e148f9e87a16a50dcd79a4eaf05b3a671949c71b350600ac7139d38078602a8e9a869261890ab4cb04f23ab3a4f84d8dfce9fe1696fbbd742d76b44e4c7adee6d415f725a710837b37965a459a09437f7002f0dc29272dad03872db14a845c45d2a7db7b4d6c4eeaccd1344b7c92bdd430025fa61b9696a582311b7a7338f567559f5cd29d746b70a2b65b6d3426f15b2b87bfbefe95d53d5345a270203010001a381dc3081d9301d0603551d0e04160414adbd987a34b426f7fac42654ef03bde024cb541a300b0603551d0f040403020106300f0603551d130101ff040530030101ff3081990603551d2304819130818e8014adbd987a34b426f7fac42654ef03bde024cb541aa173a471306f310b300906035504061302534531143012060355040a130b416464547275737420414231263024060355040b131d41646454727573742045787465726e616c20545450204e6574776f726b312230200603550403131941646454727573742045787465726e616c20434120526f6f74820101300d06092a864886f70d01010505000382010100b09be08525c2d623e20f9606929d41989cd9847981d91e5b14072336658fb0d877bbac416c47608351b0f9323de7fcf62613c78016a5bf5afc87cf787989219ae24c070a8635bcf2de51c4d296b7dc7e4eee70fd1c39eb0c0251142d8ebd16e0c1df4675e724adecf442b48593701067ba9d06354a18d32b7acc5142a17a63d1e6bba1c52bc236be130de6bd637e797ba7090d40ab6add8f8ac3f6f68c1a420551d445f59fa76221681520433c99e77cbd24d8a9911773883f561b313818b4710f9acdc80e9e8e2e1be18c9883cb1f31f1444cc604734976600fc7f8bd17806b2ee9cc4c0e5a9a790f200a2ed59e63261e559294d882175a7bd0bcc78f4e8604 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = … | C:\Windows\SysWOW64\rundll32.exe | N/A |
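Both keys sit under AuthRoot, the store in which CryptoAPI caches roots it pulls in through automatic root update, and the first entry's hex carries the subject AddTrust External CA Root (validity 30 May 2000 to 30 May 2020) with the UTF-16 friendly name Sectigo (AddTrust); 02FAF3E291435468607857694DF5E45B68851868 is that public root's SHA-1 thumbprint. Together with the CRL fetches from crl.usertrust.com and crl.comodoca.com in the Network table this is consistent with chain building for a Sectigo-issued signature inside the rundll32-hosted custom action rather than with a root planted by the installer, but the "Modifies system certificate store" signature fires on any write here, so the two things a practitioner wants to know are which certificate it is and whether the entry is internally consistent. The Python below is an added example, not part of the report: it parses the Blob property format (repeated prop_id / reserved / length / data records, prop_id values being the CERT_*_PROP_ID constants from wincrypt.h), pulls out the SHA-1, key identifier and friendly name, and checks the key name against both the SHA-1 property and a hash of the embedded DER when one is present. SAMPLE_PREFIX_HEX is the first eight properties of the 02FAF3E2... Blob copied from the row above, cut before the certificate property so the block stays short; the FAKE_* values are constructed and the placeholder DER is not a certificate.

```python
import hashlib
import struct

# Property identifiers from wincrypt.h that matter when triaging a store entry.
CERT_SHA1_HASH_PROP_ID = 3
CERT_FRIENDLY_NAME_PROP_ID = 11
CERT_KEY_IDENTIFIER_PROP_ID = 20
CERT_CERT_PROP_ID = 32            # the certificate itself, DER encoded


def parse_cert_blob(blob):
    """Split a serialized store entry into {prop_id: bytes}.
    The layout repeats until the buffer ends:
        uint32 prop_id | uint32 reserved (always 1) | uint32 length | <length bytes>
    """
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError('truncated property header at offset %d' % off)
        prop_id, reserved, length = struct.unpack_from('<III', blob, off)
        off += 12
        if reserved != 1 or off + length > len(blob):
            raise ValueError('malformed property %d at offset %d' % (prop_id, off - 12))
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def encode_cert_blob(props):
    """Inverse of parse_cert_blob; used here only to build a constructed test entry."""
    out = bytearray()
    for prop_id, data in props.items():
        out += struct.pack('<III', prop_id, 1, len(data)) + data
    return bytes(out)


def inspect_entry(key_name, blob):
    """Summarise one Certificates\\<thumbprint>\\Blob value and check that the key
    name, the SHA-1 property and the hash of the embedded DER all agree."""
    props = parse_cert_blob(blob)
    expected = key_name.lower()
    sha1_prop = props.get(CERT_SHA1_HASH_PROP_ID, b'').hex()
    der = props.get(CERT_CERT_PROP_ID)
    der_ok = hashlib.sha1(der).hexdigest() == expected if der is not None else None
    return {
        'friendly_name': props.get(CERT_FRIENDLY_NAME_PROP_ID, b'').decode('utf-16-le').rstrip('\0'),
        'key_identifier': props.get(CERT_KEY_IDENTIFIER_PROP_ID, b'').hex(),
        'sha1_property': sha1_prop,
        'sha1_matches_key': sha1_prop == expected,
        'der_present': der is not None,
        'der_length': len(der) if der is not None else 0,
        'der_sha1_matches_key': der_ok,
        # An entry written through CryptoAPI is always consistent; a mismatch means
        # something else wrote the value and it deserves a closer look.
        'consistent': sha1_prop == expected and der_ok is not False,
    }


# First eight properties of the 02FAF3E2... Blob from the report, one property per
# line, stopping before the certificate property (prop_id 32, 1082 bytes of DER).
SAMPLE_PREFIX_HEX = (
    '5c00000001000000040000000008000019000000010000001000000045ed9bbc5e43d3b9ecd63c060db78e5c'
    '03000000010000001400000002faf3e291435468607857694df5e45b68851868'
    '68000000010000000800000000409120d035d901'
    '7e0000000100000008000000000063f58926d701'
    '1d000000010000001000000006f9583c00a763c23fb9e065a3366d55'
    '140000000100000014000000adbd987a34b426f7fac42654ef03bde024cb541a'
    '620000000100000020000000687fa451382278fff0c8b11f8d43d576671c6eb2bceab413fb83d965d06d2ff2'
    '0b00000001000000260000005300650063007400690067006f00200028004100640064005400720075007300740029000000'
)

# Constructed entry with a placeholder "DER" (SEQUENCE { INTEGER 1 }); not a certificate.
FAKE_DER = bytes.fromhex('3003020101')
FAKE_THUMB = hashlib.sha1(FAKE_DER).hexdigest()
FAKE_BLOB = encode_cert_blob({
    CERT_SHA1_HASH_PROP_ID: bytes.fromhex(FAKE_THUMB),
    CERT_FRIENDLY_NAME_PROP_ID: 'constructed'.encode('utf-16-le') + b'\0\0',
    CERT_CERT_PROP_ID: FAKE_DER,
})

if __name__ == '__main__':
    print(inspect_entry('02FAF3E291435468607857694DF5E45B68851868', bytes.fromhex(SAMPLE_PREFIX_HEX)))
    print(inspect_entry(FAKE_THUMB, FAKE_BLOB))
```

Feeding inspect_entry the key name and the full hex from the row above yields the same fields for the real entry plus the DER checks; the prop_id 32 record there is 1082 bytes long and its hash must equal the key name for the entry to be consistent. A consistent entry only proves it was written the way CryptoAPI writes entries; whether it is benign still comes down to which certificate it is, which is why the thumbprint and friendly name are reported alongside the check.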
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding BA8CFBD8EAA8E9D677530C0F7B8A65F8
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI89B2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240618078 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j_akrhh6.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92EA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC92E9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\odeeml2y.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9943.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9942.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI9B67.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240622453 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIAABA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240626375 73 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnzpxy_g.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESACDB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCACDA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ygzlflv2.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD96.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD95.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fhqqteui.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF118.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF117.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zvifrc0r.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF1C3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF1C2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zm77pd79.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF240.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF23F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vovn-xuw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2BD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF2BC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z2dep1fs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF34A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF349.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\sns-5kze.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF3E6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF3E5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uubvn7be.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF483.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF482.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kjrkxhqt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF56D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF56C.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fmi9rzir.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vih05ccs.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF686.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF685.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF6D4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF6D3.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xkt0q46t.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF907.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF906.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dkzisjut.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFB59.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFB58.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j1wbrr5d.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE95.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFE94.tmp"
Network
Files