Technical Information
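- [<HKCU>\Software\Classes\mscfile\shell\open\command] '' = '%ALLUSERSPROFILE%\Sandboxie.exe' (replaces the per-user open handler for .msc files with the dropped executable; eventvwr.exe, launched in the process list below, resolves this handler, so a write to this key is a useful detection point)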
- [<HKLM>\System\CurrentControlSet\Services\KarSpy] 'Start' = '00000002' (start type 2: the service is started automatically at boot)
- [<HKLM>\System\CurrentControlSet\Services\KarSpy] 'ImagePath' = '%CommonProgramFiles(x86)%\Sandboxie\Sandboxie.exe'
- 'KarSpy' %CommonProgramFiles(x86)%\Sandboxie\Sandboxie.exe
- %WINDIR%\syswow64\svchost.exe
- %ALLUSERSPROFILE%\sandboxie.exe
- %ALLUSERSPROFILE%\sbiedll.dll
- %CommonProgramFiles(x86)%\sandboxie\sandboxie.exe
- %CommonProgramFiles(x86)%\sandboxie\sbiedll.dll
- %ALLUSERSPROFILE%\sandboxie.exe
- %ALLUSERSPROFILE%\sbiedll.dll
- from <Full path to file> to %APPDATA%\1058248.tmp
- '<LOCALNET>.1.33':8856
- '%ALLUSERSPROFILE%\sandboxie.exe'
- '%CommonProgramFiles(x86)%\sandboxie\sandboxie.exe'
- '%ALLUSERSPROFILE%\sandboxie.exe' (with hidden window)
- '%WINDIR%\syswow64\cmd.exe' /c cmd.exe /c eventvwr.exe
- '%WINDIR%\syswow64\cmd.exe' /c eventvwr.exe
- '%WINDIR%\syswow64\eventvwr.exe'
- '%WINDIR%\syswow64\svchost.exe'