pandastealer | 202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410ad

Analysis

max time kernel
119s
max time network
119s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 04:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe
Size

8.8MB
MD5

aea459bd4a96c0440c4435bfe39aaf40
SHA1

4bddc9c5e363f94a71610c5720ab188593be11d1
SHA256

202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410ad
SHA512

7a6a144118bbea7835e035e6bd0d3a87363dd92f2186ba9911eb41d2e0a45530757a9c8348e8171027eb90814497da49b225b7a9a606d3bb2872d53086ae4f19
SSDEEP

196608:T1oRCm5gjvpKv1gJzwgs/vvZNijq97g00QCOsNjz0uHFtdMaKDk:T1oRCIg1Kvozwl/73vYrWaKI

Score

10^/10

pandastealer adware discovery evasion persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Panda Stealer payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000d000000012281-6.dat	family_pandastealer

PandaStealer
Panda Stealer is a fork of CollectorProject Stealer written in C++.
stealer pandastealer
Pandastealer family
pandastealer

Blocklisted process makes network request 11 IoCs

flow	pid	Process
6	3052	msiexec.exe
8	3052	msiexec.exe
10	3052	msiexec.exe
12	484	rundll32.exe
17	2168	rundll32.exe
27	2168	rundll32.exe
29	2168	rundll32.exe
31	2168	rundll32.exe
34	2168	rundll32.exe
36	2168	rundll32.exe
40	2168	rundll32.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 2 IoCs

pid	Process
920	Installer.exe
2112	Smartbar.exe

Loads dropped DLL 64 IoCs

pid	Process
1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe
1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe
920	Installer.exe
920	Installer.exe
920	Installer.exe
920	Installer.exe
1388	MsiExec.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
484	rundll32.exe
1388	MsiExec.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
684	rundll32.exe
1388	MsiExec.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\Browser Infrastructure Helper = "C:\\Users\\Admin\\AppData\\Local\\Smartbar\\Application\\Smartbar.exe startup"	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	Smartbar.exe
File opened (read-only)	\??\Y:	Smartbar.exe
File opened (read-only)	\??\K:	Smartbar.exe
File opened (read-only)	\??\N:	Smartbar.exe
File opened (read-only)	\??\O:	Smartbar.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	Smartbar.exe
File opened (read-only)	\??\U:	Smartbar.exe
File opened (read-only)	\??\X:	Smartbar.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	Smartbar.exe
File opened (read-only)	\??\Z:	Smartbar.exe
File opened (read-only)	\??\E:	Smartbar.exe
File opened (read-only)	\??\J:	Smartbar.exe
File opened (read-only)	\??\L:	Smartbar.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	Smartbar.exe
File opened (read-only)	\??\I:	Smartbar.exe
File opened (read-only)	\??\W:	Smartbar.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	Smartbar.exe
File opened (read-only)	\??\M:	Smartbar.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	Smartbar.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	Smartbar.exe
File opened (read-only)	\??\Q:	Smartbar.exe
File opened (read-only)	\??\R:	Smartbar.exe
File opened (read-only)	\??\T:	Smartbar.exe
File opened (read-only)	\??\B:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}	RegAsm.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{31ad400d-1b06-4e33-a59a-90c2c140cba0}\NoExplorer = "1"	RegAsm.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Smartbar.Resources.Translations.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\srprl.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\spusm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\Smartbar.Resources.SocialNetsSharer.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\MACTrackBarLib.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\spsm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\spbl.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll	rundll32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch.new	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\sppsm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\srbs.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\sismlp.dll	rundll32.exe
File created	C:\Windows\assembly\tmp\42237BJA\Microsoft.VisualStudio.OLE.Interop.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Microsoft.Practices.EnterpriseLibrary.Common.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\sppsm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\MACTrackBarLib.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Microsoft.Practices.ObjectBuilder.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\srbhu.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\srus.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\srut.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\srpdm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\spsm.dll	rundll32.exe
File created	C:\Windows\assembly\tmp\LTEZKJBI\Interop.SHDocVw.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll	rundll32.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch.new	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Interop.NetFwTypeLib.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Smartbar.Infrastructure.BusinessEntities.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Smartbar.GUI.Docking.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\Smartbar.Resources.Translations.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\Smartbar.Infrastructure.BusinessEntities.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\srsbs.dll	rundll32.exe
File created	C:\Windows\Installer\f76801b.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\spusm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Smartbar.Resources.LanguageSettings.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Smartbar.GUI.Docking.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\f768018.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\sipb.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Smartbar.Resources.LanguageSettings.resources.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Smartbar.GUI.Controls.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Smartbar.Resources.SocialNetsSharer.XmlSerializers.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.Logging.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Smartbar.Infrastructure.Utilities.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\srpdm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\MACTrackBarLib.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\sismlp.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9A9A.tmp	msiexec.exe
File created	C:\Windows\Installer\f76801d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\spusm.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Smartbar.Resources.LanguageSettings.dll	rundll32.exe
File opened for modification	C:\Windows\assembly\tmp\42237BJA\__AssemblyInfo__.ini	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84F7.tmp-\Smartbar.Resources.LanguageSettings.resources.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9ABA.tmp-\Smartbar.GUI.Controls.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA873.tmp-\Microsoft.Practices.EnterpriseLibrary.Logging.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Smartbar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
632	msiexec.exe
920	Installer.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2864	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 55 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MAO Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=02/12/2024"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=02/12/2024"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchUrl	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=02/12/2024"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{AE07101B-46D4-4A98-AF68-0333EA26E113}	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchUrl\Default = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\MAO Settings\AddonLoadTimeThreshold = "10000"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Use Search Asst = "yes"	Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=02/12/2024"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\Smartbar.exe = "9999"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=02/12/2024"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search	Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}"	Installer.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Internet Explorer\SearchUrl	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}"	Installer.exe
Key deleted	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\USER PREFERENCES	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"	Installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=02/12/2024"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\UseHomepageForNewTab = "1"	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Search Bar = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}"	Installer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\ShowTabsWelcome = "0"	Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURL_JSON = "http://suggestqueries.google.com/complete/search?output=firefox&client=firefox&qu={searchTerms}"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=02/12/2024"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search\SearchAssistant = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate={installDate}"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{006ee092-9658-4fd6-bd8e-a21a348e59f5}"	Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\SuggestionsURLFallback = "http://api.bing.com/qsml.aspx?query={searchTerms}&maxwidth={ie:maxWidth}&rowheight={ie:rowHeight}&sectionHeight={ie:sectionHeight}&FORM=IE8SSC&market={language}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Toolbar\{ae07101b-46d4-4a98-af68-0333ea26e113} = "Smartbar"	RegAsm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Search\Default_Search_URL = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=ds&q={searchTerms}&installDate=02/12/2024"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\SearchScopes\{006ee092-9658-4fd6-bd8e-a21a348e59f5}\DisplayName = "Web Search"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\FeatureControl	rundll32.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=GB&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate={installDate}"	Installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://feed.snapdo.com/?publisher=ShoppingHelper&dpid=ShoppingHelper&co=TJ&userid=d13811c3-be3c-f963-4eca-e759baed3971&searchtype=hp&installDate=02/12/2024"	rundll32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{656130CD-753E-3DDC-893C-D6975C1EEED9}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3F5-98B4-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLSpanElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F249-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6D55083F-D6FF-3028-A8A3-95DE56BB6EDF}\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F630-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C77B0461-C344-345F-B41F-C1352A3E2B36}\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F284-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B3E55904-F89A-3F14-ADE9-32CE53681F86}\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CC-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A66A524B-DE26-335C-BBCD-86250806FAD3}\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38F-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLImageElementFactoryClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F281-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{AE07101B-46D4-4A98-AF68-0333EA26E113}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{425E7597-03A2-338D-B72A-0E51FFE77A7E}\1.0.0.0\Class = "IESmartBar.POINT"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.BHO	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F3E8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F6C8-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLDefaultsClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F402-98B5-11CF-BB82-00AA00BDCE0B}	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{34B4F646-3FC3-3CA2-AF86-BDAA6F9167D8}\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9CBDDE76-4C5D-3B59-A31F-45B59186510A}\7.0.3300.0\Class = "mshtml._styleTextLineThroughStyle"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4DBA43D6-92EF-365A-A8F6-164C0BECAA03}\7.0.3300.0\Class = "mshtml._htmlZOrder"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F245-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F276-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A717364F-69F3-3A24-ADD5-3901A57F880E}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}\InprocServer32\ = "mscoree.dll"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F251-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F4CB-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLElementCollectionClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F24D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F2B9-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{31AD400D-1B06-4E33-A59A-90C2C140CBA0}\ProgId\ = "IESmartBar.BHO"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A2CCE3E1-31E1-3A80-9E94-3F818328FB20}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C77B0461-C344-345F-B41F-C1352A3E2B36}\7.0.3300.0\Class = "mshtml._bodyScroll"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A5C76C0B-A22F-3565-BA14-863844C9570C}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F281-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{26D3A9D0-70E0-3905-838B-67B7AEAD16F0}\7.0.3300.0\Class = "mshtml._styleNormal"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EAB22AC3-30C1-11CF-A7EB-0000C05BAE0B}\InProcServer32	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6D55083F-D6FF-3028-A8A3-95DE56BB6EDF}\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9CBDDE76-4C5D-3B59-A31F-45B59186510A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{F9D1FACE-EF58-3A60-BD92-95DA3D29A3A2}\7.0.3300.0\Class = "mshtml._htmlRules"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F314-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F282-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLBaseFontElementClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\IESmartBar.BandObjectAttribute\ = "IESmartBar.BandObjectAttribute"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F580-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F27A-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F38D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EDC20047-2388-3184-B6DD-B543825CA72A}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F6AA-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Class = "mshtml.HTMLRenderStyleClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F2E4-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTMLStyleSheetClass"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9C468E69-AED4-3E79-9CC5-4EDF700A52E5}\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9BA05972-F6A8-11CF-A442-00A0C90A8F39}	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1A7B7923-55BB-3079-B47E-AC73CBEDCE77}\7.0.3300.0	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{9778FF5E-CBCB-3A8E-AA0C-69F4540870C0}\7.0.3300.0	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F4FE-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\Class = "mshtml.HTCEventBehaviorClass"	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{56561B2A-FB5D-363A-9631-4C03D6054209}	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5E8433C3-CEE5-399A-883B-0FBB33FA9689}	RegAsm.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{ADCDA984-74EE-399A-B8C7-F16E1D96115F}	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F24D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\RuntimeVersion = "v1.0.3705"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3050F493-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B3E55904-F89A-3F14-ADE9-32CE53681F86}\7.0.3300.0\Class = "mshtml.__MIDL_IWinTypes_0007"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3050F24D-98B5-11CF-BB82-00AA00BDCE0B}\InprocServer32\7.0.3300.0\Assembly = "Microsoft.mshtml, Version=7.0.3300.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	RegAsm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EDC20047-2388-3184-B6DD-B543825CA72A}\7.0.3300.0\Class = "mshtml._htmlMarqueeBehavior"	RegAsm.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e51d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af33313353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c92000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Smartbar.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\E12DFB4B41D7D9C32B30514BAC1D81D8385E2D46\Blob = 040000000100000010000000a7f2e41606411150306b9ce3b49cb0c90f0000000100000014000000f45a0858c9cd920e647bad539ab9f1cfc77f24cb090000000100000016000000301406082b0601050507030306082b06010505070308140000000100000014000000daed6474149c143cabdd99a9bd5b284d8b3cc9d80b000000010000001400000055005300450052005400720075007300740000001d0000000100000010000000f919b9ccce1e59c2e785f7dc2ccf6708030000000100000014000000e12dfb4b41d7d9c32b30514bac1d81d8385e2d46190000000100000010000000e843ac3b52ec8c297fa948c9b1fb281920000000010000006a040000308204663082034ea003020102021044be0c8b500024b411d3362de0b35f1b300d06092a864886f70d0101050500308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a656374301e170d3939303730393138333132305a170d3139303730393138343033365a308195310b3009060355040613025553310b3009060355040813025554311730150603550407130e53616c74204c616b652043697479311e301c060355040a131554686520555345525452555354204e6574776f726b3121301f060355040b1318687474703a2f2f7777772e7573657274727573742e636f6d311d301b0603550403131455544e2d5553455246697273742d4f626a65637430820122300d06092a864886f70d01010105000382010f003082010a0282010100ceaa813fa3a36178aa31005595119e270f1f1cdf3a9b826830c04a611df12f0efabe79f7a523ef55519684cddbe3b96e3e31d80a2067c7f4d9bf94eb47043e02ce2aa25d870409f6309d188a97b2aa1cfc41d2a136cbfb3d91bae7d97035fae4e790c39ba39bd33cf5129977b1b709e068e61cb8f39463886a6afe0b76c9bef422e467b9ab1a5e77c18507dd0d6cbfee06c7776a419ea70fd7fbee9417b7fc85bea4abc41c31ddd7b6d1e4f0efdf168fb25293d7a1d489a1072ebfe10112421e1ae1d89534db647928ffba2e11c2e5e85b9248fb470bc26cdaad328341f3a5e54170fd65906dfafa51c4f9bd962b19042cd36da7dcf07f6f8365e26aab8786750203010001a381af3081ac300b0603551d0f0404030201c6300f0603551d130101ff040530030101ff301d0603551d0e04160414daed6474149c143cabdd99a9bd5b284d8b3cc9d830420603551d1f043b30393037a035a0338631687474703a2f2f63726c2e7573657274727573742e636f6d2f55544e2d5553455246697273742d4f626a6563742e63726c30290603551d250422302006082b0601050507030306082b06010505070308060a2b0601040182370a0304300d06092a864886f70d01010505000382010100081f52b1374478dbfdceb9da959698aa556480b55a40dd21a5c5c1f35f2c4cc8475a69eae8f03535f4d025f3c8a6a4874abd1bb17308bdd4c3cab635bb59867731cda78014ae13effcb148f96b25252d51b62c6d45c198c88a565d3eee434e3e6b278ed03a4b850b5fd3ed6aa775cbd15a872f3975135a72b002819fbef00f845420626c69d4e14dc60d9943010d12968c789dbf50a2b144aa6acf177acf6f0fd4f824555ff0341649663e5046c96371383162b862b9f353ad6cb52ba212aa194f09da5ee793c68e1408fef0308018a086854dc87dd78b03fe6ed5f79d16ac922ca023e59c91521f94df179473c3b3c1c17105200078bd13521da83ecd001fc8	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	Smartbar.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c909000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c01400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e52000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	Smartbar.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
920	Installer.exe
920	Installer.exe
920	Installer.exe
3052	msiexec.exe
3052	msiexec.exe
684	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2112	Smartbar.exe
2112	Smartbar.exe
2168	rundll32.exe
2168	rundll32.exe
2168	rundll32.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2168	rundll32.exe
2168	rundll32.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe
2112	Smartbar.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2112	Smartbar.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeShutdownPrivilege	632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	632	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeSecurityPrivilege	3052	msiexec.exe
Token: SeCreateTokenPrivilege	632	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	632	msiexec.exe
Token: SeLockMemoryPrivilege	632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	632	msiexec.exe
Token: SeMachineAccountPrivilege	632	msiexec.exe
Token: SeTcbPrivilege	632	msiexec.exe
Token: SeSecurityPrivilege	632	msiexec.exe
Token: SeTakeOwnershipPrivilege	632	msiexec.exe
Token: SeLoadDriverPrivilege	632	msiexec.exe
Token: SeSystemProfilePrivilege	632	msiexec.exe
Token: SeSystemtimePrivilege	632	msiexec.exe
Token: SeProfSingleProcessPrivilege	632	msiexec.exe
Token: SeIncBasePriorityPrivilege	632	msiexec.exe
Token: SeCreatePagefilePrivilege	632	msiexec.exe
Token: SeCreatePermanentPrivilege	632	msiexec.exe
Token: SeBackupPrivilege	632	msiexec.exe
Token: SeRestorePrivilege	632	msiexec.exe
Token: SeShutdownPrivilege	632	msiexec.exe
Token: SeDebugPrivilege	632	msiexec.exe
Token: SeAuditPrivilege	632	msiexec.exe
Token: SeSystemEnvironmentPrivilege	632	msiexec.exe
Token: SeChangeNotifyPrivilege	632	msiexec.exe
Token: SeRemoteShutdownPrivilege	632	msiexec.exe
Token: SeUndockPrivilege	632	msiexec.exe
Token: SeSyncAgentPrivilege	632	msiexec.exe
Token: SeEnableDelegationPrivilege	632	msiexec.exe
Token: SeManageVolumePrivilege	632	msiexec.exe
Token: SeImpersonatePrivilege	632	msiexec.exe
Token: SeCreateGlobalPrivilege	632	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeDebugPrivilege	684	rundll32.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe
Token: SeRestorePrivilege	3052	msiexec.exe
Token: SeTakeOwnershipPrivilege	3052	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 920	1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe	30
PID 1800 wrote to memory of 920	1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe	30
PID 1800 wrote to memory of 920	1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe	30
PID 1800 wrote to memory of 920	1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe	30
PID 1800 wrote to memory of 920	1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe	30
PID 1800 wrote to memory of 920	1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe	30
PID 1800 wrote to memory of 920	1800	202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe	30
PID 920 wrote to memory of 2864	920	Installer.exe	31
PID 920 wrote to memory of 2864	920	Installer.exe	31
PID 920 wrote to memory of 2864	920	Installer.exe	31
PID 920 wrote to memory of 2864	920	Installer.exe	31
PID 920 wrote to memory of 632	920	Installer.exe	34
PID 920 wrote to memory of 632	920	Installer.exe	34
PID 920 wrote to memory of 632	920	Installer.exe	34
PID 920 wrote to memory of 632	920	Installer.exe	34
PID 920 wrote to memory of 632	920	Installer.exe	34
PID 920 wrote to memory of 632	920	Installer.exe	34
PID 920 wrote to memory of 632	920	Installer.exe	34
PID 3052 wrote to memory of 1388	3052	msiexec.exe	36
PID 3052 wrote to memory of 1388	3052	msiexec.exe	36
PID 3052 wrote to memory of 1388	3052	msiexec.exe	36
PID 3052 wrote to memory of 1388	3052	msiexec.exe	36
PID 3052 wrote to memory of 1388	3052	msiexec.exe	36
PID 3052 wrote to memory of 1388	3052	msiexec.exe	36
PID 3052 wrote to memory of 1388	3052	msiexec.exe	36
PID 1388 wrote to memory of 484	1388	MsiExec.exe	37
PID 1388 wrote to memory of 484	1388	MsiExec.exe	37
PID 1388 wrote to memory of 484	1388	MsiExec.exe	37
PID 1388 wrote to memory of 484	1388	MsiExec.exe	37
PID 1388 wrote to memory of 484	1388	MsiExec.exe	37
PID 1388 wrote to memory of 484	1388	MsiExec.exe	37
PID 1388 wrote to memory of 484	1388	MsiExec.exe	37
PID 484 wrote to memory of 1692	484	rundll32.exe	38
PID 484 wrote to memory of 1692	484	rundll32.exe	38
PID 484 wrote to memory of 1692	484	rundll32.exe	38
PID 484 wrote to memory of 1692	484	rundll32.exe	38
PID 1692 wrote to memory of 2380	1692	csc.exe	40
PID 1692 wrote to memory of 2380	1692	csc.exe	40
PID 1692 wrote to memory of 2380	1692	csc.exe	40
PID 1692 wrote to memory of 2380	1692	csc.exe	40
PID 484 wrote to memory of 884	484	rundll32.exe	41
PID 484 wrote to memory of 884	484	rundll32.exe	41
PID 484 wrote to memory of 884	484	rundll32.exe	41
PID 484 wrote to memory of 884	484	rundll32.exe	41
PID 884 wrote to memory of 1604	884	csc.exe	43
PID 884 wrote to memory of 1604	884	csc.exe	43
PID 884 wrote to memory of 1604	884	csc.exe	43
PID 884 wrote to memory of 1604	884	csc.exe	43
PID 1388 wrote to memory of 684	1388	MsiExec.exe	44
PID 1388 wrote to memory of 684	1388	MsiExec.exe	44
PID 1388 wrote to memory of 684	1388	MsiExec.exe	44
PID 1388 wrote to memory of 684	1388	MsiExec.exe	44
PID 1388 wrote to memory of 684	1388	MsiExec.exe	44
PID 1388 wrote to memory of 684	1388	MsiExec.exe	44
PID 1388 wrote to memory of 684	1388	MsiExec.exe	44
PID 1388 wrote to memory of 2168	1388	MsiExec.exe	45
PID 1388 wrote to memory of 2168	1388	MsiExec.exe	45
PID 1388 wrote to memory of 2168	1388	MsiExec.exe	45
PID 1388 wrote to memory of 2168	1388	MsiExec.exe	45
PID 1388 wrote to memory of 2168	1388	MsiExec.exe	45
PID 1388 wrote to memory of 2168	1388	MsiExec.exe	45
PID 1388 wrote to memory of 2168	1388	MsiExec.exe	45
PID 2168 wrote to memory of 2480	2168	rundll32.exe	46
PID 2168 wrote to memory of 2480	2168	rundll32.exe	46

C:\Users\Admin\AppData\Local\Temp\202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe
"C:\Users\Admin\AppData\Local\Temp\202dcd065752d8e3d74ac43b70ef3267fd5c10d892fc9655a094575cdba410adN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Users\Admin\AppData\Local\Temp\Installer.exe
  C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:920
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /F /IM msiexec.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:d13811c3-be3c-f963-4eca-e759baed3971
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 858EC0A0D9FC5E0E332ED400E991F59F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1388
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI84F7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259425684 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:484
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eohimm1g.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8A94.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8A93.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2380
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3r1bybgz.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E0E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8E0D.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1604
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI9ABA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259431129 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:684
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA873.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259434639 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fht3xqes.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA9F6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA9F5.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2152
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p1zulpah.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1688
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAA73.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAA72.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies registry class
      PID:1776
  - - C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
      "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
      4⤵
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2952
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
      4⤵
      Installs/modifies Browser Helper Object
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:316
  - - C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
      "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
      4⤵
      Installs/modifies Browser Helper Object
      PID:2164
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:788
  - - C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
      "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
      4⤵
      Modifies registry class
      PID:1992
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:2056
  - - C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
      "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
      4⤵
      PID:2728
  - - C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
      "C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
      4⤵
      Executes dropped EXE
      Enumerates connected drives
      System Location Discovery: System Language Discovery
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      PID:2112
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ffkb-xbh.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:964
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCDDB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCDDA.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:708
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3ufmf6xb.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCF03.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCF02.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2060
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dfrw4oxl.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1984
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCFED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCFEC.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hkwf3_-a.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD144.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD143.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:996
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\6bt_knnw.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD2CA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD2C9.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2844
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a-1hfm23.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD338.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD337.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2796
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tuwvywud.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2148
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD376.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD375.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2492
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ji8gq4ry.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2384
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD431.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD430.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:656
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y--mixcx.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD4DC.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lcau3b0o.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2432
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE31F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE31E.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0ng87dtd.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE5AF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE5AE.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2888
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\os4qqrt_.cmdline"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE8F9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE8F8.tmp"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1796
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nj2rsjlo.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2616
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD4CD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD4CC.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76801c.rbs

Filesize
143KB

MD5
ff15bc69b6e82a14ef7a5669580585de

SHA1
6cbab7b5baeef6bd44fd418ff8d7a60ed5069715

SHA256
a831f728132eaa83521e033477f29a4e0ad0d667dcdcf68be4f923ffff5f5646

SHA512
e0a0955536e237d96b47ce072f6146ab19afd36ed03754687572422c17b113d8bcbde365b00141d262365ec9135953bcdb935cdac4e3f9e299dd27211f93fbaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f8f4397a2743ba9ac9abe177f72c6b8

SHA1
5c2d959f347f8ed2827e84b802312e1dad64d063

SHA256
dddbcc969ef7e81789d9ad6b5f988c6584d2e56a2d10eddf30e2e928775052ee

SHA512
c8b98dd86ddb757ee30c1bc5f3a08a2eb668a0cd526c0f5c95147acebe807e7d80b943bb58fe5b895047aa9b901b16e79d178bc1c4df6857eba895346a11995a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b873ae16b9a278c05eb394b1c3e6f01e

SHA1
b1bfdd48fc22397b0ba1e3af5383c3aa91e12b04

SHA256
bf62877934da4c50c179981de5036ac54de60e217b6a79ed92ed7aeffbeaf83b

SHA512
09f17634f9ad2a1ba751be87aab97039633c919097eba03b0c3a72548ec7d1bdfd771207ada5e856b11eb3c8697f6ed12c03b2462cc55ceb7ceafc490264753b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp

Filesize
92KB

MD5
444dfcb62fb09ad8de699a5d55d95b79

SHA1
f1cef14842b4791879318c31aa79d38d01a7290e

SHA256
c0a07d63b5dce56a498bdae1c6729182d736f2592151232d8df3ce7162f865a7

SHA512
8dc97ff55ae760728afd046a2ec0fe7947ffc59ded6830f0f8aa2ec4cadb063843b3eefabef4e29dbf7986a5caffc003373ad4abee6fcc47f12e51223696999e

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\Application\97ouxpto.newcfg

Filesize
12KB

MD5
51417498b55cf9dd3d2b06acca131f8d

SHA1
e29cf97632afc31c3f33e92ec11aba4ab6af279f

SHA256
09c4cf7783aaaf4d783a20d5d424e5d778dfa985cf24d9adab6a8615e5942ea9

SHA512
2190da7f78ed76aed06ffabfdcfdff6f248ba7a1990bb80a4949a101626013c87048d5464487bcd0679c50d5019a26379f4f8691d0100ca08f7dfdd709417836

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png

Filesize
4KB

MD5
5719ee7f6521ae142f0557f0706cded1

SHA1
a1d5694197827967aea5b3ccc88e2f91d465c283

SHA256
0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf

SHA512
cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png

Filesize
4KB

MD5
2768222689e3585d609b5a2afc1ba52c

SHA1
ee522df6b2e365857bf6be58ac7150cbc71cfc9c

SHA256
21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0

SHA512
56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png

Filesize
4KB

MD5
e6ab030a2d47b1306ad071cb3e011c1d

SHA1
ed5f9a6503c39832e8b1339d5b16464c5d5a3f03

SHA256
054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c

SHA512
4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

Filesize
3KB

MD5
935646a2b0379aae4de2270ecb98124e

SHA1
4af3e38202534bbcc7ac3ab5de462cd025301f7a

SHA256
a35991863f12285cf385edcca8762a8a2a98fc69a578192238359f9173760879

SHA512
95919341f7239984a756f9affa4cc5d4f8fb1b4b812db9b7e35a723530f32f81d4e2ef6e4e98b0ee97866127ecb1bc301c32d2a13c5812a9c9887d6a057c139e

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

Filesize
3KB

MD5
59c234b0786624d1d395adc5bbb169a9

SHA1
160b30d3214e1676d9932402ad6f07b06c8bef94

SHA256
e1ded6460a1736c6478451b1137343d2aabf91f16ac537b308cf7e3bbd0fc8d0

SHA512
9847c63d622c1bb08c1fd43a828841c09394c2163b7a398ec95c98261c1fc1ead3e0e3ed772ea3dd0101fd290cf9d408a49235f4dee95cbf1a38814801276b2b

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

Filesize
3KB

MD5
d1122dd4556ef907e1fa2da6123f3b75

SHA1
ebcc5a83a287b07a444f4fc085f845791ebb7381

SHA256
4755392eda466a1bd4394e9a57b506b86a140b4fa929e9bde8b2a3eee8d1b010

SHA512
2ba45a982c1e560c1be16e680de2f6f01dd9111f4294772442f2a76eec96aa8d3add78ecf139524aa36af2db27ce2610450e9138f074ef23317ac45c54aafeb0

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

Filesize
3KB

MD5
5c2f9f2351f859194601f0afaa02413c

SHA1
7448ea0605d01703b4d021f5aec53e0be4a56b74

SHA256
92a0fa11c844dfad68674dc01e5d6bc2142295a2d10c77671a57f4314289a664

SHA512
1140ea9a5177341e1a81d2f0449e028da00cae8c21941fef5b0fad4e3834cf27c4bb3cb20aaa22044e00c4ce68a0b1465faeef49cfc6881fc0bfad48a478b7f2

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\ijazl8r1.newcfg

Filesize
535B

MD5
e63124182b01866613f45b98be84b02f

SHA1
85477c23bd25ca417da6036509d280e6b03efc80

SHA256
2ec7efadfa1c06ca2ce420e2e131084ee1caf7c05aa4ae329b0563ec7a912fe1

SHA512
e476a210845afe4d6200dddadb658197a65967d697118b21ca0ced1bc4676a6552517f604cf53ff8cbe2f5e0577f191248300d794289a906a01593096745423e

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\larpkm0v.newcfg

Filesize
600B

MD5
f374e85371765e34fe886c324e8c98c8

SHA1
b43d6a67f8cf7f146ec0be23b3d070d491e5b7ad

SHA256
77a6a5cab92b9891a1d2f78cd45403354ec8da979516431ab3835762653b71ce

SHA512
a703bd2a61aff4d7a1a25452d878bb689c57fd84ae24df3e3d0c8e1ec036489f4ada37ea3d0990de3a4acbd4199ee118dd17f001a59b95822a0dd5ee1425d695

Download Submit
C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config

Filesize
471B

MD5
f6c794fa77efaae9d846d2c32a29f332

SHA1
a200a170eab06675674878df80aa5dd9e9c1261e

SHA256
c843b20c6ae6ba3ce2aa193ecde0e8ab32dc22aac1c81680cba82ca3e2e226fb

SHA512
79d76bdd81f966558e72b3e3ad4760246474352a59444d7476ed71cd5750f8e7b81ce973d942f9df3366551fe75ae3e8b1f013255f638f6065359a6aab6d0208

Download Submit
C:\Users\Admin\AppData\Local\Temp\3r1bybgz.dll

Filesize
88KB

MD5
60296f8425ca0879a1763b9827a9b203

SHA1
f503f9ed42fad6ff1f7f68c5897b9ab15c11c448

SHA256
ec0865a327716123109cee9f4a762d1fd12fe9c8e40aa28f00a0774526c6617d

SHA512
32fda6d3194eea7296fa016a41e333b167fca49f10a9ef5fb6fccc84b5885e71b96dbaaf8a16914935fdcb1e5544280c6defe1c1a95d224af35d3b9c59d17751

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8104.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8A94.tmp

Filesize
1KB

MD5
1a8f409e9a78c85e4f3d360ebca02dc2

SHA1
0ee02924149e25e2c7a774a2982d6ec4c01c6d81

SHA256
09cd676f88ce1e128ca08326a51ec515a2db1cc3021959f447eaf41bff127c95

SHA512
85ceb6b1ba5dc98cce981b5548ac4b133ddcac29de5d324d1a4c7907d06ed1cfb362da4abf92b69eae48f5b98c5c358f4f58496a3299801421b66f74d2fb1785

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8E0E.tmp

Filesize
1KB

MD5
f9bb4c8818c68978550813fa4e5b7329

SHA1
709c440f7136aa98588482f28f628df841a03773

SHA256
90a9dfd1c19ce9f7351aeb6eb3ba52abb08dfe454ab412e5e5037616f3a6b1ea

SHA512
915228abd883c9cb2e636694332d416b42f8cda6f17fda5f2a0bc0de7662d8af7e091b5ffb9268e2904a7435d5cf9d747fc1051adf376999f8af044a57fa4ab8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8117.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eohimm1g.dll

Filesize
72KB

MD5
add8f6eeeafbb898383fc88148c9f88a

SHA1
7f8f844495879340040a31f98518975af876edde

SHA256
30b75ef89c5d9944e7d072c555f172c492b9b180d48d607535918b8e0134edaf

SHA512
dac9d8d411d4604c32e5fcbc8a5e58e61663d0050e10d8aef44cca975e6e4c6ff63c142115cf325278256a2c9e03fa3b26ed2caef3841b59056dd06357b0df9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsj7476.tmp\Ping.dll

Filesize
64KB

MD5
b0e9ba9dab60cb7a9fd886dcf440cac3

SHA1
c416f6e9ba379feb9008c775d8456514444b66da

SHA256
52d52e5a1e1cec3e2db08555a8b2651f636cf76c6a24e32aa446595365cf193f

SHA512
90de38a7c57f59e8deb17c2473a215e2f052aee909a47ef37a88fefcfaeb5e6b54d462a39bcac4d0f1aa88d1806ba9e1237d0eeba98f7a0479bd6825e841f043

Download Submit
C:\Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll

Filesize
7KB

MD5
4876414d51fe01bd8525df2f8acd35d6

SHA1
f9435c39e3029276e71a971e48f68d3f0298fe11

SHA256
4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d

SHA512
d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi

Filesize
9.1MB

MD5
e5314db579a141f6a5204f70e7073de0

SHA1
3d2e28be7594fd754213e3ea19b4f900f6634c91

SHA256
84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d

SHA512
f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

Filesize
151B

MD5
988ea61855eab89ff1f69e884a6bee04

SHA1
5d4792d34fe3939301eefa968ab5b5e8d415aec1

SHA256
010436597702c768cd6f56b169a523c69a64459e5ef04fefbeaaa1bd087a6fe1

SHA512
eb8df971b4dfacb0772571147e32a191161848464d24ab3be690f7308378004259c03375618ffbb332316b8bf21f637ce7fe694322590d9b56af65695e3d3b9f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk

Filesize
2KB

MD5
5f632053ee6c38ddad11738a586eaff5

SHA1
a783b044f531537977e8cfc67ba4fe946e1a14bc

SHA256
6ede4a9ea9b681e76bd56f735d3d4ee3a169af3b29c80d4a49c713650570732b

SHA512
7b613b26d6b8e2ff55cc254d6d6cf4541dc4862b79cf56c36477e0dcded21a01cc9163ec90e29f887d33690408aea73ab25742e3750834b329a10914a4e4781b

Download Submit
C:\Windows\Installer\MSI84F7.tmp

Filesize
1.5MB

MD5
44c66c7febaf067ac2f96e3bb643a5b3

SHA1
bc83eb57ebb44206b467c4147a7f82d52662e9b5

SHA256
641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383

SHA512
41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b

Download Submit
C:\Windows\Installer\MSI9ABA.tmp-\CustomAction.config

Filesize
806B

MD5
796621b6895449a5f70ca6b78e62f318

SHA1
2423c3e71fe5fa55fd71c00ae4e42063f4476bca

SHA256
09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84

SHA512
081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9

Download Submit
C:\Windows\Installer\MSIA873.tmp-\Interop.NetFwTypeLib.dll

Filesize
32KB

MD5
a084b0c082ec6c9525336b131aeba39a

SHA1
45db1f5cc54a033e5df460b93edaa5d23a39ced9

SHA256
7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d

SHA512
297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b

Download Submit
C:\Windows\Installer\MSIA873.tmp-\Newtonsoft.Json.dll

Filesize
418KB

MD5
0e32f5229d5ee7d288b6b3969a51fcbc

SHA1
54c09f07930525786fcf08b9c7aca24185a68fc1

SHA256
e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8

SHA512
64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb

Download Submit
C:\Windows\Installer\MSIA873.tmp-\srprl.dll

Filesize
56KB

MD5
d8fa7df1f2cd92ad701bc23f86d89b54

SHA1
72160fd5ad639c5a9c44305b06c98eb637399d18

SHA256
475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4

SHA512
a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992

Download Submit
C:\Windows\Installer\MSIA873.tmp-\srsl.dll

Filesize
21KB

MD5
6fc50184e3aad7f4df0231da697a9da8

SHA1
fef8608d31e8e1c16ca7db402fa352ee7231585b

SHA256
58e698c208cd6ad94d2da3511447a975605e2b49bbdb7b572863f318aaffe0cf

SHA512
626b0a4031571ca906311937583f646aebdc7aacd5afb5ddf66c2d45dbc335e026d337d4f5803c38ddd022b9e64c79b4dd30d094d5d01a669e99d6c6829650b4

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Filesize
109KB

MD5
df8e117ce4028bc21de6c5468988d6f8

SHA1
938d7daa1db687560d5af9c58ef2ed33609ff9f3

SHA256
585065e9e0fff2884c9e33dd1325e4bcf07bf202327cb09743df9ae443fc1652

SHA512
d682725ec420a42ecb791feac1d41be8206fe6e9f5f2cf6ea8048653eaaf1b52e9d7dc7d00ad3a7703ee974e4d42bc80386dca88923d0b37a185d84aa50a7aab

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch

Filesize
416B

MD5
5866f672b991742bdbaeb171602456d7

SHA1
dd2fd509375891d2fa4a88bf85731811c621c5b8

SHA256
e9d925165832440d93639cbcaeff0c3c516b5b6115218a2993b6c981f2433269

SHA512
563fdc93ae1026802f5ecca77a7f642a30ec6b942940a31a965d16445014ec91d1e17f81a5fd15d98695c5e277140a3e99c1df2694033823dbdecb7d243c6b06

Download Submit
C:\Windows\assembly\GAC\Microsoft.VisualStudio.OLE.Interop\7.1.40304.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.OLE.Interop.dll

Filesize
116KB

MD5
459ff9c6762b7fdd91c156ff3e096478

SHA1
7179debce9a271450b1241e7435a999aea1ddd05

SHA256
93865c89e1507409fbbeb9433542a303cdd2fd5acda3d51fecd83e4a8fb8072c

SHA512
8b95330d364413122427604af1c0e848694975eb8c541b911aeb0d50fbb5cd15a60863f68593f1088b26f83500f400f52292a2891511223f796be750c6a7583a

Download Submit
C:\Windows\assembly\tmp\LTEZKJBI\Interop.SHDocVw.dll

Filesize
143KB

MD5
030a99f9594434ea83d27b33a95c4d5a

SHA1
230882058a1d50e4e8f7fa4bb3144dec506c5967

SHA256
0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3

SHA512
529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee

Download Submit
C:\Windows\assembly\tmp\W3KT41NF\System.Data.SQLite.dll

Filesize
889KB

MD5
c2e38bfe933c5bce36910fe1fb1d5067

SHA1
aac5ed2724e2f88c7af1a3bf56d73180ae709bb7

SHA256
49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286

SHA512
281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3r1bybgz.0.cs

Filesize
187KB

MD5
14ac60821b7e9508914fdf584ef23f46

SHA1
9bc6cb0f7ea31050962fe56398213a48c5097ffa

SHA256
ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c

SHA512
b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3r1bybgz.cmdline

Filesize
614B

MD5
992b80bb49d4f5b80c4ef8909436b2e9

SHA1
a7f26f7615d3bc1d5342fb3f81d9be569259ce6e

SHA256
5d52d9b0269c470a856060de3d02ee93255e28a0eb724628debe59c62c5f4764

SHA512
da49e675403a8a9140a2484d7248b8c3a06341eff8ecea58e845b2dfdee2cf06f7e806c26b268a8aa2ce440da65cb752d2ab7a135c601d85effbcf854012c615

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8A93.tmp

Filesize
652B

MD5
dc84a49019ed4681bb6c4f95b85733a7

SHA1
e05470e80b641d7c5a580fa6597fa8ffa541b3be

SHA256
4b3af2f33ea58a5e97eca643a40327828a3dadec3bdacb6b51791f49c158c64f

SHA512
4dca941f1e158f22bce44b48f6c0169241a9b949316803fcb239dc8f8f03de9ac6fda26fd5cd87a22f0a62e22a4edc269ab2c11fb65267530e304ead8de4764b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8E0D.tmp

Filesize
652B

MD5
dbbf10b9dedd0f535f39c2fda5001654

SHA1
484af7953ebdd869c4910d37cd350a8cacbe56a4

SHA256
8ffc35c91359a74ae3cd123c6e99062a8f61be443cc71a2c05c23036a888bd37

SHA512
e44914f4e40517cbb245c236753e7a8eb1a5d7347da4e7834c465db8ab906eb1468c67878658aee7542bf8e83a0488119e6abfb3f4e57c0183c1368d9d20bf69

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eohimm1g.0.cs

Filesize
150KB

MD5
6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c

SHA1
1dbab29ad6fb169fad90e963dd0c5290f27272fc

SHA256
e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a

SHA512
193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\eohimm1g.cmdline

Filesize
396B

MD5
b77bd029efc00d3474a6fc9098aa91a2

SHA1
4bd90f4d0b3c120ada374fb71daa21d663c80dc6

SHA256
f5bb5f42bccda40f8e4d84244efb7e50f891e656e08051ecb3bd1adecbc3697f

SHA512
493195a6bb33630e80c8cfab2ddaa723cd50bf83771156f241e39d840dbc004359f05eac923b797360ba5a03e6e369ab69a168ea59fe309645de3c1ef8dfc8a7

Download Submit
\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
10.2MB

MD5
564e47a3604ced3b7c18e43250226cd7

SHA1
a3eef8fac3617d048fb9fce2201937297e3920f1

SHA256
12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83

SHA512
e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf

Download Submit
\Users\Admin\AppData\Local\Temp\nsj7476.tmp\Registry.dll

Filesize
24KB

MD5
2b7007ed0262ca02ef69d8990815cbeb

SHA1
2eabe4f755213666dbbbde024a5235ddde02b47f

SHA256
0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

SHA512
aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

Download Submit
\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll

Filesize
383KB

MD5
3cf46bae7e872a661721b0894bc076e2

SHA1
eaaa0a35e284908dd21cf245a38efe9d2e4c7532

SHA256
7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043

SHA512
47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2

Download Submit
\Windows\Installer\MSI84F7.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
172KB

MD5
34d4a23cab5f23c300e965aa56ad3843

SHA1
68c62a2834f9d8c59ff395ec4ef405678d564ade

SHA256
27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c

SHA512
7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c

Download Submit
\Windows\Installer\MSI84F7.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll

Filesize
77KB

MD5
7868ed46c34a1b36bea10560f453598f

SHA1
72330dac6f8aed0b8fde9d7f58f04192a0303d6b

SHA256
5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176

SHA512
0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba

Download Submit
\Windows\Installer\MSI84F7.tmp-\Smartbar.Infrastructure.Utilities.dll

Filesize
140KB

MD5
562ac9921d990126990c2f0bdce7081a

SHA1
f395458d8e328cf4809385fef3e225d01f8a8fc0

SHA256
ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738

SHA512
f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208

Download Submit
\Windows\Installer\MSI84F7.tmp-\Smartbar.Installer.CustomActions.dll

Filesize
162KB

MD5
2120dbb0481374885af660346f503b9b

SHA1
0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3

SHA256
ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474

SHA512
46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a

Download Submit
\Windows\Installer\MSI84F7.tmp-\Smartbar.Personalization.Common.dll

Filesize
10KB

MD5
347b0b5d32b1a85b5450b08cfb6d2e75

SHA1
7bfe1857974a6c6c3e882624d820311c1e3bf670

SHA256
76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac

SHA512
d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92

Download Submit
\Windows\Installer\MSI84F7.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll

Filesize
88KB

MD5
adb53ee43f74f430368449b98b2f6f86

SHA1
fb882d80da9ccf79c6817a492fbd686d4759bb41

SHA256
b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff

SHA512
8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a

Download Submit
\Windows\Installer\MSI84F7.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll

Filesize
102KB

MD5
5dc8a7062040e05ad36bd83246954b05

SHA1
f6807be0413724076c8c384576ad9a5bc1413e8c

SHA256
d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc

SHA512
43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12

Download Submit
\Windows\Installer\MSI84F7.tmp-\sppsm.dll

Filesize
40KB

MD5
787104ad9dea702d115883c489be54cb

SHA1
b24680d170c610203df5e3d1d52b2b04f938dd56

SHA256
934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3

SHA512
861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312

Download Submit
\Windows\Installer\MSI84F7.tmp-\spusm.dll

Filesize
10KB

MD5
e28c8d2fd64ba27d9b992fc325f26a9d

SHA1
d9ed413265967b6ede8787aa8c5e5734a4ea1358

SHA256
82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab

SHA512
e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739

Download Submit
\Windows\Installer\MSI84F7.tmp-\srbhu.dll

Filesize
7KB

MD5
fcbe6dec3d2da2ac9fd2754cc9cf6ad9

SHA1
7954bdf16f99bf843c5c8053a078813d87c94254

SHA256
71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e

SHA512
5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39

Download Submit
\Windows\Installer\MSI84F7.tmp-\srbs.dll

Filesize
174KB

MD5
7ec601a05f97c73fc2180e8c57efc9af

SHA1
7c99dcdcec211459b1d9d429e2ada2839876f492

SHA256
982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8

SHA512
119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b

Download Submit
\Windows\Installer\MSI84F7.tmp-\srut.dll

Filesize
22KB

MD5
feba43763a9b7fe1c94d681055d10167

SHA1
49d30dedf868accf07e6895e1699a4d751235fd0

SHA256
0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d

SHA512
680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef

Download Submit
memory/920-2606-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/920-27-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/920-28-0x0000000074951000-0x0000000074952000-memory.dmp

Filesize
4KB

Download
memory/920-32-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/920-567-0x0000000074950000-0x0000000074EFB000-memory.dmp

Filesize
5.7MB

Download
memory/920-260-0x00000000028A0000-0x00000000028E0000-memory.dmp

Filesize
256KB

Download
memory/1992-1620-0x000000001D290000-0x000000001DA36000-memory.dmp

Filesize
7.6MB

Download
memory/1992-1619-0x000000001C330000-0x000000001CAD6000-memory.dmp

Filesize
7.6MB

Download
memory/2164-1592-0x00000000008F0000-0x0000000000916000-memory.dmp

Filesize
152KB

Download
memory/2164-1591-0x00000000008F0000-0x0000000000916000-memory.dmp

Filesize
152KB

Download
memory/2728-1648-0x0000000001090000-0x00000000010B6000-memory.dmp

Filesize
152KB

Download
memory/2728-1647-0x0000000000980000-0x00000000009A6000-memory.dmp

Filesize
152KB

Download
memory/2952-1537-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/2952-1538-0x0000000000890000-0x00000000008A8000-memory.dmp

Filesize
96KB

Download
memory/3052-1158-0x0000000000700000-0x0000000000726000-memory.dmp

Filesize
152KB

Download
memory/3052-1185-0x0000000000730000-0x0000000000750000-memory.dmp

Filesize
128KB

Download
memory/3052-1282-0x0000000003390000-0x0000000003473000-memory.dmp

Filesize
908KB

Download