Analysis Overview
SHA256
672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b
Threat Level: Known bad
The file 672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe was found to be: Known bad.
Malicious Activity Summary
Pandastealer family
PandaStealer
Panda Stealer payload
Blocklisted process makes network request
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Event Triggered Execution: Component Object Model Hijacking
Checks computer location settings
Checks whether UAC is enabled
Adds Run key to start application
Checks installed software on the system
Installs/modifies Browser Helper Object
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in Windows directory
System Location Discovery: System Language Discovery
Program crash
Unsigned PE
Enumerates physical storage devices
System Network Configuration Discovery: Internet Connection Discovery
NSIS installer
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer start page
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-01 21:36
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Pandastealer family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-01 21:36
Reported
2024-12-01 21:38
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\9P899CTL\System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\tmp\ZNB5JET6\__AssemblyInfo__.ini | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57789f.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9F12.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7F32.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B3A.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d0000000002000000000010660000000100002000000002dc657cbb138492d05c4de1610a29e4ce3202b8e9e2807f26cdc0f4d1c088fa000000000e8000000002000020000000ea0848a3471242d4573c06823d7a1512ce855f366698b3f80db01aa856636cbb20000000e2c783f0f45f7117f26a323be55ef00255f787279786245d22ec52bf741e4efe40000000995acf6b1116eafc23682969182c86681d1234df56019e31af54d9098c051aa4c3cb89d5fad3e0a95e381722affee129dcdcc51f5f24c2d0bccd342d8bf9fabf | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e065bb353944db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d020c0353944db01 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\VersionManager | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31147065" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{603FAB9F-B02C-11EF-B319-EE8B2F3CE00B} = "0" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\User Preferences\2BB20B33B4171CDAAB6469225AE6A582ED33D7B488 = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d000000000200000000001066000000010000200000001fed82ecb37beee8fc991e0a48b87a938e3ccf56e70cd32ad2ca11cfa3377f6b000000000e80000000020000200000008e2c4bc6abed8b2ed59a17725c074a470f30aa915bc633c8a77c05e6a590dfaf100000003a3b0380fe8cf04a8992795f6eda5ff8400000000cbd98b317c1c4133cba0bf626639c7bfd581f576ce4c0df5348fd1108b8a297aa08992d7164b3b79804e469941836fcb88ba57848b27cbe7f665d3130baedb6 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31147065" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "884598571" | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000013f787289f1be14e87be8dc204ff715d0000000002000000000010660000000100002000000060c4a34bbba1b24b53b96d12fad22215ba0e524292c68a5ab6ad37effcbd07ba000000000e80000000020000200000007dd77a592a3beb4ba6e026b83ee7f4262a83e59259c1db7946fe1e89a3f06eac2000000082357743e9520528865b5f6a5995d69e5ff118988d792a867bb078cf10d944b740000000fcc2b0bd2b20bbaea3f95ce9a431fc115011a47d9320e913728f1084630f6cbaaa4eefb540631dbf4febc0250dbd0097d58de1a969e3f465c483844cc91516b0 | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=hp&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=hp&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\ThreadingModel = "Both" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F4CA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2EC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTableCaptionClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F38B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLNoShowElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{44F8A905-4739-3126-A4C7-C719CFD0F7CD}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\Class = "IESmartBar.IESmartBar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F312-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D605E460-59C4-3D0A-9116-608B63FE300A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FCA45B37-4187-3803-BE3C-6CD2A95783AD}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0D873270-8F86-3AE0-8173-7A61008EBF07}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B5F4933A-373F-37E9-B233-37FC1BC8585A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F172639F-F18B-3756-8450-06866584ADEF} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{71F13D44-7694-3B7D-B713-6BBF9930501D}\7.0.3300.0\Class = "mshtml._htmlStart" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24}\1.0.0.0\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\HelpText = "Shopping Helper Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9778FF5E-CBCB-3A8E-AA0C-69F4540870C0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FEC3343A-E3E9-3639-8ACF-00DC8EE87864}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{163BB1E1-6E00-11CF-837A-48DC04C10000}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3D0-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA6-8405-11CF-8BA1-00AA00476DA6} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5ED36A62-17DA-3BB9-B488-FAA297521C88}\7.0.3300.0\Class = "mshtml._styleTextUnderlinePosition" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4BA-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\InprocServer32\1.0.0.0\Class = "IESmartBar.SmartbarMenuForm" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F4B2-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2B4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C8872B56-D98C-3C12-B8A9-9F81495D11D3}\7.0.3300.0\Class = "mshtml._htmlReadyState" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D4D9559B-E4D2-3397-9DB1-A68196A3302E}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{61C382EF-F351-3AD9-8266-80A59F647096}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A4C7AE7E-D238-3AA8-BFB3-04E2C443959B}\1.1.0.0\RuntimeVersion = "v2.0.50727" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F4CA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{42F3AEF3-2F2C-3EAB-8575-1A107DA7DA27}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D4D9559B-E4D2-3397-9DB1-A68196A3302E}\7.0.3300.0\Class = "mshtml._styleBackgroundPositionX" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}\ProgId\ = "IESmartBar.IESmartBarBandObject" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5DE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.CPluginsClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D4BCD531-FE06-3383-95C0-F9199DFE8A51} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLStyleSheetPageClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLTitleElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F275-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLMetaElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5EB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F282-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLBaseFontElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FB2E65F4-5687-33EF-9BBF-4E3C9C98D3B9}\1.0.0.0\Class = "IESmartBar.DBIMF" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{87845C39-C387-384B-99ED-3E3701F86C1D}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F38B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3E8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\1.0.0.0\Class = "IESmartBar.DockingPanel" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ProgId\ = "IESmartBar.IESmartBar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{17EC906B-6004-331A-8325-B4422D1ED446}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F831-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe | "C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe" |
| C:\Users\Admin\AppData\Local\Temp\Installer.exe | C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE |
| C:\Windows\SysWOW64\taskkill.exe | taskkill /F /IM msiexec.exe |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4 |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding FE2881A502345D9667D2BF69F77250B8 |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Windows\Installer\MSI7F32.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240615265 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5dbhmco.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES84A2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC84A1.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ts4u0y5t.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES881D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC881C.tmp" |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Windows\Installer\MSI8B3A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240618296 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles |
| C:\Windows\SysWOW64\rundll32.exe | rundll32.exe "C:\Windows\Installer\MSI9F12.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240623375 73 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zfco2hhg.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA181.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA180.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ecarwylk.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA27B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA27A.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll" |
| C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll" |
| C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll" |
| C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll" |
| C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll" |
| C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | "C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe" |
| C:\Program Files (x86)\Internet Explorer\iexplore.exe | "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=sc&installDate=01/12/2024 |
| C:\Program Files\Internet Explorer\IEXPLORE.EXE | "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=sc&installDate=01/12/2024 |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rfybauq5.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4A6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD4A5.tmp" |
| C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2732 CREDAT:17410 /prefetch:2 |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-ae5vmrl.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD6BA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD6B9.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fckuuqhm.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD821.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD820.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\c54zjwah.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD91B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD91A.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\k31x8yv-.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD9D6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD9D5.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e5_u40ex.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB0F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDB0E.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ostojsbz.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBEA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDBE9.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ozuej1xi.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD32.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD31.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\iwizbf4j.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE8A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE89.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ij5ecavl.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFE1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDFE0.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9971kh9h.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE223.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE213.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ivpqxban.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4F2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE4F1.tmp" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zpexh6bo.cmdline" |
| C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE86D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE86C.tmp" |
| C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding |
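The process list above, read the way a triage analyst would. The following Python is an added example, not part of this report and not code from the sample or its vendor: it pairs each image path with its command line, tags the behaviours worth a second look (the installer killing msiexec.exe and then running its own MSI silently from %TEMP%, the WiX DTF managed custom actions hosted by rundll32, the run-time C# compilation by csc.exe, RegAsm /codebase registering the IE extension and BHO from the user's AppData, and Internet Explorer launched straight into feed.snapdo.com), and checks that the INSTALLATION_ID handed to msiexec is the same value later sent as userid in that URL. The tag names and the "user-writable path" heuristic are the example's own assumptions; the sample input is a subset of the lines above.

```python
"""Triage of the flattened process list: pair image/command line, tag
behaviours, and tie the MSI's INSTALLATION_ID to the userid later sent to
feed.snapdo.com. Added example; tag names and the 'user-writable path'
heuristic are this example's assumptions, not fields of the report."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the process lines on this page, kept in
# the page's own "image path, then command line" order.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI7F32.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240615265 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\s5dbhmco.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=5f91d3d2-c1ee-ded0-9d50-3d4a869ecfb4&searchtype=sc&installDate=01/12/2024
"""

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)  # writable without elevation
INSTALL_ID = re.compile(r"INSTALLATION_ID:([0-9a-fA-F-]{36})")


def parse_process_list(text):
    """Pair alternating 'image path' / 'command line' lines, checking each pair agrees."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("odd number of lines: image/cmdline pairing is broken")
    pairs = []
    for image, cmdline in zip(lines[0::2], lines[1::2]):
        stem = image.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
        if stem not in cmdline.lower():
            raise ValueError(f"command line does not mention image {image!r}")
        pairs.append((image, cmdline))
    return pairs


def tag_process(image, cmdline):
    """Behaviour tags for one process (this example's own vocabulary)."""
    base = image.rsplit("\\", 1)[-1].lower()
    low = cmdline.lower()
    tags = set()
    if USER_WRITABLE.search(image):
        tags.add("image-in-user-profile")
    if base == "taskkill.exe" and re.search(r"/im\s+msiexec\.exe", low):
        tags.add("kills-msiexec")  # clears any running installer before its own MSI
    if base == "msiexec.exe" and " /i " in low and "/quiet" in low and USER_WRITABLE.search(cmdline):
        tags.add("silent-msi-from-user-profile")
    if base == "rundll32.exe" and "zzzzinvokemanagedcustomaction" in low:
        tags.add("wix-dtf-managed-custom-action")  # WiX DTF SfxCA export: managed code run by the MSI
    if base == "csc.exe" and re.search(r'@"?[^"]*\.cmdline', cmdline):
        tags.add("runtime-csharp-compile")  # CodeDOM compile of a temp .cs; judge it by its parent
    if base == "regasm.exe" and "/codebase" in low and USER_WRITABLE.search(cmdline):
        tags.add("com-server-registered-from-user-profile")  # BHO / IE extension from AppData
    if base == "iexplore.exe" and re.search(r"https?://\S+", cmdline):
        tags.add("browser-launched-with-url")
    return tags


def url_params(cmdline):
    """Flatten the query string of the first URL on the command line, or {}."""
    m = re.search(r"https?://\S+", cmdline)
    if not m:
        return {}
    return {k: v[0] for k, v in parse_qs(urlsplit(m.group(0)).query).items()}


def triage(text):
    return [{"image": img, "cmdline": cl, "tags": sorted(tag_process(img, cl)),
             "url_params": url_params(cl)} for img, cl in parse_process_list(text)]


def correlate_install_id(results):
    """The INSTALLATION_ID that is also sent as a 'userid' URL parameter, or None."""
    ids = {m.group(1).lower() for r in results for m in INSTALL_ID.finditer(r["cmdline"])}
    seen = {r["url_params"].get("userid", "").lower() for r in results}
    return min(ids & seen) if ids & seen else None


if __name__ == "__main__":
    rows = triage(SAMPLE)
    for r in rows:
        print(r["image"].rsplit("\\", 1)[-1], r["tags"])
    print("install id reused as tracking userid:", correlate_install_id(rows))
```

The csc.exe/cvtres.exe pairs are the weakest signal on their own: .NET 2.0 compiles temporary C# the same way when it generates an XmlSerializer assembly, which this package ships (Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll is among the dropped files), so rate them by the process that spawned them rather than by the compiler invocation. The RegAsm /codebase registrations from AppData and the install-id reuse in the feed.snapdo.com URL are the rows to build detections on.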
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 143.184.71.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 172.64.149.23:80 | crl.usertrust.com | tcp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.31.180:80 | feed.snapdo.com | tcp |
| US | 104.18.38.233:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | 180.31.232.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ww7.snapdo.com | udp |
| US | 199.59.243.227:80 | ww7.snapdo.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 227.230.16.69.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| US | 172.232.31.180:80 | feed.snapdo.com | tcp |
| US | 172.232.31.180:80 | feed.snapdo.com | tcp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 199.59.243.227:80 | ww7.snapdo.com | tcp |
| US | 199.59.243.227:80 | ww7.snapdo.com | tcp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 199.109.58.176.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | install.outbrowse.com | udp |
| US | 76.223.54.146:80 | install.outbrowse.com | tcp |
| US | 8.8.8.8:53 | 146.54.223.76.in-addr.arpa | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
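Turning the Network table into an indicator list. The following Python is an added example, not part of this report: it parses the table rows, drops the reverse-DNS lookups and local multicast noise, sets aside endpoints the sample reaches only for certificate revocation checks, NTP, the google.com connectivity probe and Microsoft CDN/IE traffic, and groups what remains by registered domain with the IPs each host resolved to. The allow-list, the resolver set and the two-label registered-domain rule are the example's analyst assumptions; the input is a subset of the rows above.

```python
"""IOC extraction from the Network table: parse rows, discard sandbox
background noise and allow-listed infrastructure, group the rest by
registered domain. Added example; BENIGN and RESOLVERS are analyst
assumptions for this page, not fields of the report."""
import ipaddress

# Constructed sample: a subset of the Network rows on this page.
SAMPLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.31.180:80 | feed.snapdo.com | tcp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 199.59.243.227:80 | ww7.snapdo.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 76.223.54.146:80 | install.outbrowse.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
"""

RESOLVERS = {"8.8.8.8"}  # the sandbox's DNS server; its address is never an IOC
# Analyst allow-list (assumption): revocation, time, CDN and connectivity
# endpoints that any signed installer or an IE launch touches on its own.
BENIGN = {"comodoca.com", "usertrust.com", "verisign.com", "google.com",
          "ntp.org", "msecnd.net", "microsoft.com"}


def registered_domain(host):
    """Last two labels; not Public-Suffix-aware, sufficient for this table."""
    return ".".join(host.lower().split(".")[-2:])


def parse_network_table(text):
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        ip, port = cells[1].rsplit(":", 1)
        rows.append({"country": cells[0], "ip": ip, "port": int(port),
                     "domain": cells[2], "proto": cells[3]})
    return rows


def classify(row):
    if row["domain"] == "N/A" or ipaddress.ip_address(row["ip"]).is_multicast:
        return "local-noise"  # mDNS/SSDP and similar sandbox background traffic
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr-lookup"  # reverse lookups the OS issues for peers it already contacted
    if registered_domain(row["domain"]) in BENIGN:
        return "benign-infra"
    return "ioc"


def build_iocs(rows):
    """Group IOC hosts and the IPs they resolved to, keyed by registered domain."""
    out = {}
    for r in rows:
        if classify(r) != "ioc":
            continue
        entry = out.setdefault(registered_domain(r["domain"]), {"hosts": set(), "ips": set()})
        entry["hosts"].add(r["domain"].lower())
        if not (r["port"] == 53 and r["ip"] in RESOLVERS):  # DNS rows only name the resolver
            entry["ips"].add(r["ip"])
    return out


def defang(iocs):
    """Flat, sorted, defanged list suitable for pasting into a ticket."""
    items = set()
    for entry in iocs.values():
        items.update(entry["hosts"] | entry["ips"])
    return sorted(i.replace(".", "[.]") for i in items)


if __name__ == "__main__":
    for dom, e in sorted(build_iocs(parse_network_table(SAMPLE)).items()):
        print(dom, sorted(e["hosts"]), sorted(e["ips"]))
```

The CRL fetches (crl.comodoca.com, crl.usertrust.com, csc3-2010-crl.verisign.com) are revocation checks on certificate chains and say nothing about the operator's infrastructure, which is why they sit on the allow-list; the snapdo.com, snapdoapp.com, linkury.com and outbrowse.com hosts are the ones to block and hunt for. A DNS-only host such as ws-cloud.snapdoapp.com comes out with an empty IP set, which is correct: the table never shows it resolving.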
Files
C:\Users\Admin\AppData\Local\Temp\nsk6D03.tmp\Registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
C:\Users\Admin\AppData\Local\Temp\Installer.exe
| MD5 | 564e47a3604ced3b7c18e43250226cd7 |
| SHA1 | a3eef8fac3617d048fb9fce2201937297e3920f1 |
| SHA256 | 12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83 |
| SHA512 | e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf |
C:\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
C:\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/3104-27-0x0000000003550000-0x0000000003560000-memory.dmp
memory/3104-28-0x0000000073C72000-0x0000000073C73000-memory.dmp
memory/3104-32-0x0000000073C70000-0x0000000074221000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Windows\Installer\MSI7F32.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
C:\Windows\Installer\MSI7F32.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
C:\Windows\Installer\MSI7F32.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
C:\Windows\Installer\MSI7F32.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
C:\Windows\Installer\MSI7F32.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
C:\Windows\Installer\MSI7F32.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
C:\Windows\Installer\MSI7F32.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\s5dbhmco.cmdline
| MD5 | d873d010dcdf9feb42c80c79e6671969 |
| SHA1 | 0ed76c70bfba10e148a265f5c4de2edf00f86de0 |
| SHA256 | 9795fc1c46c104d585ea2dc68002ce5f53b254ddd27abf1f6650b275a7abfcd3 |
| SHA512 | 1545ed8526bfb13ae523ece7e07119153f342147d4dadd4d02fe236cbe0b5dbbbc3d966d5b5c1fd8998948ffca2c7e5ed573e125cd0097a5e2c640366bf4e617 |
\??\c:\Users\Admin\AppData\Local\Temp\s5dbhmco.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
\??\c:\Users\Admin\AppData\Local\Temp\CSC84A1.tmp
| MD5 | 10e6b94db09b521f1e57249effcb3cff |
| SHA1 | 6085d990126409793b00bd291c46672b9fd53647 |
| SHA256 | b220fe47c6d3ac7164867622c9f5d4ede3701ed54c8671f34fdf197acb374f68 |
| SHA512 | ebea7c7268f14ce888b185954e4006ca2b58135ba98ae3faed48398c1ecd72a5668c81ced10d688b9e119f4127e2556321845d36c673e1de1e1231d2b1297857 |
C:\Users\Admin\AppData\Local\Temp\RES84A2.tmp
| MD5 | 9f7f4e70918a09f204c7e3d7f0b093d0 |
| SHA1 | 0231b79d88ae0dac80d87ffacc6eba2789f0d04f |
| SHA256 | f153b4433c37fc50bbb8e3f164b88b6d215b7065d27cfd271ba0d1af1604bfd5 |
| SHA512 | a9aec27f9f64bf9963042acbf59f8ba96cb9cd50a5531533fe53616fd517744a89560259fbb42f0fd4f1918b27056608bbf2eb7e3902d7452e259007a1cf9106 |
C:\Users\Admin\AppData\Local\Temp\s5dbhmco.dll
| MD5 | 826ac85abd17b71434f9014d78a76812 |
| SHA1 | e345bbf8ae42fadc232193f25321e974eae27d86 |
| SHA256 | 45a52e69d5454fefd0fbfb699c0b2b590eb3f38ce0a991bbe5d7389f941624c3 |
| SHA512 | b75ea9a4cd8597b418fb3d159b3fa2c8c93a2b9ecf0a59ed611304015256291f1b307bc48043cdb30f71ba87a1daa70a4044f9d099b0be95c8633385a22cfa08 |
C:\Windows\Installer\MSI7F32.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Windows\Installer\MSI7F32.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\ts4u0y5t.cmdline
| MD5 | 1c38bf08e25453297ada2bd615de4c14 |
| SHA1 | 658b46c65d5d9022b7a926fd7a24ac2a622c5a1b |
| SHA256 | a8a12e2d1b43daa101a7907e02b3afc780ebe1e9785369a07780ea0dfb0072bf |
| SHA512 | d059621d0c80a8971ead30361f69557d4f3ecfcd2d81e02de410a4ca48a805849a7419b068d96e93574d03410ef2bbde7680b43cb06c2537086b7e39b19f92fe |
C:\Windows\Installer\MSI8B3A.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
memory/3104-376-0x0000000003550000-0x0000000003560000-memory.dmp
memory/3104-475-0x0000000073C72000-0x0000000073C73000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
| MD5 | 5719ee7f6521ae142f0557f0706cded1 |
| SHA1 | a1d5694197827967aea5b3ccc88e2f91d465c283 |
| SHA256 | 0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf |
| SHA512 | cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
| MD5 | 2768222689e3585d609b5a2afc1ba52c |
| SHA1 | ee522df6b2e365857bf6be58ac7150cbc71cfc9c |
| SHA256 | 21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0 |
| SHA512 | 56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
| MD5 | e6ab030a2d47b1306ad071cb3e011c1d |
| SHA1 | ed5f9a6503c39832e8b1339d5b16464c5d5a3f03 |
| SHA256 | 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c |
| SHA512 | 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163 |
memory/3104-833-0x0000000073C70000-0x0000000074221000-memory.dmp
memory/2968-1113-0x0000019CC3F00000-0x0000019CC3F26000-memory.dmp
memory/2968-1140-0x0000019CC3860000-0x0000019CC3880000-memory.dmp
memory/2968-1237-0x0000000000EF0000-0x0000000000FD3000-memory.dmp
C:\Windows\assembly\tmp\9P899CTL\System.Data.SQLite.dll
| MD5 | c2e38bfe933c5bce36910fe1fb1d5067 |
| SHA1 | aac5ed2724e2f88c7af1a3bf56d73180ae709bb7 |
| SHA256 | 49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286 |
| SHA512 | 281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d |
C:\Windows\assembly\tmp\J9YRSL1M\Interop.SHDocVw.dll
| MD5 | 030a99f9594434ea83d27b33a95c4d5a |
| SHA1 | 230882058a1d50e4e8f7fa4bb3144dec506c5967 |
| SHA256 | 0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3 |
| SHA512 | 529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee |
C:\Windows\assembly\GAC\Microsoft.VisualStudio.OLE.Interop\7.1.40304.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.OLE.Interop.dll
| MD5 | 459ff9c6762b7fdd91c156ff3e096478 |
| SHA1 | 7179debce9a271450b1241e7435a999aea1ddd05 |
| SHA256 | 93865c89e1507409fbbeb9433542a303cdd2fd5acda3d51fecd83e4a8fb8072c |
| SHA512 | 8b95330d364413122427604af1c0e848694975eb8c541b911aeb0d50fbb5cd15a60863f68593f1088b26f83500f400f52292a2891511223f796be750c6a7583a |
C:\Config.Msi\e57789e.rbs
| MD5 | c05f3905e6d27820cc02213bbcb363a9 |
| SHA1 | 3f1b11d5ba688ada67dc9e55114bbc428b3c3dc7 |
| SHA256 | 20c7371837544d46737a15f54e6f64795ccb04818a4ed5e326a973b6c262deec |
| SHA512 | 59998ae9543db44b10996a54173eda0f1d3c991a214186610b625e9a8db6808b38229c5353eef60853d9a984d2a6c41e67138b54c2837146075e0f0ed232e851 |
C:\Windows\Installer\MSI9F12.tmp-\srprl.dll
| MD5 | d8fa7df1f2cd92ad701bc23f86d89b54 |
| SHA1 | 72160fd5ad639c5a9c44305b06c98eb637399d18 |
| SHA256 | 475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4 |
| SHA512 | a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
C:\Users\Admin\AppData\Local\Smartbar\Application\aflon-zr.newcfg
| MD5 | ec3f05ac2148162ddb052f23299b8ecb |
| SHA1 | 6ce68e94fb7df83ae34094a85abfefce8a3b8d79 |
| SHA256 | 449ab9dae5f16f9dc9e70e37930aeb4c78e057debbb8fe25fb5460a9666ec016 |
| SHA512 | d166cb06e095281a4a26bdb78e7752d8f9d0e408aa3048eea2294222aa0b7e901364ba377cfc353ada392693b15736c96267697dcabc745f2e4b3d539599b70a |
memory/796-1388-0x0000000001DB0000-0x0000000001DC8000-memory.dmp
memory/796-1396-0x000000001F230000-0x000000001F6FE000-memory.dmp
memory/796-1397-0x000000001F7A0000-0x000000001F83C000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-12-01 21:36
Reported
2024-12-01 21:38
Platform
win7-20241023-en
Max time kernel
121s
Max time network
122s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2920 -s 224
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-12-01 21:36
Reported
2024-12-01 21:38
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
146s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Resources.Translations.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\DX9SDBHF\Interop.SHDocVw.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{9726F9E3-EE13-4601-B2AF-81B1413BD8AF} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\DWNDXHTS\System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57ab44.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID4A8.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC18D.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB2F4.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F7F6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.FramesCollectionClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E4ED34BC-3CEA-317F-9CE5-54963005EBFD}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F248-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{915BB7D5-082E-3B91-B1E0-45B5FDE01F24}\1.0.0.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLBodyClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F493-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0D873270-8F86-3AE0-8173-7A61008EBF07}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.SmartbarMenuForm\ = "IESmartBar.SmartbarMenuForm" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{31C3DCFD-A426-3D6A-A085-C8EBF166715A}\7.0.3300.0\Class = "mshtml._htmlEditable" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F24D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLOptionElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4E953F92-B7F6-39FA-A192-FB2BB7299F3A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A66A524B-DE26-335C-BBCD-86250806FAD3}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F3FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLParaElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1A7B7923-55BB-3079-B47E-AC73CBEDCE77}\7.0.3300.0\Class = "mshtml._styleBorderCollapse" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D9FB2625-1C86-34B2-BF13-E4BBF98C23E9}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F270-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0B9FE4F7-CA65-3C27-85CA-E351D0908E6D}\1.1.0.0\Class = "SHDocVw.OLECMDEXECOPT" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLButtonElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F26D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5A9A8984-9B4D-3A55-AA8B-3793F97436B2}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F282-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLBaseFontElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\ProgId | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{80A94470-9C4F-3A47-AE2F-E6BEDB44F52A}\7.0.3300.0\Class = "mshtml._stylePageBreak" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2DF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2AE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1A7B7923-55BB-3079-B47E-AC73CBEDCE77}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5ED36A62-17DA-3BB9-B488-FAA297521C88}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\Class = "IESmartBar.SmartbarDisplayState" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4E5C10BC-5FF5-35F5-A45C-078544CA9D7D}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3FCB7A29-B2EE-3458-93FB-68B840DF3DC0}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3C4EE674-4A82-3318-B48B-B24A8FD7F44A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{80A94470-9C4F-3A47-AE2F-E6BEDB44F52A}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34A226E0-DF30-11CF-89A9-00A0C9054129}\1.1.0.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F3D4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleFontFaceClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8A507758-725A-3C67-9324-D93FD68ECC5A}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{DF98BCAE-1E01-3B0E-BFB7-793C5635D867}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B8682952-DAFC-38CC-9852-58D7AB90FAD0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0DD42D81-4F88-3FF4-B1FE-51BF0C074D80} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0D4F52BA-91D9-3585-B305-F8AAF0B1DBAC}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E4ED34BC-3CEA-317F-9CE5-54963005EBFD}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E107CA26-9F34-3EA3-A2F9-C8844CC4DE75}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2C6-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\ProgId | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3050F5D8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9FFFC12A-7894-37CC-98EE-00204C83A696}\7.0.3300.0\Class = "mshtml._htmlCompatMode" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F272-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C550EBDA-A045-36DA-AFB8-8A96C202334A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9778FF5E-CBCB-3A8E-AA0C-69F4540870C0}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F280-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (binary blob omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = (binary blob omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\02FAF3E291435468607857694DF5E45B68851868\Blob = (binary blob omitted) | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 13B5C29964525BC9A034E167B46C6F0F
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB2F4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240628687 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylfxn5bb.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBBFE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBBFD.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\exoqjel7.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBEFB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBEFA.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIC18D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240632218 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSID4A8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240637093 52 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vl6lgz62.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD737.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD736.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h9scg1r-.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD8BD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD8BC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6x2r5ptl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES56B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC56A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hmtfpbmp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES75F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC75E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kpblsar_.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES943.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC942.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jakzvbmt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAB9.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zuqvd7rt.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC12.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC11.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lhiz86gd.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDC7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDC6.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ara0iuxa.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF00.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEFF.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yrmfkod-.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1048.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1047.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6cq4ezim.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES11FD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC11FC.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1qv5cafj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1355.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1354.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\u0jjj1kf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1691.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1690.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rm7jl4c-.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES17AB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC17AA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0e_vijgp.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B25.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B24.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 143.184.71.167.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | crl.usertrust.com | udp |
| US | 8.8.8.8:53 | 23.149.64.172.in-addr.arpa | udp |
| US | 172.64.149.23:80 | crl.usertrust.com | tcp |
| US | 8.8.8.8:53 | crl.comodoca.com | udp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | 233.38.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.25.148:80 | feed.snapdo.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 172.64.149.23:80 | crl.comodoca.com | tcp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww7.snapdo.com | udp |
| US | 8.8.8.8:53 | 148.25.232.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.230.16.69.in-addr.arpa | udp |
| US | 199.59.243.227:80 | ww7.snapdo.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 227.243.59.199.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.4.219.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | 161.19.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
C:\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/5032-18-0x0000000003600000-0x0000000003610000-memory.dmp
memory/5032-19-0x0000000074F02000-0x0000000074F03000-memory.dmp
memory/5032-23-0x0000000074F00000-0x00000000754B1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Windows\Installer\MSIB2F4.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
C:\Windows\Installer\MSIB2F4.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
C:\Windows\Installer\MSIB2F4.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
C:\Windows\Installer\MSIB2F4.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
C:\Windows\Installer\MSIB2F4.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
C:\Windows\Installer\MSIB2F4.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
C:\Windows\Installer\MSIB2F4.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\ylfxn5bb.cmdline
| MD5 | 88f84be0b501ba32c0b0a7932304c03f |
| SHA1 | 7bc4795c81b6473d495858e44d3653184da85440 |
| SHA256 | d23ed608e9fa8dc1a5e1c459e80e5e98f9e359bd2b8925ab5230a09d66a8786c |
| SHA512 | e69ac3ca68e6a2b8ebd7b86b8f2ccfd1197bfe90bd31de99f6f0885033eb30e0dc5b6aa4b8a25bbe950032be2649401c49f8604b59020ccad43080bc5d57881e |
\??\c:\Users\Admin\AppData\Local\Temp\ylfxn5bb.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCBBFD.tmp
| MD5 | b4b13d8ae591a9cfa00e1471d8cd263e |
| SHA1 | c295eca9a6d2fef328bcd3b7b8b19e507f02191a |
| SHA256 | 1764893c25bbac319b9941b2016d8cd313976d0e5874a3068197bdd2a208e2d4 |
| SHA512 | 4c9c043673b41471f9d82adfffb8687f635a71f548a83099c1ec8b5fca471d8031c019fef55e785fce00cd932404ac32067b359de6686eeb6fb45dd17033c90e |
C:\Users\Admin\AppData\Local\Temp\RESBBFE.tmp
| MD5 | 0b124dade9e75084daae37df6ee06f3d |
| SHA1 | 00ff5930e9687cd04440f0b6856252d5cfe96368 |
| SHA256 | 62e46dcf766497d28c9922677e10a84651cc35ebc119251e0ce0967b472f8d4e |
| SHA512 | a96337094d3158c5dd9cc969a986734450a678df99d764b0ae68fc4cac03b27ffabac07bb55764bd5284533411de0118b523938f2c235c06eedfd37e4baefe87 |
C:\Users\Admin\AppData\Local\Temp\ylfxn5bb.dll
| MD5 | ef703018ef9a8f27f44f264c299c9b63 |
| SHA1 | ec83a5d3c6b2017387ebfef8b804ed9a275d4070 |
| SHA256 | c2a9eed61cb12bf5ef8783c3892146a37b283f5c271445ef43e5e768431cb0b3 |
| SHA512 | eea179ccebd46b8bae8ad0f2834683326526b6a34eab35b84595096b439dc57cf50a7f48e128a400d45c00a44d6d5bfda1a9243a1d93c1b84c1a135ec99fb820 |
C:\Windows\Installer\MSIB2F4.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Windows\Installer\MSIB2F4.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\exoqjel7.cmdline
| MD5 | cf9e80ec80498d5c8111de8cbf240819 |
| SHA1 | 3974c9b3684e6ead4bacbb684ac0076f01a6d031 |
| SHA256 | 427859b705ff23b8bee6a051423e787f91881ab44a5ba6ca5380055ad59f9eae |
| SHA512 | 3f4bfd705283868e1083572a2ca55193bc261b34037eef8389ba4b74c155532221b7570e13c6df72fd1b69f7b11b6f095b88a2ba96975f49dcceb7ad13d6354c |
\??\c:\Users\Admin\AppData\Local\Temp\exoqjel7.0.cs
| MD5 | 14ac60821b7e9508914fdf584ef23f46 |
| SHA1 | 9bc6cb0f7ea31050962fe56398213a48c5097ffa |
| SHA256 | ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c |
| SHA512 | b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCBEFA.tmp
| MD5 | 290102e87145b9bb8b4f5093031fde82 |
| SHA1 | 33af3062b1c9d848ae2bfdce415bef6298dc0db8 |
| SHA256 | 95eaa770a2dadb2f5ceb0cec018bc7c63f137087ffd0664e1834f073a6dba2eb |
| SHA512 | c04bb433959f345ab5f60c2e25ca192e28fbd34550120728fed7fce0f3955b4ea98974901bf7a2ea115e994065def07a6da45e90d151076d329f43cb2d2d734e |
memory/5032-207-0x0000000003600000-0x0000000003610000-memory.dmp
C:\Windows\Installer\MSIC18D.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
memory/5032-371-0x0000000074F02000-0x0000000074F03000-memory.dmp
memory/5032-439-0x0000000074F00000-0x00000000754B1000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
| MD5 | 5719ee7f6521ae142f0557f0706cded1 |
| SHA1 | a1d5694197827967aea5b3ccc88e2f91d465c283 |
| SHA256 | 0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf |
| SHA512 | cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
| MD5 | 2768222689e3585d609b5a2afc1ba52c |
| SHA1 | ee522df6b2e365857bf6be58ac7150cbc71cfc9c |
| SHA256 | 21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0 |
| SHA512 | 56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
| MD5 | e6ab030a2d47b1306ad071cb3e011c1d |
| SHA1 | ed5f9a6503c39832e8b1339d5b16464c5d5a3f03 |
| SHA256 | 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c |
| SHA512 | 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163 |
memory/1572-1107-0x000001E370E00000-0x000001E370E26000-memory.dmp
memory/1572-1134-0x000001E370CE0000-0x000001E370D00000-memory.dmp
memory/1572-1231-0x00000000002D0000-0x00000000003B3000-memory.dmp
C:\Windows\assembly\tmp\DWNDXHTS\System.Data.SQLite.dll
| MD5 | c2e38bfe933c5bce36910fe1fb1d5067 |
| SHA1 | aac5ed2724e2f88c7af1a3bf56d73180ae709bb7 |
| SHA256 | 49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286 |
| SHA512 | 281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d |
C:\Windows\assembly\tmp\DX9SDBHF\Interop.SHDocVw.dll
| MD5 | 030a99f9594434ea83d27b33a95c4d5a |
| SHA1 | 230882058a1d50e4e8f7fa4bb3144dec506c5967 |
| SHA256 | 0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3 |
| SHA512 | 529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee |
C:\Config.Msi\e57ab47.rbs
| MD5 | 883e517da9460fe2817f73c876f548c0 |
| SHA1 | 834aba6f3847c238d017f36ec3b72dab3917b836 |
| SHA256 | a23cf4ea76d30b889675e3e6c9d8b576c4ca2f4b94af5e984d192a4ed8ed4bef |
| SHA512 | f8edd29d2a38b785c365d2f80be5059913c131a6312b780164d0255895876ad5e38e3fb6c2cc5caca7beec441211f2d2ab1fd955dadf28ae79d767c13bcef616 |
C:\Windows\Installer\MSID4A8.tmp-\srprl.dll
| MD5 | d8fa7df1f2cd92ad701bc23f86d89b54 |
| SHA1 | 72160fd5ad639c5a9c44305b06c98eb637399d18 |
| SHA256 | 475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4 |
| SHA512 | a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 5bfa51f3a417b98e7443eca90fc94703 |
| SHA1 | 8c015d80b8a23f780bdd215dc842b0f5551f63bd |
| SHA256 | bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128 |
| SHA512 | 4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399 |
C:\Users\Admin\AppData\Local\Smartbar\Application\duzu0mpz.newcfg
| MD5 | ec3f05ac2148162ddb052f23299b8ecb |
| SHA1 | 6ce68e94fb7df83ae34094a85abfefce8a3b8d79 |
| SHA256 | 449ab9dae5f16f9dc9e70e37930aeb4c78e057debbb8fe25fb5460a9666ec016 |
| SHA512 | d166cb06e095281a4a26bdb78e7752d8f9d0e408aa3048eea2294222aa0b7e901364ba377cfc353ada392693b15736c96267697dcabc745f2e4b3d539599b70a |
memory/1648-1387-0x000000001CAC0000-0x000000001CAD8000-memory.dmp
memory/1648-1395-0x000000001F1A0000-0x000000001F66E000-memory.dmp
memory/1648-1396-0x000000001DCD0000-0x000000001DD6C000-memory.dmp
memory/3892-1405-0x000000001C9B0000-0x000000001C9D6000-memory.dmp
memory/864-1413-0x000000001D0B0000-0x000000001D856000-memory.dmp
memory/864-1414-0x000000001D860000-0x000000001E006000-memory.dmp
memory/1556-1422-0x000000001D5F0000-0x000000001D616000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | 273fb49ea7d031fa69961d2b78039e74 |
| SHA1 | 822def11337cf6b5a4c5df0377ca6973c9c50978 |
| SHA256 | 80922c7f8bc4a91030a8c9a6b2168148a382e3f267d585b58161a45e04bedc99 |
| SHA512 | a714c082b9e7a772a0bd2c3bf4f437944d6cbd71b219c09f784d6ef46386f24b88275c5e24f46b52bcd16bd2dbddda0330ba9aca443e748845ce552f5f96b044 |
C:\Windows\Installer\MSID4A8.tmp-\Newtonsoft.Json.dll
| MD5 | 0e32f5229d5ee7d288b6b3969a51fcbc |
| SHA1 | 54c09f07930525786fcf08b9c7aca24185a68fc1 |
| SHA256 | e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8 |
| SHA512 | 64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0
| MD5 | 2ca1131f56658cc0fbf6c6bfd07996a7 |
| SHA1 | 92975d39d4612012a560fc04406514cddd3dcab6 |
| SHA256 | 639e4feb12bc9ebd0db96bfa491fb038e6e2ed9632014c971b7c4905e8b8aa87 |
| SHA512 | 56276c8cecc6b9ab0f48a6a13e42883aa056d4dd088644b197ee5337a9b9920a8d5590a2be1accdd23356e706fb7e0e2f0e10e7d2773e49181965585f7447043 |
C:\Windows\Installer\MSID4A8.tmp-\Interop.NetFwTypeLib.dll
| MD5 | a084b0c082ec6c9525336b131aeba39a |
| SHA1 | 45db1f5cc54a033e5df460b93edaa5d23a39ced9 |
| SHA256 | 7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d |
| SHA512 | 297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
| MD5 | ba935ac68f82582a26ecfa6d5be3d055 |
| SHA1 | dda9b76075d7db0f1ff138e772bbcee8ded673eb |
| SHA256 | 89596c8f3f6c371df6f6a4231c561eb1d2954f7a4af6eb816c2aedfaf580c98b |
| SHA512 | ddfcfd709c7e39ec9e5ff7fe0faed7bf0668929621fa3d516577a08cbec529ceb9b2f309a57a8858579c472601064b275dd4e3b069175c0f5376979f2c4b8f91 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\kau0rng2.newcfg
| MD5 | 40ee820a0cd0c57f8ac53b7a2f9437c3 |
| SHA1 | 7c1342b8bc37988c8358a9a35695b5e6e86b8231 |
| SHA256 | 4d9b1ce2d53387338db88c5a612fffee4bf0922fec97b8d5aa7892dfce94f386 |
| SHA512 | 06c825db5c6d4969cd294b18ff6ced94c2fa19c73ca03a3bc8ad21b58a553a16e21b89a00a399187ecc1dbab469ff22d6364870639a602928f8c905dd6967dc3 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\u6lgapzf.newcfg
| MD5 | 94cffce20b520d91e771cc280928311b |
| SHA1 | a3022a3598e64c29f2994b9461f1e40e2319036a |
| SHA256 | d00c155181f6e79878a291da5cef209e5da9bdc628cc4c59bb8c9ea8d642cd29 |
| SHA512 | 8ca9dbd787c850be0d8d8b6da31f3ee1d6595954240e2f4c873c34dc75be779f2e4caeb2b46e0eb9432749c58148f0d5915b5fce10815fe1593c16162a53ac42 |
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
| MD5 | 7050d5ae8acfbe560fa11073fef8185d |
| SHA1 | 5bc38e77ff06785fe0aec5a345c4ccd15752560e |
| SHA256 | cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b |
| SHA512 | a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b |
memory/5032-1849-0x0000000074F00000-0x00000000754B1000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-01 21:36
Reported
2024-12-01 21:38
Platform
win7-20240903-en
Max time kernel
149s
Max time network
133s
Command Line
Signatures
Panda Stealer payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
PandaStealer
Pandastealer family
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\f76e80e.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Smartbar.Resources.SocialNetsSharer.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\V8OM4YZZ\System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76e813.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\MACTrackBarLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\sipb.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\srut.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\f76e811.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\assembly\tmp\8083H9C7\__AssemblyInfo__.ini | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIEC60.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICC.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF02.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchUrl | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\USER PREFERENCES | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Search | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies Internet Explorer start page
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate={installDate}" | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate=01/12/2024" | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F269-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F279-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLRenderStyleClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F48A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\1.0.0.0\Class = "IESmartBar.DockingPanel" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{85C95AA9-39F2-311E-86C0-D2610A00A85B} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{FECEAAA6-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F7EF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLPhraseElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C8872B56-D98C-3C12-B8A9-9F81495D11D3}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\Class = "IESmartBar.IESmartBar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BD3026D1-A1C0-386F-B46F-71131FA56E4B}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{794D9F34-06BA-3B05-8C7C-C62CA154BE00}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5E8433C3-CEE5-399A-883B-0FBB33FA9689} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLGenericElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E296BC2D-5A31-3831-BDAB-2F2D2F05CB8B}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{46B186E7-5F33-3B60-8B70-9D95A04C1A59}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F241-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5D8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLInputElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5D8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F271-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLMapElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9CA2452F-D24B-374F-A6AB-9334BE066F08}\7.0.3300.0\Class = "mshtml._HTMLDlgBorder" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D48A6EC6-6A4A-11CF-94A7-444553540000} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{79CD6E7C-63CA-39D8-B871-342E17329B46}\7.0.3300.0\Class = "mshtml._styleStyleFloat" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F280-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLBRElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F41E6981-28E5-11D0-82B4-00A0C90C29C5}\1.1.0.0\Assembly = "Interop.SHDocVw, Version=1.1.0.0, Culture=neutral, PublicKeyToken=84542ff99aed6a4d" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\ProgId | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\InprocServer32\Class = "IESmartBar.DockingPanel" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0D4F52BA-91D9-3585-B305-F8AAF0B1DBAC}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F252-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F283-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{FD436F4D-7C7B-32A4-A6B4-97DDDBB938D1}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2BE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{80A7F279-4C73-3BED-B5BD-0AF6F30E0639}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2009AF2F-5786-3067-8799-B97F7832FDD6} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D3AE66DB-BEAE-3AAB-8FDD-28E7E2469120}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F268-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLUnknownElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A6ED066F-77B0-37F9-A6E6-1FE856A9293C}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2AE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C550EBDA-A045-36DA-AFB8-8A96C202334A}\7.0.3300.0\Class = "mshtml._htmlMarqueeDirection" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F24D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLOptionElementClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F48A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.CEventObjClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A66A524B-DE26-335C-BBCD-86250806FAD3}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9CBDDE76-4C5D-3B59-A31F-45B59186510A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4E5C10BC-5FF5-35F5-A45C-078544CA9D7D}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F630-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTCMethodBehaviorClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{794D9F34-06BA-3B05-8C7C-C62CA154BE00} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F28C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F31A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLFrameSetSiteClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F37F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetsCollectionClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3FF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F35D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D48A6EC6-6A4A-11CF-94A7-444553540000}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F25D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLEmbedClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
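The "Modifies Internet Explorer settings", "Modifies Internet Explorer start page" and "Modifies registry class" tables above, together with the AuthRoot thumbprints in the "Modifies system certificate store" table further down, are the persistent artifacts this sample leaves on a host. The script below is an added example, not part of the sandbox report and not code from the sample: a read-only PowerShell hunt that checks a live Windows host for exactly those artifacts. The search-scope GUID, the Smartbar CLSID, the feed.snapdo.com host and the two thumbprints are copied from the rows on this page; the helper names Add-Finding and Get-RegValues are this example's own. The report's \REGISTRY\USER\<SID> paths are checked through HKCU:, so it covers the logged-on user only; the \REGISTRY\MACHINE\...\Wow6432Node paths are checked alongside the native view because the 32-bit rundll32.exe and RegAsm.exe wrote the former while the Framework64 RegAsm.exe wrote the latter.

```powershell
# Added example, not part of the sandbox report. Read-only hunt for the registry
# artifacts recorded in the tables above. IOC values come from the report rows;
# Add-Finding / Get-RegValues are this example's own helpers. Run in an elevated
# PowerShell. HKCU: covers the logged-on user only; load other users' hives
# (reg load HKU\<name> <path>\NTUSER.DAT) for a full sweep.

$Findings = [System.Collections.Generic.List[object]]::new()

function Add-Finding {
    param([string]$Category, [string]$Path, [string]$Name, $Value)
    $Findings.Add([pscustomobject]@{ Category = $Category; Path = $Path; Name = $Name; Value = $Value })
}

# Values of one key as (Name, Value) pairs; nothing when the key does not exist.
function Get-RegValues {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    (Get-ItemProperty -LiteralPath $Path).PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }
}

# 1. IE search / start page values that point at the hijack host.
$HijackHost = 'feed\.snapdo\.com'
$IeKeys = @(
    'HKCU:\Software\Microsoft\Internet Explorer\Main',
    'HKCU:\Software\Microsoft\Internet Explorer\Search',
    'HKCU:\Software\Microsoft\Internet Explorer\SearchUrl',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl'
)
foreach ($key in $IeKeys) {
    foreach ($v in Get-RegValues $key) {
        if ($v.Value -is [string] -and $v.Value -match $HijackHost) {
            Add-Finding 'IE search/start page hijack' $key $v.Name $v.Value
        }
    }
}

# 2. The injected search scope and DefaultScope redirected to it (user hive plus the
#    32-bit HKLM view the SysWOW64 rundll32.exe wrote).
$ScopeGuid = '{006ee092-9658-4fd6-bd8e-a21a348e59f5}'
foreach ($root in 'HKCU:\Software\Microsoft\Internet Explorer\SearchScopes',
                  'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes') {
    $default = (Get-RegValues $root | Where-Object Name -eq 'DefaultScope').Value
    if ($default -eq $ScopeGuid) { Add-Finding 'DefaultScope redirected' $root 'DefaultScope' $default }
    $scopeKey = Join-Path $root $ScopeGuid
    $url = (Get-RegValues $scopeKey | Where-Object Name -eq 'URL').Value
    if ($url) { Add-Finding 'Rogue search scope' $scopeKey 'URL' $url }
}

# 3. Smartbar toolbar registration (32-bit and 64-bit RegAsm each wrote one view) and
#    the managed COM server RegAsm registered behind the CLSID (Class / Assembly values).
$SmartbarClsid = '{AE07101B-46D4-4A98-AF68-0333EA26E113}'
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Toolbar',
                 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar') {
    $v = Get-RegValues $key | Where-Object { $_.Name -ieq $SmartbarClsid }
    if ($v) { Add-Finding 'IE toolbar registration' $key $v.Name $v.Value }
}
foreach ($key in "HKLM:\SOFTWARE\Classes\CLSID\$SmartbarClsid\InprocServer32",
                 "HKLM:\SOFTWARE\Classes\Wow6432Node\CLSID\$SmartbarClsid\InprocServer32") {
    if (Test-Path -LiteralPath $key) {
        $vals = Get-RegValues $key
        $cls  = ($vals | Where-Object Name -eq 'Class').Value
        $asm  = ($vals | Where-Object Name -eq 'Assembly').Value
        Add-Finding 'Managed COM server (RegAsm)' $key 'Class / Assembly' "$cls / $asm"
    }
}

# 4. Browser-emulation override (9999 = IE9 document mode) for the WebBrowser control
#    hosted by Smartbar.exe.
$FbeKey = 'HKCU:\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION'
$fbe = (Get-RegValues $FbeKey | Where-Object Name -eq 'Smartbar.exe').Value
if ($null -ne $fbe) { Add-Finding 'FEATURE_BROWSER_EMULATION' $FbeKey 'Smartbar.exe' $fbe }

# 5. AuthRoot entries the report attributes to rundll32.exe and Smartbar.exe. Resolve
#    each thumbprint to its certificate so the Subject can be judged: a public root
#    here means CryptoAPI's automatic root update ran, not that a rogue CA was added.
foreach ($thumb in 'E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46', '4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5') {
    $cert = Get-ChildItem -Path "Cert:\LocalMachine\AuthRoot\$thumb" -ErrorAction SilentlyContinue
    if ($cert) { Add-Finding 'AuthRoot certificate present' "Cert:\LocalMachine\AuthRoot\$thumb" 'Subject' $cert.Subject }
}

$Findings | Format-Table -AutoSize
```

An empty result on a clean host is expected: the script only reports values that match the report's indicators, and the AuthRoot entries are reported with their Subject so that a known public root is not mistaken for an attacker-installed CA. Matching on the feed.snapdo.com host rather than the full URL catches the per-install variants visible above (the userid, co= and installDate= parameters differ between the Installer.exe and rundll32.exe writes).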
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe
"C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe"
C:\Users\Admin\AppData\Local\Temp\Installer.exe
C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:d13811c3-be3c-f963-4eca-e759baed3971
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 312942498176D9E12E51545168B13FA4
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIEC60.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259452095 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lxkf4fb1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF068.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF067.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aexdekn9.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF43F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF43E.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSICC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259457321 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIF02.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259460956 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wgmfshvr.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1076.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1075.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ji5tbzlw.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC10D2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vmghv7vc.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36BB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC36BA.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jsqfujlu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3812.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3811.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lmjk1bs3.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38EC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38EB.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqcx3cew.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3998.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3997.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fts9f6hj.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A82.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A81.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gahgwzqf.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AFF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3AFE.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kzkddsyk.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B5C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3B5B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hxqkhtg1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3C46.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3C45.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t8ekcire.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3CE2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3CD2.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qqjsi8zm.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3D21.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3D20.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kfloighy.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4B92.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4B91.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7lgqch3_.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4FC6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4FC5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uz3pljrx.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES52D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC52D1.tmp"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.31.180:80 | feed.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww7.snapdo.com | udp |
| US | 199.59.243.227:80 | ww7.snapdo.com | tcp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | install.outbrowse.com | udp |
| US | 13.248.169.48:80 | install.outbrowse.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
Files
\Users\Admin\AppData\Local\Temp\nsdD4EC.tmp\Registry.dll
| MD5 | 2b7007ed0262ca02ef69d8990815cbeb |
| SHA1 | 2eabe4f755213666dbbbde024a5235ddde02b47f |
| SHA256 | 0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d |
| SHA512 | aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca |
\Users\Admin\AppData\Local\Temp\Installer.exe
| MD5 | 564e47a3604ced3b7c18e43250226cd7 |
| SHA1 | a3eef8fac3617d048fb9fce2201937297e3920f1 |
| SHA256 | 12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83 |
| SHA512 | e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf |
\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/2256-27-0x0000000000BB0000-0x0000000000BF0000-memory.dmp
memory/2256-28-0x0000000074711000-0x0000000074712000-memory.dmp
memory/2256-32-0x0000000074710000-0x0000000074CBB000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Users\Admin\AppData\Local\Temp\CabE8FA.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\TarE96A.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Windows\Installer\MSIEC60.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
\Windows\Installer\MSIEC60.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
\Windows\Installer\MSIEC60.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
\Windows\Installer\MSIEC60.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
\Windows\Installer\MSIEC60.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
\Windows\Installer\MSIEC60.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
\Windows\Installer\MSIEC60.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
\Windows\Installer\MSIEC60.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
\Windows\Installer\MSIEC60.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
\Windows\Installer\MSIEC60.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
\Windows\Installer\MSIEC60.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\lxkf4fb1.cmdline
| MD5 | fcd10508a51d1683fcd8a367a551862f |
| SHA1 | 67af011b5f4c8c6d82ed106c5efab61eb4cea52e |
| SHA256 | 0ca6d714319f5da0f2ad82ff93211575a2bf28ad9e21adfd7992a8e00b09c620 |
| SHA512 | eb685e7ad3ff72cdcad4a0709ecc6a4d4f5e1ed0c19a130fca1d78293af5f41674383d5d44f62d4ce63bbbe72cd48629048f6804c8d717be29b56ea4641150b6 |
\??\c:\Users\Admin\AppData\Local\Temp\lxkf4fb1.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCF067.tmp
| MD5 | f2aa439797e456874e412c2ec77e1244 |
| SHA1 | 8dfee96d1ffa2088f899082b3a5ed166f54ddf26 |
| SHA256 | 93be8c92a51949b7474435e714b86f73e46f48ddf5ce3719ad4313b649001de6 |
| SHA512 | 2eeeec0e688de2f5240045d9ad28cbcc267f60488f21816fcb9553435e620ef2fa0fbc129adffc9fb14a78c06a75eda14212ca70dd8ef24fe5d380a74959c9fa |
C:\Users\Admin\AppData\Local\Temp\RESF068.tmp
| MD5 | e71edb2849359939f12d283f3e199037 |
| SHA1 | 928af6910fbb4711bb07ea7a7b98a1bd9202ebe0 |
| SHA256 | bb330c1a69e4381b92e0090b7212015183064e4d217bdf77afa3502839630437 |
| SHA512 | b71d1f6735263740442fa6083c71c3f329a485ec96a3361df9a227918327c5f045e66683bd63fd7b7880cb5150e0d5a90388194defbe3fa1c36b3cd6e6138d61 |
C:\Users\Admin\AppData\Local\Temp\lxkf4fb1.dll
| MD5 | 60aaac7db7900dc6aee6d454213b2347 |
| SHA1 | 7ebc273c8647cab85a4421a3e45392b2708fa09b |
| SHA256 | fb4c28da43805ca24f8fa55914cc9e277cef34f81293aa53f17e3567b9597bb9 |
| SHA512 | 1842ef90755c4578cb6f990125b152d0a787a84b6df729d6521c4ebdf10564c8fbe5b4be8f95483328b0cb2d09911819e04b95d0be92c8fbc964f0ee4d09cae0 |
\Windows\Installer\MSIEC60.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 6a7b6c8bce6514092e690248dbab9f1b |
| SHA1 | 41f5730e2804c5d81c08b489043221d6598b292e |
| SHA256 | 076c7513a5b3bcbbbae5d778b1bc46747e4ae5c589a106790b1a26fdc2943af9 |
| SHA512 | bc0b0d044caf2748001dcbf6e6e8e54b10c0a2140948787b300c91729738ebfe09614db816e447533a61e1a6484e60eb935cdd79792504de7e0811a416ed8050 |
\Windows\Installer\MSIEC60.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\aexdekn9.cmdline
| MD5 | 36870e14af97646dd1dbd5571f975dc2 |
| SHA1 | 27e4fe3e442abb9416b95e88bf69c0ceb68f38b4 |
| SHA256 | 63aab97fc893372f6c0a6cad329cd429f60000c7be0441d2835ce61dc0cfef69 |
| SHA512 | 6fbde75e809ba3a3695955aa0cce75b0614e9966417a980b917c87ba41ea7d124dee45355584dd76d0e9a36c7c8d7d9a25625fbede27b611a236aebc3793c9dd |
\??\c:\Users\Admin\AppData\Local\Temp\aexdekn9.0.cs
| MD5 | 14ac60821b7e9508914fdf584ef23f46 |
| SHA1 | 9bc6cb0f7ea31050962fe56398213a48c5097ffa |
| SHA256 | ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c |
| SHA512 | b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCF43E.tmp
| MD5 | b1a8d9bf4d444b5a758e52b99d267864 |
| SHA1 | 09bc77cf0e18b18b05597aa174bb4b8d28297ca0 |
| SHA256 | c74d1890a0a9fab6dd9cd0cfe0728f31972b9d9d54e4772d6a36ba9750752554 |
| SHA512 | 2bf49bcc072af0f47aad053a5897a3ea1cc8b5708b53351af33f5366bd3b164941be0492e9813c8e011216f9b398c8abe4702534286909548cf32d0b68671c47 |
C:\Users\Admin\AppData\Local\Temp\RESF43F.tmp
| MD5 | aef1d00d2999220bebebe0c8368a34da |
| SHA1 | 72b79491afefd374ee5a78cefb6959f3f5732be3 |
| SHA256 | 32acb2fb9ec099285879faea025ec616fb2cba5f5eb0a5b105e459404761926a |
| SHA512 | 2f7ee08e36569a1957cd1de88c71e77c8bd65b406c27961982f31dbe27a1f605971ffffaa2f861ef04339b05b6b68961fab0af5a6e12dc35899bf712abb92166 |
C:\Users\Admin\AppData\Local\Temp\aexdekn9.dll
| MD5 | bd4a4779672c012bfff5ff5832b611fe |
| SHA1 | 28360f99d2a937e2dcb8a50cb08c374f10b6f737 |
| SHA256 | 12e86b01a43c43c4d621b3dc9c393068d52e14cf58811635fba9ecb15d6359f0 |
| SHA512 | 3d9340805d2dd94d629dbcce3e18ae622e0b9f8e2f095e7b3e854a0c314b3ee50e43171e3b59a1433aed1dc7c54e70ce7c757047d5f148ff4daba57b5eba9ea6 |
memory/2256-260-0x0000000000BB0000-0x0000000000BF0000-memory.dmp
C:\Windows\Installer\MSICC.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
| MD5 | b56c7b78b5cefef839723ad27e65b11f |
| SHA1 | 7b5fdc146dbfef9f85f3e44bc64a79a8b2d2b336 |
| SHA256 | 5321b0bf285df45121f78e61ea40a93db528ce574643689cb45271b5f067cbc6 |
| SHA512 | ab3b0ba81051e8366ad1b8400116cb3d3dfa022ee3caf8c0f7f708666059104842b5daf4c28f8fa68b6c3622755c79d11926ef00d26ebe34a89db8b4fffcdec9 |
memory/2256-424-0x0000000074710000-0x0000000074CBB000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
C:\Windows\assembly\tmp\V8OM4YZZ\System.Data.SQLite.dll
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
C:\Windows\assembly\tmp\XI06K0HH\Interop.SHDocVw.dll
C:\Config.Msi\f76e812.rbs
C:\Windows\Installer\MSIF02.tmp-\srprl.dll
C:\Users\Admin\AppData\Local\Smartbar\Application\vrmerisy.newcfg
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
C:\Windows\Installer\MSIF02.tmp-\Newtonsoft.Json.dll
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
C:\Windows\Installer\MSIF02.tmp-\srsl.dll
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
C:\Windows\Installer\MSIF02.tmp-\Interop.NetFwTypeLib.dll
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\fuvk-ulr.newcfg
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\qscpe8-p.newcfg
C:\Users\Admin\AppData\Local\Temp\nsdD4EC.tmp\Ping.dll
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-01 21:36
Reported
2024-12-01 21:38
Platform
win7-20241010-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 352 -s 220
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-12-01 21:36
Reported
2024-12-01 21:39
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
159s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\system32\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3208 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3208 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3208 wrote to memory of 3388 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Ping.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3388 -ip 3388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 608
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-12-01 21:36
Reported
2024-12-01 21:38
Platform
win10v2004-20241007-en
Max time kernel
95s
Max time network
147s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2992 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2992 wrote to memory of 2152 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\Registry.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2152 -ip 2152
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2152 -s 612
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-12-01 21:36
Reported
2024-12-01 21:38
Platform
win7-20240903-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Event Triggered Execution: Component Object Model Hijacking
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup" | C:\Windows\system32\msiexec.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates connected drives
Installs/modifies Browser Helper Object
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\srns.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Smartbar.Infrastructure.Utilities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Smartbar.Personalization.Common.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\spusm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\srpu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\CustomAction.config | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\srpdm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\GACLock.dat | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Newtonsoft.Json.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Microsoft.Deployment.WindowsInstaller.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\siem.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Microsoft.Practices.ObjectBuilder.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\sppsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\srsl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Smartbar.Resources.LanguageSettings.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\spsm.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\srsbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\MLNYP096\Microsoft.VisualStudio.OLE.Interop.dll | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\srbs.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\srus.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\RegAsm.exe | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\srprl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Smartbar.GUI.Controls.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\Interop.NetFwTypeLib.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Smartbar.Infrastructure.BusinessEntities.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\assembly\tmp\JEB7NEML\System.Data.SQLite.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\Smartbar.GUI.Docking.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\srbhu.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\sismlp.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File created | C:\Windows\Installer\f7695f9.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9941.tmp-\spbe.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\spbl.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB03D.tmp-\Smartbar.Resources.LanguageSettings.resources.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIBB09.tmp-\Smartbar.Installer.CustomActions.dll | C:\Windows\SysWOW64\rundll32.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Installer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113} | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000" | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\MAO Settings | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl | C:\Windows\SysWOW64\rundll32.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BFEDF92D-C312-3962-BD20-75FCA98DA96C}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B272899F-EB7C-3093-A531-BA9F69B31CEE}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{65507BE0-91A8-11D3-A845-009027220E6D}\1.1.0.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3D0-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2AE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F312-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{E683717D-A679-364D-BFFC-FD1EB7F22DBB}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{2BDB5CBB-72A0-3779-B85A-B00325551F92}\7.0.3300.0\Class = "mshtml._styleLayoutGridChar" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLHistoryClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\InprocServer32\1.0.0.0\Class = "IESmartBar.BHO" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11DB2688-F17D-3058-A5A7-9108BB274DDE}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C550EBDA-A045-36DA-AFB8-8A96C202334A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F278-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A6486D32-AB0E-3DAE-AF89-97CF6D371FE3} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A6ED066F-77B0-37F9-A6E6-1FE856A9293C} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2C4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F27F-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F48A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\1.0.0.0\Class = "IESmartBar.SmartbarDisplayState" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CD92622E-49B9-33B7-98D1-EC51049457D7}\ = "IESmartBar.DockingPanel" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F283-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F249-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C463D792-22F0-3935-ACE7-0894467F0B64}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11DB2688-F17D-3058-A5A7-9108BB274DDE}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F4FC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTCDefaultDispatchClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{452C059D-B6E5-3DE2-930E-7FFE6EB6964D} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6E7B0F28-0DDC-3AFF-A175-CD28A181C7EC}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{CCB08265-B35D-30B2-A6AF-6986CA957358}\ProgId\ = "IESmartBar.SmartbarMenuForm" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{ED785CBD-B02D-3BFC-8FBF-4CDC702AF748}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E041E037-FA4B-364A-B440-7A1051EA0301}\InprocServer32\Assembly = "SmartbarInternetExplorerExtension, Version=1.0.0.0, Culture=neutral, PublicKeyToken=64637c62d0471340" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F80E-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FECEAAA3-8405-11CF-8BA1-00AA00476DA6}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\CodeBase = "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EDC20047-2388-3184-B6DD-B543825CA72A}\7.0.3300.0\Class = "mshtml._htmlMarqueeBehavior" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F27D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDListElementClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F28C-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F32B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\Implemented Categories\{00021494-0000-0000-C000-000000000046} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3CD-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLStyleSheetRulesCollectionClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F38B-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{11DB2688-F17D-3058-A5A7-9108BB274DDE}\7.0.3300.0\Class = "mshtml._styleBool" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D9FB2625-1C86-34B2-BF13-E4BBF98C23E9} | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F26D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{3BBE5145-9284-3874-A8B3-8E6B7E0DC27F}\7.0.3300.0 | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4BAA75B0-E612-3B18-96D7-7B069AFFF5A9}\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F5EB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4B2-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLDOMAttributeClass" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3D0-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLRuleStyleClass" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2DF-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F280-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F491-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0 | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F5DD-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F7F1-98B5-11CF-BB82-00AA00BDCE0B} | C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 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 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 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 | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5 | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
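The registry rows in the three tables above are the actionable part of this report. A user-profile executable (Smartbar.exe) and rundll32.exe write certificate blobs under HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates, which makes the two thumbprints trusted roots for every account on the machine; RegAsm.exe registers IESmartBar COM classes whose CodeBase points into %LOCALAPPDATA%; and the Internet Explorer Toolbar and FEATURE_BROWSER_EMULATION entries wire that extension into the browser. The Python below is an added example, not part of the sandbox report and not code from Smartbar/Linkury: rule logic over records with Sysmon Event ID 13 (RegistryEvent SetValue) field names. The sample events are constructed from the report's rows; the user-writable prefixes, the proxy-binary set and the rule names are assumptions to tune locally.

```python
"""Rules for the registry changes recorded above: AuthRoot certificate
injection, IE toolbar registration, a COM server whose CodeBase points into
a user profile, and a FEATURE_BROWSER_EMULATION override.  Input records
use Sysmon Event ID 13 (RegistryEvent SetValue) field names; SAMPLE_EVENTS
is constructed from the report's rows, not captured from a live host."""
from __future__ import annotations
import re

# Thumbprints written to AuthRoot in this detonation (from the report).
REPORTED_AUTHROOT_THUMBPRINTS = {
    "4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5",
    "E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46",
}

AUTHROOT_RE = re.compile(
    r"\\SystemCertificates\\AuthRoot\\Certificates\\([0-9A-Fa-f]{40})\\Blob$")
IE_TOOLBAR_RE = re.compile(
    r"\\Microsoft\\Internet Explorer\\Toolbar\\(\{[0-9A-Fa-f-]{36}\})$")
CODEBASE_RE = re.compile(
    r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\InprocServer32\\CodeBase$")
BROWSER_EMULATION_RE = re.compile(
    r"\\FeatureControl\\FEATURE_BROWSER_EMULATION\\([^\\]+)$")

# Assumption: nothing running from these locations should touch the machine
# root store or register machine-wide COM servers; tune for your environment.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "file:///c:/users/")
# Assumption: proxy binaries through which installers perform the same writes.
PROXY_BINARIES = {"rundll32.exe", "regsvr32.exe", "mshta.exe"}


def _image_is_suspect(image: str) -> bool:
    image = image.lower()
    return (image.startswith(USER_WRITABLE_PREFIXES)
            or image.rsplit("\\", 1)[-1] in PROXY_BINARIES)


def check_event(event: dict) -> list[tuple[str, str]]:
    """Return (rule, detail) findings for one registry SetValue event."""
    target = event.get("TargetObject", "")
    details = str(event.get("Details", ""))
    image = event.get("Image", "")
    findings: list[tuple[str, str]] = []

    # Root-store write by something that has no business doing it.
    if (m := AUTHROOT_RE.search(target)) and _image_is_suspect(image):
        thumb = m.group(1).upper()
        status = "reported" if thumb in REPORTED_AUTHROOT_THUMBPRINTS else "unknown"
        findings.append(("authroot_write", f"{thumb} ({status}) by {image}"))

    # Any toolbar registration is worth a look on a managed fleet.
    if m := IE_TOOLBAR_RE.search(target):
        findings.append(("ie_toolbar_registration", f"{m.group(1).lower()} = {details!r}"))

    # Machine-wide COM class whose managed assembly lives in a user profile.
    if (m := CODEBASE_RE.search(target)) and details.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append(("com_codebase_in_user_profile", f"{m.group(1).upper()} -> {details}"))

    # Per-executable document-mode override for an IE host process.
    if m := BROWSER_EMULATION_RE.search(target):
        findings.append(("browser_emulation_override", f"{m.group(1)} = {details}"))

    return findings


def scan(events) -> dict[str, list[str]]:
    """Group findings by rule name across a stream of events."""
    out: dict[str, list[str]] = {}
    for ev in events:
        for rule, detail in check_event(ev):
            out.setdefault(rule, []).append(detail)
    return out


# Constructed from the report's rows; Details values are illustrative.
SAMPLE_EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob",
     "Details": "Binary Data",
     "Image": r"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob",
     "Details": "Binary Data",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113}",
     "Details": "Smartbar",
     "Image": r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"},
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32\CodeBase",
     "Details": "file:///C:/Users/Admin/AppData/Local/Smartbar/Application/SmartbarInternetExplorerExtension.DLL",
     "Image": r"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe"},
    {"TargetObject": r"HKU\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe",
     "Details": "9999",
     "Image": r"C:\Windows\SysWOW64\rundll32.exe"},
    # Control: a system binary writing AuthRoot does not fire the first rule.
    {"TargetObject": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0000000000000000000000000000000000000000\Blob",
     "Details": "Binary Data",
     "Image": r"C:\Windows\System32\svchost.exe"},
]

if __name__ == "__main__":
    for rule, hits in scan(SAMPLE_EVENTS).items():
        print(rule, hits)
```

The AuthRoot rule deliberately keys on who writes rather than on the two thumbprints alone: the thumbprints are useful for confirming this sample, but the next build of the same installer will carry a different certificate, and any write to the machine root store from a user-profile path or from rundll32.exe deserves a ticket regardless.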
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Installer.exe
"C:\Users\Admin\AppData\Local\Temp\Installer.exe"
C:\Windows\SysWOW64\taskkill.exe
taskkill /F /IM msiexec.exe
C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2EF10527F8DB86DF5E27A0A86EDD514B
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI9941.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259430817 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfsesps-.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA111.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA110.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vrwf95lg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3CE.tmp"
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIB03D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259436635 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBB09.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259439412 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h0frdzwg.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC2E.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n27g_y7w.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC8C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC8B.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
"C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
"C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bn9thfux.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD65.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD64.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zzmjqj8.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE20.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE1F.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52kpoxfl.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE6E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE6D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymqkszgi.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDECC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDECB.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvjbn8g1.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDF57.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9v9k2rda.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFB6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDFA5.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ybwme36t.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE013.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE012.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvfc7nwu.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0AF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE0AE.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xpp24ome.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE14B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE14A.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytmrarfa.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE429.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE428.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g09m7jma.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF8E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEF8D.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52qv4qxe.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2E8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF2E7.tmp"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0800jkit.cmdline"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF50A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF509.tmp"
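The repeated csc.exe / cvtres.exe pairs above are the footprint of .NET CodeDOM compilation at runtime: a short-lived `*.cmdline` response file in the user's Temp directory, a `CSC*.tmp` source/resource file, and a `RES*.tmp` resource object written by cvtres.exe. The following is an added example, not part of this report or of the sandbox's own tooling, that turns that pattern into detection logic and runs it over command lines copied from the process list above, plus two hypothetical benign build invocations (constructed here for contrast, not taken from the report). The `/OUT:` and `@response-file` parsing relies only on the argument forms visible above; the "compile burst" threshold of three is an assumption chosen to match the sequence seen in this trace. Note the caveat: PowerShell `Add-Type` and other legitimate CodeDOM users produce the same csc.exe/cvtres.exe pattern, so this is a hunting signal to pivot on (parent process, frequency, what the resulting DLL does), not a verdict on its own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample input. The first six lines are copied verbatim from the
# process list in this report; the last two are hypothetical benign invocations
# added for contrast and are NOT from the report.
SAMPLE_CMDLINES: List[str] = [
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvjbn8g1.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDF57.tmp"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9v9k2rda.cmdline"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ybwme36t.cmdline"',
    r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvfc7nwu.cmdline"',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0AF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE0AE.tmp"',
    # Hypothetical benign lines (assumption): a normal build compiling from a project directory.
    r'"C:\Program Files (x86)\MSBuild\14.0\Bin\csc.exe" /noconfig /nowarn:1701,1702 /out:obj\Release\App.dll App.cs',
    r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\build\App.res" "C:\build\App.rc"',
]

TEMP_DIR = re.compile(r'\\AppData\\Local\\Temp\\', re.IGNORECASE)
CSC_EXE = re.compile(r'\\csc\.exe"?(?:\s|$)', re.IGNORECASE)
CVTRES_EXE = re.compile(r'\\cvtres\.exe"?(?:\s|$)', re.IGNORECASE)
# csc.exe reads its arguments from an @response file; the report shows them as @"<path>.cmdline".
RESPONSE_FILE = re.compile(r'@"?(?P<path>[^"\s]+\.cmdline)"?', re.IGNORECASE)
# cvtres.exe output is given as "/OUT:<path>" (quotes wrap the whole argument in the report).
OUT_ARG = re.compile(r'"?/OUT:(?P<path>[^"\s]+)"?', re.IGNORECASE)
# CodeDOM temp names are eight characters from [a-z0-9_-], e.g. nvjbn8g1 or tfsesps- above.
RANDOM_STEM = re.compile(r'^[a-z0-9_-]{8}$')


def basename(path: str) -> str:
    """Last path component, tolerating either separator."""
    return path.replace('/', '\\').rsplit('\\', 1)[-1]


def classify(cmdline: str) -> Optional[Dict[str, str]]:
    """Return a finding for one process command line, or None if it looks like a normal build."""
    if CSC_EXE.search(cmdline):
        m = RESPONSE_FILE.search(cmdline)
        if not (m and TEMP_DIR.search(m.group('path'))):
            return None  # compiling from a project directory, not from %TEMP%
        stem = basename(m.group('path')).rsplit('.', 1)[0]
        reason = 'csc.exe compiling an @response file from %TEMP%'
        if RANDOM_STEM.match(stem):
            reason += ' with a CodeDOM-style random name'
        return {'tool': 'csc.exe', 'artifact': m.group('path'), 'reason': reason}
    if CVTRES_EXE.search(cmdline):
        m = OUT_ARG.search(cmdline)
        if not m:
            return None
        out = m.group('path')
        if TEMP_DIR.search(out) and basename(out).upper().startswith('RES') and out.lower().endswith('.tmp'):
            return {'tool': 'cvtres.exe', 'artifact': out,
                    'reason': 'cvtres.exe writing a RES*.tmp resource object into %TEMP%'}
        return None
    return None


def triage(cmdlines: List[str]) -> List[Dict[str, str]]:
    """Run classify() over a list of command lines and keep the hits."""
    return [f for f in (classify(c) for c in cmdlines) if f]


def is_compile_burst(findings: List[Dict[str, str]], threshold: int = 3) -> bool:
    """Several %TEMP% compiles in one trace is the runtime-compilation pattern seen in this report.
    The threshold is an assumption; tune it against your own baseline of Add-Type / CodeDOM use."""
    return sum(1 for f in findings if f['tool'] == 'csc.exe') >= threshold


if __name__ == '__main__':
    hits = triage(SAMPLE_CMDLINES)
    for h in hits:
        print(f"{h['tool']:<11} {h['reason']}: {h['artifact']}")
    print('runtime-compilation burst:', is_compile_burst(hits))
```

Run on the sample, the six report lines are flagged and the two hypothetical build lines are not; the burst check fires because four csc.exe temp compiles appear in one trace. In a real pipeline, feed it process-creation events (Sysmon Event ID 1 or EDR telemetry) and group by parent process: csc.exe spawned by an installer or by an NSIS-dropped executable, as here, is a much stronger signal than the same command line under devenv.exe or msbuild.exe.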
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cloud-search.linkury.com | udp |
| US | 167.71.184.143:80 | cloud-search.linkury.com | tcp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.146:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | cloud-search.snapdoapp.com | udp |
| US | 8.8.8.8:53 | ws-cloud.snapdoapp.com | udp |
| US | 8.8.8.8:53 | feed.snapdo.com | udp |
| US | 172.232.25.148:80 | feed.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww99.snapdo.com | udp |
| US | 69.16.230.227:80 | ww99.snapdo.com | tcp |
| US | 8.8.8.8:53 | ww12.snapdo.com | udp |
| US | 99.83.136.84:80 | ww12.snapdo.com | tcp |
| US | 8.8.8.8:53 | pool.ntp.org | udp |
| US | 8.8.8.8:53 | csc3-2010-crl.verisign.com | udp |
| SE | 192.229.221.95:80 | csc3-2010-crl.verisign.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.187.238:80 | google.com | tcp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 8.8.8.8:53 | az412542.vo.msecnd.net | udp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 152.199.19.161:80 | az412542.vo.msecnd.net | tcp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| GB | 88.221.134.83:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | au.snapdoapp.com | udp |
Files
\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
| MD5 | 3cf46bae7e872a661721b0894bc076e2 |
| SHA1 | eaaa0a35e284908dd21cf245a38efe9d2e4c7532 |
| SHA256 | 7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043 |
| SHA512 | 47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2 |
\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
| MD5 | 4876414d51fe01bd8525df2f8acd35d6 |
| SHA1 | f9435c39e3029276e71a971e48f68d3f0298fe11 |
| SHA256 | 4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d |
| SHA512 | d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a |
memory/2088-16-0x0000000000C50000-0x0000000000C90000-memory.dmp
memory/2088-17-0x0000000074991000-0x0000000074992000-memory.dmp
memory/2088-21-0x0000000074990000-0x0000000074F3B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
| MD5 | e5314db579a141f6a5204f70e7073de0 |
| SHA1 | 3d2e28be7594fd754213e3ea19b4f900f6634c91 |
| SHA256 | 84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d |
| SHA512 | f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a |
C:\Users\Admin\AppData\Local\Temp\Cab9697.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar96A9.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Windows\Installer\MSI9941.tmp
| MD5 | 44c66c7febaf067ac2f96e3bb643a5b3 |
| SHA1 | bc83eb57ebb44206b467c4147a7f82d52662e9b5 |
| SHA256 | 641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383 |
| SHA512 | 41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b |
\Windows\Installer\MSI9941.tmp-\Microsoft.Deployment.WindowsInstaller.dll
| MD5 | 34d4a23cab5f23c300e965aa56ad3843 |
| SHA1 | 68c62a2834f9d8c59ff395ec4ef405678d564ade |
| SHA256 | 27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c |
| SHA512 | 7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c |
\Windows\Installer\MSI9941.tmp-\Smartbar.Installer.CustomActions.dll
| MD5 | 2120dbb0481374885af660346f503b9b |
| SHA1 | 0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3 |
| SHA256 | ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474 |
| SHA512 | 46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a |
\Windows\Installer\MSI9941.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
| MD5 | 5dc8a7062040e05ad36bd83246954b05 |
| SHA1 | f6807be0413724076c8c384576ad9a5bc1413e8c |
| SHA256 | d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc |
| SHA512 | 43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12 |
\Windows\Installer\MSI9941.tmp-\srbs.dll
| MD5 | 7ec601a05f97c73fc2180e8c57efc9af |
| SHA1 | 7c99dcdcec211459b1d9d429e2ada2839876f492 |
| SHA256 | 982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8 |
| SHA512 | 119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b |
\Windows\Installer\MSI9941.tmp-\spusm.dll
| MD5 | e28c8d2fd64ba27d9b992fc325f26a9d |
| SHA1 | d9ed413265967b6ede8787aa8c5e5734a4ea1358 |
| SHA256 | 82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab |
| SHA512 | e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739 |
\Windows\Installer\MSI9941.tmp-\srbhu.dll
| MD5 | fcbe6dec3d2da2ac9fd2754cc9cf6ad9 |
| SHA1 | 7954bdf16f99bf843c5c8053a078813d87c94254 |
| SHA256 | 71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e |
| SHA512 | 5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39 |
\Windows\Installer\MSI9941.tmp-\sppsm.dll
| MD5 | 787104ad9dea702d115883c489be54cb |
| SHA1 | b24680d170c610203df5e3d1d52b2b04f938dd56 |
| SHA256 | 934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3 |
| SHA512 | 861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312 |
\Windows\Installer\MSI9941.tmp-\Smartbar.Personalization.Common.dll
| MD5 | 347b0b5d32b1a85b5450b08cfb6d2e75 |
| SHA1 | 7bfe1857974a6c6c3e882624d820311c1e3bf670 |
| SHA256 | 76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac |
| SHA512 | d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92 |
\Windows\Installer\MSI9941.tmp-\srut.dll
| MD5 | feba43763a9b7fe1c94d681055d10167 |
| SHA1 | 49d30dedf868accf07e6895e1699a4d751235fd0 |
| SHA256 | 0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d |
| SHA512 | 680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef |
\Windows\Installer\MSI9941.tmp-\Smartbar.Infrastructure.Utilities.dll
| MD5 | 562ac9921d990126990c2f0bdce7081a |
| SHA1 | f395458d8e328cf4809385fef3e225d01f8a8fc0 |
| SHA256 | ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738 |
| SHA512 | f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208 |
\??\c:\Users\Admin\AppData\Local\Temp\tfsesps-.cmdline
| MD5 | 2dd564aac105a438ece91669e5a25a27 |
| SHA1 | 13b6f5af3901b7bb7577b4593f8aad1a05fffbf2 |
| SHA256 | 76326491f2054fbb9fb90c85e57fbeaddad7f690fa838e7191a779f70df4a662 |
| SHA512 | f7011f9955bf0c028457bda43c88a9799b5613988045005ce9fe3ac6d27c77e25da0958fcf4261dcbfe0fd8064d93e215c0a51632adae111d7ad50b6c072b74e |
\??\c:\Users\Admin\AppData\Local\Temp\tfsesps-.0.cs
| MD5 | 6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c |
| SHA1 | 1dbab29ad6fb169fad90e963dd0c5290f27272fc |
| SHA256 | e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a |
| SHA512 | 193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640 |
C:\Users\Admin\AppData\Local\Temp\RESA111.tmp
| MD5 | fa5ab5b1ac5401d051e43f8bebe24563 |
| SHA1 | 9ad801d48c900a2f50ddeb74939d9341c54db30b |
| SHA256 | 012437b7f58641054d5f0f04e03fc1ddd3724a6651d5d1dfdaf7dbe05aee2453 |
| SHA512 | 952a22e20660b1ba7a6ea5e88b4b8f5211ffa7f9a2d3f67e0f2942a3f411a9640c095fc4b2af9b80d56b838623b4e783ebdd44a52af8c85c125a6e8bf689cfed |
\??\c:\Users\Admin\AppData\Local\Temp\CSCA110.tmp
| MD5 | 087d9bf55cc8695e0ae5c77212188624 |
| SHA1 | 987957a5859b4b483804712010176e83c1cf326f |
| SHA256 | 78896c1bd08d1965858f7e468447badfdb2af3ceb536e3b3174c5ef7113cb0a6 |
| SHA512 | 001c71bcc038ac9391fb20a3b573fb0745f8e2ecfa8fa38395883da1cdbce6a9a48faab8856a2a010a907453e71d8bb0442b72772ff8bad7918f3735393fa2cd |
C:\Users\Admin\AppData\Local\Temp\tfsesps-.dll
| MD5 | 7215dcbced6878b94a98902be12d29aa |
| SHA1 | 448ca0b64352a0453cc16378a0f243be5b808146 |
| SHA256 | 9518f84460063636ecf6a44adc3b4b7c006f0f0f08ed87ba54e27a8a4ffac39e |
| SHA512 | 2c5acc6e5d0126c8a3f077519ea69fa0826d1926ba8cf269971e5a966ef56aba42e5b05bcd9311b1d8e02d874ce07e01d5c78d4f637ef7985541d1c5ddd84385 |
\Windows\Installer\MSI9941.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
| MD5 | 7868ed46c34a1b36bea10560f453598f |
| SHA1 | 72330dac6f8aed0b8fde9d7f58f04192a0303d6b |
| SHA256 | 5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176 |
| SHA512 | 0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1c0c8398d18078098e08422769c998ee |
| SHA1 | b0eaf48d1248c15308b408dbc8f1ab35db84329e |
| SHA256 | 1abcad8ff800d0e270380f46e9c57308638cccff188086d4b25a41eb9a79ce5e |
| SHA512 | 67630b89bd80b32d34ea3e4f620b13e6759150e116c69d01e300c51da4a470191f32efb58b1a9a633e966cd6d4824fe9647ed8f0705ca9fc2312bc4289c37ee5 |
\Windows\Installer\MSI9941.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
| MD5 | adb53ee43f74f430368449b98b2f6f86 |
| SHA1 | fb882d80da9ccf79c6817a492fbd686d4759bb41 |
| SHA256 | b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff |
| SHA512 | 8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a |
\??\c:\Users\Admin\AppData\Local\Temp\vrwf95lg.cmdline
| MD5 | 7516955537a11a4676f49f583886bda4 |
| SHA1 | 64fb5f8380edfd5b617641bc9dcb6c849a8661a8 |
| SHA256 | 75437e6324d3512509cb87263e7ea1a4e01041532d3281eb57c34e24f37b3b57 |
| SHA512 | 904d1562024a09da241dba127d93d836c5317fbe6185b874e0f361c598bfa0b89f5a0d3093f3e5962b48b4bbd0470baef080fe40914db89dd672771f1726e018 |
\??\c:\Users\Admin\AppData\Local\Temp\vrwf95lg.0.cs
| MD5 | 14ac60821b7e9508914fdf584ef23f46 |
| SHA1 | 9bc6cb0f7ea31050962fe56398213a48c5097ffa |
| SHA256 | ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c |
| SHA512 | b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5 |
\??\c:\Users\Admin\AppData\Local\Temp\CSCA3CE.tmp
| MD5 | b3144e2845dd294de8c6c3080f44ac09 |
| SHA1 | 31b6a2f5a4aa1e98ba483e7a7edeafc3866f1bc3 |
| SHA256 | e8427b5eb5408ee0b833fcbc76e4a87a5b5094c20cf7c94eb17f7440d3be6e68 |
| SHA512 | 474f794845748082ce701cc91436d54e60dfd6137cd1a3c09021bc41b9f720bd8c644186104abc7a0348671083c359e56f2e00a9f121a81275ded38df9dae301 |
C:\Users\Admin\AppData\Local\Temp\RESA3CF.tmp
| MD5 | f68986f12dee971f801375fba518d02c |
| SHA1 | 795e6502eac3489e33f3071873ff6cee5d05094c |
| SHA256 | 31d22970f2ffdf6a22800ab912eff96391caf091bba63db37aae8f04892b185d |
| SHA512 | 6f7188ed2d4122b97aee416488cc36b1b5aa6f6c5d103a2d8ebf61b1d280a8206f4fb777d4630ccbb522851ce4d22315d17c4b5d6e6df872608e79f28202dc27 |
C:\Users\Admin\AppData\Local\Temp\vrwf95lg.dll
| MD5 | e9aad950bf0dd6c34b980033e4fe399e |
| SHA1 | 0d4adf9fafec1fe94e30f5595ae074e6d609ece0 |
| SHA256 | 067e2da6e421dcf70c260729d9aa146a2e780c4a62218e264fa4e5fe52d92578 |
| SHA512 | f20cb4e8c44510c8ce8111fbb51a71fe9f64e57aa218c455039d30b01d078e9973219be5bef174a8fbf4eaddfcbceb85b7e856d6bcdfd362fab2d3cc493470be |
memory/2088-249-0x0000000000C50000-0x0000000000C90000-memory.dmp
C:\Windows\Installer\MSIB03D.tmp-\CustomAction.config
| MD5 | 796621b6895449a5f70ca6b78e62f318 |
| SHA1 | 2423c3e71fe5fa55fd71c00ae4e42063f4476bca |
| SHA256 | 09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84 |
| SHA512 | 081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9 |
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
| MD5 | 4fcf862e733f371e0005de4a917f3720 |
| SHA1 | 8d6f786cd77e88c93d4442286131a4f818baf88b |
| SHA256 | 7c8558fd215a241f7ff824c0bdc4e7c4facdf3bbdffe9292497824fdd1f5eed9 |
| SHA512 | 942dfdd22b532702582ac5bd4c7ec9700c439827274fa4454bb1e16fadaabf502b31b6af3aeb4a2f0ca9c8c6eae1ea67ebabc78eda05e9733f1d937968a2c18b |
memory/2088-417-0x0000000074990000-0x0000000074F3B000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
| MD5 | 5719ee7f6521ae142f0557f0706cded1 |
| SHA1 | a1d5694197827967aea5b3ccc88e2f91d465c283 |
| SHA256 | 0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf |
| SHA512 | cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
| MD5 | 2768222689e3585d609b5a2afc1ba52c |
| SHA1 | ee522df6b2e365857bf6be58ac7150cbc71cfc9c |
| SHA256 | 21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0 |
| SHA512 | 56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4 |
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
| MD5 | e6ab030a2d47b1306ad071cb3e011c1d |
| SHA1 | ed5f9a6503c39832e8b1339d5b16464c5d5a3f03 |
| SHA256 | 054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c |
| SHA512 | 4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163 |
memory/2272-1151-0x0000000000710000-0x0000000000736000-memory.dmp
memory/2272-1178-0x0000000000440000-0x0000000000460000-memory.dmp
memory/2272-1275-0x0000000003290000-0x0000000003373000-memory.dmp
C:\Windows\assembly\tmp\JEB7NEML\System.Data.SQLite.dll
| MD5 | c2e38bfe933c5bce36910fe1fb1d5067 |
| SHA1 | aac5ed2724e2f88c7af1a3bf56d73180ae709bb7 |
| SHA256 | 49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286 |
| SHA512 | 281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d |
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
| MD5 | 94e3ac6df72ab1fd30e3c74ca4515a81 |
| SHA1 | 2bc04974a0b61e327da79fe81959eddd88375f19 |
| SHA256 | 3435e9b1f96c208cadd2228421aa6ada11eeefff2f1067127486805e8fcf3417 |
| SHA512 | aa434cafdd5ca875c0fcc2dc758e6eaa471a152b1ba13f4823f5a58c6be072adff0576cbeb9da183c51881361a5fb5b623dc9980d214c024add809b0db2d140f |
C:\Windows\assembly\tmp\BG5Y0UEK\Interop.SHDocVw.dll
| MD5 | 030a99f9594434ea83d27b33a95c4d5a |
| SHA1 | 230882058a1d50e4e8f7fa4bb3144dec506c5967 |
| SHA256 | 0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3 |
| SHA512 | 529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee |
C:\Config.Msi\f7695fd.rbs
| MD5 | cfddbc72927ff0e524c25167b2352f67 |
| SHA1 | e2ac591373c716ab104706e746e022d126821dbb |
| SHA256 | ce10df1835451c98c245cc9904ccb77b269da715a9d93f4ad9328f5d8bba2117 |
| SHA512 | f73b4f93435320b65783c58a74f5eecb8635c29281e492550bc052842dfd466d11f02b69b9d0f3da711e6a16fd4a0e08e490ec9db8ba3aeb50ad5884eaedbe3a |
C:\Windows\Installer\MSIBB09.tmp-\srprl.dll
| MD5 | d8fa7df1f2cd92ad701bc23f86d89b54 |
| SHA1 | 72160fd5ad639c5a9c44305b06c98eb637399d18 |
| SHA256 | 475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4 |
| SHA512 | a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992 |
C:\Users\Admin\AppData\Local\Smartbar\Application\84cedsbn.newcfg
| MD5 | 51417498b55cf9dd3d2b06acca131f8d |
| SHA1 | e29cf97632afc31c3f33e92ec11aba4ab6af279f |
| SHA256 | 09c4cf7783aaaf4d783a20d5d424e5d778dfa985cf24d9adab6a8615e5942ea9 |
| SHA512 | 2190da7f78ed76aed06ffabfdcfdff6f248ba7a1990bb80a4949a101626013c87048d5464487bcd0679c50d5019a26379f4f8691d0100ca08f7dfdd709417836 |
memory/2604-1506-0x0000000000C00000-0x0000000000C18000-memory.dmp
memory/2604-1507-0x0000000000C00000-0x0000000000C18000-memory.dmp
memory/2928-1560-0x0000000000AB0000-0x0000000000AD6000-memory.dmp
memory/2928-1561-0x0000000000AB0000-0x0000000000AD6000-memory.dmp
memory/904-1588-0x000000001C0C0000-0x000000001C866000-memory.dmp
memory/904-1589-0x000000001D020000-0x000000001D7C6000-memory.dmp
memory/3040-1617-0x00000000022A0000-0x00000000022C6000-memory.dmp
memory/3040-1616-0x0000000000890000-0x00000000008B6000-memory.dmp
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
| MD5 | a341b4dd3758348c69ad130f1dd9ad94 |
| SHA1 | ea6ba5a8c2d33420cef5d4be943207c063f1def0 |
| SHA256 | 3d5ac2908cc18d3e736774a491539c3701961cd0081b6d0a135dfbe8db810157 |
| SHA512 | 63a78918a9d081b3276dbdd7f498296396b175ecde7d05b262bf5aa6e918aa0fed2e1c42a0e892de7a5a7ac93baa647b05cd2cc8000b0586e18c9257f11124b5 |
C:\Windows\Installer\MSIBB09.tmp-\Newtonsoft.Json.dll
| MD5 | 0e32f5229d5ee7d288b6b3969a51fcbc |
| SHA1 | 54c09f07930525786fcf08b9c7aca24185a68fc1 |
| SHA256 | e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8 |
| SHA512 | 64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb |
C:\Windows\Installer\MSIBB09.tmp-\Interop.NetFwTypeLib.dll
| MD5 | a084b0c082ec6c9525336b131aeba39a |
| SHA1 | 45db1f5cc54a033e5df460b93edaa5d23a39ced9 |
| SHA256 | 7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d |
| SHA512 | 297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\lls-e5ou.newcfg
| MD5 | 150e92c89b3f926add54485e5327b48e |
| SHA1 | c1bb12f562389612ef8620c4d1257edd8f5e07a9 |
| SHA256 | 27912852cea05628dcec6578760221b2d0a632c5c326802d12910eef4111d963 |
| SHA512 | 46124b9e3522463e76db4ca5d891cd01d5c658c38440597faf8e6ace7528e2e9026af9b6a73913cdf46a1c32398d258d10d5e2ce220fbef80093a87759093958 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
| MD5 | e4af8d7ad09a4fd9500a9542efad8a08 |
| SHA1 | 53dec87111adf6190fa8e0a272f78cd8247f71f0 |
| SHA256 | e52b1b03beed33703c727557c925a680dd921d1e12e2f76ccaa06beca4eda62e |
| SHA512 | 7bd8ae7908522223b8c90493179546f14088773dcb56b3a238102aacbf7b2a8a5841b53a0c8f55602993c0a82c2ffc65a96b64496186ec71c2018237fa065732 |
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\ji_pnvxp.newcfg
| MD5 | 4e2af31f9d2df2f85e1b5e521ed1ffa7 |
| SHA1 | 4edb9ac9632d1c21c79b12be4db7935656a9e8b7 |
| SHA256 | 6850d688b100b93b31ba438b1744a1d04efe0f375318dff5c9fd554d33fdf392 |
| SHA512 | 843831f822447ce36695077dc0b70d52f8983beaa8209cdcf1aebbdada6dd68a18c26b4f3b9fa5bd724595372b7560c8fdbc46f899fbbe97d824d730e4d9aad0 |
memory/2088-2516-0x0000000074990000-0x0000000074F3B000-memory.dmp