zgrat | 5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
27/11/2023, 11:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e.exe
Size

11.8MB
MD5

298a833a10f5075cc5697620db59005c
SHA1

a3f9093f9fd13067ece460f0879ea4fbb88ff00e
SHA256

5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e
SHA512

a5a8ef545810e446aaf11de15ea8c2dbf5059cbb95f17b5890486236e27f7b7c329b151cdb9ecff487499a948099e1210dd4a503627553a85350e6da71ced33c
SSDEEP

196608:O2pcHvIdaPolQtForVax1lPmjNJRCLy+iNTZ34oaGGR6SvlgvCid4jzLf:O2OH6aAWDozd0AeNJDm14X7

Score

10^/10

zgrat discovery persistence rat

Malware Config

Signatures

Detect ZGRat V1 4 IoCs

resource	yara_rule
behavioral2/files/0x0006000000022e1f-86.dat	family_zgrat_v1
behavioral2/files/0x0006000000022e1f-98.dat	family_zgrat_v1
behavioral2/files/0x0006000000022e1f-100.dat	family_zgrat_v1
behavioral2/memory/1860-107-0x00000192365B0000-0x0000019237380000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

.NET Reactor proctector 4 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

resource	yara_rule
behavioral2/files/0x0006000000022e1f-86.dat	net_reactor
behavioral2/files/0x0006000000022e1f-98.dat	net_reactor
behavioral2/files/0x0006000000022e1f-100.dat	net_reactor
behavioral2/memory/1860-107-0x00000192365B0000-0x0000019237380000-memory.dmp	net_reactor

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000\Control Panel\International\Geo\Nation	5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e.exe

Executes dropped EXE 5 IoCs

pid	Process
3612	SmartyUninstaller4.exe
5068	SmartyUninstaller4.tmp
1940	_setup64.tmp
1860	SmartyUninstaller.exe
2564	Replace.exe

Modifies system executable filetype association 2 TTPs 1 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1546.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\smarty4	SmartyUninstaller4.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File created	C:\Program Files\Smarty Uninstaller 4\tr\is-E8388.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\hu\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\is-QL64H.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\is-2Q49G.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\cs\is-O7U56.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\ja\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\uk\is-RCKQD.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\is-05VIL.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\Visit web site.url	SmartyUninstaller4.tmp
File created	C:\Program Files (x86)\Smarty Uninstaller 4\__tmp_rar_sfx_access_check_240624937	Replace.exe
File opened for modification	C:\Program Files\Smarty Uninstaller 4\en\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\it\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\pl\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\sl\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\unins000.msg	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files (x86)\Smarty Uninstaller 4\SmartyUninstaller.exe	Replace.exe
File created	C:\Program Files\Smarty Uninstaller 4\is-SVEDA.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\images\is-MOGLB.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files (x86)\Smarty Uninstaller 4\SmartyApp.dll	Replace.exe
File opened for modification	C:\Program Files\Smarty Uninstaller 4\bg\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\de\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\fr\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\zh-CN\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\nl\is-HTSNT.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\zh-CN\is-ODB2F.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\images\is-RRT6B.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\tr\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\fr\is-MJG34.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\sv-SE\is-74RGL.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\unins000.dat	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files (x86)\Smarty Uninstaller 4	Replace.exe
File created	C:\Program Files (x86)\Smarty Uninstaller 4\SmartyUninstaller.exe	Replace.exe
File created	C:\Program Files\Smarty Uninstaller 4\it\is-4EB6J.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\ja\is-S1ORJ.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\nl\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\bg\is-6QE48.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\en\is-S2VS2.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\hu\is-31RAR.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\es-ES\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\unins000.dat	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\is-MJ37Q.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\de\is-GAGI4.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\es-ES\is-88KS1.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\pl\is-5CM5L.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\sv-SE\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\uk\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\is-HNQD0.tmp	SmartyUninstaller4.tmp
File opened for modification	C:\Program Files\Smarty Uninstaller 4\cs\SmartyUninstaller.resources.dll	SmartyUninstaller4.tmp
File created	C:\Program Files\Smarty Uninstaller 4\sl\is-F9RBP.tmp	SmartyUninstaller4.tmp
File created	C:\Program Files (x86)\Smarty Uninstaller 4\SmartyApp.dll	Replace.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1452	taskkill.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shell\smarty4	SmartyUninstaller4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SmartyLicenseFile	SmartyUninstaller4.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.smlicense	SmartyUninstaller4.tmp

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5068	SmartyUninstaller4.tmp
5068	SmartyUninstaller4.tmp
1036	msedge.exe
1036	msedge.exe
2092	msedge.exe
2092	msedge.exe
5548	identity_helper.exe
5548	identity_helper.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe
5868	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1860	SmartyUninstaller.exe
Token: SeDebugPrivilege	1452	taskkill.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5068	SmartyUninstaller4.tmp
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe
2092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 3612	1972	5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e.exe	86
PID 1972 wrote to memory of 3612	1972	5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e.exe	86
PID 1972 wrote to memory of 3612	1972	5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e.exe	86
PID 3612 wrote to memory of 5068	3612	SmartyUninstaller4.exe	88
PID 3612 wrote to memory of 5068	3612	SmartyUninstaller4.exe	88
PID 3612 wrote to memory of 5068	3612	SmartyUninstaller4.exe	88
PID 5068 wrote to memory of 1940	5068	SmartyUninstaller4.tmp	91
PID 5068 wrote to memory of 1940	5068	SmartyUninstaller4.tmp	91
PID 5068 wrote to memory of 2092	5068	SmartyUninstaller4.tmp	96
PID 5068 wrote to memory of 2092	5068	SmartyUninstaller4.tmp	96
PID 2092 wrote to memory of 2252	2092	msedge.exe	98
PID 2092 wrote to memory of 2252	2092	msedge.exe	98
PID 5068 wrote to memory of 1860	5068	SmartyUninstaller4.tmp	97
PID 5068 wrote to memory of 1860	5068	SmartyUninstaller4.tmp	97
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 3808	2092	msedge.exe	102
PID 2092 wrote to memory of 1036	2092	msedge.exe	100
PID 2092 wrote to memory of 1036	2092	msedge.exe	100
PID 2092 wrote to memory of 4180	2092	msedge.exe	101
PID 2092 wrote to memory of 4180	2092	msedge.exe	101
PID 2092 wrote to memory of 4180	2092	msedge.exe	101
PID 2092 wrote to memory of 4180	2092	msedge.exe	101
PID 2092 wrote to memory of 4180	2092	msedge.exe	101
PID 2092 wrote to memory of 4180	2092	msedge.exe	101
PID 2092 wrote to memory of 4180	2092	msedge.exe	101
PID 2092 wrote to memory of 4180	2092	msedge.exe	101

C:\Users\Admin\AppData\Local\Temp\5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e.exe
"C:\Users\Admin\AppData\Local\Temp\5c3e6619a1e83f6636ce670fbe4a431fb9bcb1aaa7daccbee877db7de00e3e9e.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\SmartyUninstaller4.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\SmartyUninstaller4.exe" /silent
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Users\Admin\AppData\Local\Temp\is-FMHFT.tmp\SmartyUninstaller4.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-FMHFT.tmp\SmartyUninstaller4.tmp" /SL5="$210234,6474712,944640,C:\Users\Admin\AppData\Local\Temp\RarSFX0\SmartyUninstaller4.exe" /silent
    3⤵
    - Executes dropped EXE
    - Modifies system executable filetype association
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Users\Admin\AppData\Local\Temp\is-4BHAF.tmp\_isetup\_setup64.tmp
      helper 105 0x454
      4⤵
      Executes dropped EXE
      PID:1940
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.smartuninstall.com/thankyou.html
      4⤵
      Enumerates system info in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2092
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd036d46f8,0x7ffd036d4708,0x7ffd036d4718
        5⤵
        
        PID:2252
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1036
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
        5⤵
        
        PID:4180
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
        5⤵
        
        PID:3808
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
        5⤵
        
        PID:1944
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
        5⤵
        
        PID:916
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
        5⤵
        
        PID:2280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
        5⤵
        
        PID:2188
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
        5⤵
        
        PID:3084
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
        5⤵
        
        PID:4100
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
        5⤵
        
        PID:3396
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
        5⤵
        
        PID:1968
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6688 /prefetch:1
        5⤵
        
        PID:5204
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
        5⤵
        
        PID:5280
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
        5⤵
        
        PID:5524
    - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5544 /prefetch:8
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5548
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
        5⤵
        
        PID:5632
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6352 /prefetch:1
        5⤵
        
        PID:5624
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
        5⤵
        
        PID:5920
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
        5⤵
        
        PID:5928
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,11650233887672949249,13182951206105184559,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2440 /prefetch:2
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5868
  - - C:\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe
      "C:\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1860
- C:\Windows\SysWOW64\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im "SmartyUninstaller.exe"
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1452
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.cybermania.ws/
  2⤵
  PID:2648

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3012

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd036d46f8,0x7ffd036d4708,0x7ffd036d4718
1⤵
PID:1040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Privilege Escalation

Event Triggered Execution

T1546

Change Default File Association

T1546.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe

Filesize
13.8MB

MD5
929208acfa69d6e2129cec53e4cb83b5

SHA1
6c4f5ca7386ead51ccf49af97f85a621ee0ee398

SHA256
ab690d36770399bad822e63a4e91f2a3fd292b9e812159b80788cc6bfd7ef841

SHA512
16c59768b5d3672428d5122fdbe8eaf959008796574a46bbfcbf4ac8cc5ecde0e503fac39c99e234c9fbda8b7128671e9e8fef2e78814f8069f0aefbacd11931

Download Submit
C:\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe

Filesize
13.8MB

MD5
929208acfa69d6e2129cec53e4cb83b5

SHA1
6c4f5ca7386ead51ccf49af97f85a621ee0ee398

SHA256
ab690d36770399bad822e63a4e91f2a3fd292b9e812159b80788cc6bfd7ef841

SHA512
16c59768b5d3672428d5122fdbe8eaf959008796574a46bbfcbf4ac8cc5ecde0e503fac39c99e234c9fbda8b7128671e9e8fef2e78814f8069f0aefbacd11931

Download Submit
C:\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe

Filesize
13.8MB

MD5
929208acfa69d6e2129cec53e4cb83b5

SHA1
6c4f5ca7386ead51ccf49af97f85a621ee0ee398

SHA256
ab690d36770399bad822e63a4e91f2a3fd292b9e812159b80788cc6bfd7ef841

SHA512
16c59768b5d3672428d5122fdbe8eaf959008796574a46bbfcbf4ac8cc5ecde0e503fac39c99e234c9fbda8b7128671e9e8fef2e78814f8069f0aefbacd11931

Download Submit
C:\Program Files\Smarty Uninstaller 4\SmartyUninstaller.exe.config

Filesize
800B

MD5
acbaf9ab41e559288b62411a3073a7e4

SHA1
fcc52f1dc3abae44c6c46663ccf6d8e78ffdbc5c

SHA256
866ac50fe229852a698f3ab989d87ed7658b249b774851949a181d306f5ae093

SHA512
1955b17c2678d4577deb34f1d7ede38e0eae6b9bf648105116520d427eac7c9d4361afd1ec13dec9f557bae34d1852fc624d70b4c42f13cb089f0af70eccf8f5

Download Submit
C:\Program Files\Smarty Uninstaller 4\unins000.exe

Filesize
3.0MB

MD5
0d957bf0c8ce6158a6c5c7ed6f790af2

SHA1
b199bf34dd355dc0e3c34a00d5ef4fddb05e5843

SHA256
5c104238a4fdf365118f685d44b70ce5a3fc7505b9890eef90efaecfbf97818a

SHA512
73d23179b14d983cff8a037e86caf9012d3b0d8af715d489294f21528248d874f3060c4baa0460d1bd2267f85caa1955e3c40366cd8d48cbef36dd61b460318d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\5b108ae3-1fc3-48ca-88c6-5f624fee31c2.tmp

Filesize
7KB

MD5
765b07c2fbb8aba215e58d584be463b1

SHA1
97a85d5f5012d75a95d5709a58839f7528188604

SHA256
e6082bfe741ff0ed07a9c77f9682957f58a48ff72f81a8a093123800573db0c4

SHA512
ce85428015ade646c35a89b5debe3f24b678a98276275c134e421435be2764a50665162b72f3fea338d455cbdd8d64c750522481864d677a10c6ea1057340b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00001a

Filesize
20KB

MD5
8f827504fed8381a83e3e728542218b9

SHA1
ae7e3bbd17c67eb2ed0f9747f73db0b302d143d6

SHA256
aa7be0a1bb1efb2347a9caa166cc7fedba6032b8b6c74006112f20c8fab191b3

SHA512
0333cd0df9c863bac9acf68f662468c04c2a5a258c64e8c305b48016115bb455a5626accb0bd125e3a3236ded51632c60554e7f7ec41b89581432a6ce7cd633c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
190699e4ca3ea3a3a59877977f1dcb5e

SHA1
eed9e8dd2dbc2235eed7d8e19623d0a317c7a122

SHA256
bc01ffaaeffd7c0f84d71ed8cb3c2dac14f3abaf7f9b8b7dbb0e1dce762a6322

SHA512
1bc35abeead4057605f064f973225fd9514b8dc7933bb48aac43240ab50ad608139562391db5c38d121de1effbeb51c00f0803602accc4f5a093b40f784d7870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
bb57a1eb47e13580d160e4f318bc0d98

SHA1
67ed0b17ba6dbd2b31f68cdc45e42d931897e307

SHA256
e2898d09b417dadc26bfdd4dfeb60bc11ac5751e8819a1cac89381c063e46582

SHA512
cf32c1ecd9470193d57ce3475b7eb3f88c0a939eade13274c310063f9d42c475fae90af951f888597ffb1109760b58a7af17bd84f70da055d20f5771e95bd8f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1469a6ac6f295581e4c6944cc669a4de

SHA1
e77aac28c1e5e6f42aea1bf8430a455fe5db9ead

SHA256
6f3e0f6b77d9368aca3fd1d4ebba7a17b2620d874725e1c8903e3352b145fb54

SHA512
6499050198443c52b6096b4db7bbadc3bc9ba3a339493db91da9242c1aba67deb8aa50f5e82fadf23f35b98fcfb860217b63aa8edfc2e1b28964ee6e074a08b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
918ecd7940dcab6b9f4b8bdd4d3772b2

SHA1
7c0c6962a6cd37d91c2ebf3ad542b3876dc466e4

SHA256
3123072fba0ea8e8f960dd213659a0c96ce2b58683593b8ea84efac772b25175

SHA512
c96044501a0a6a65140bc7710a81d29dac35fc6a6fd18fbb4fa5d584e9dc79a059e51cbe063ca496d72558e459ffa6c2913f3893f0a3c0f8002bbca1d1b98ea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
adafdff72a15d8c8fde291fd28d78583

SHA1
244f5802ed5e7c74890463468fb904e8f0d65eea

SHA256
67f4784dbc61de781a9ebc85bfaf1607ec02a7ad21accf30ad1384d2107f6698

SHA512
1413aa8fb78fe8bad34925bff5e1312885735b726147d9d3f5218149001caae8d2c31972515de573503ce126af88d3e22770b736e6cbb262cc10c7a081c0e1ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\CyberMania.url

Filesize
4KB

MD5
f89e823b83f9edc863ae9e35ea0a5949

SHA1
12db7e3d70e47bd97df335c74cd7323dc48a778d

SHA256
7fba1e8849a88298272be247c2b22ef4a50ac1bc4c83a4c02848bc131e622088

SHA512
d3e297af4eeeb3b8201381fddc426c33ab543db80c0da2ef7ee000ad773cf6895d7221ec17b95806377ea74488f8db7354e23d13c43d87599f6b02631e379d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe

Filesize
5.1MB

MD5
9a108ddb018b15e9aca8cbc00383ed1c

SHA1
72369d7e5802a53e574397d83756dcec2e1bdfac

SHA256
109faefb7ba0efb8b50004fbd8b2be50a98ee6bbc36b89ef9797fb9177879ba6

SHA512
8786d5211fad490bae4114b5d96d9d784bdd7e91a6a69bb1b31e84473f1435f793ffc514b4acbcc38abb4b2b997b977194e3821e92b87af47fbd8a9ab57e6c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe

Filesize
5.1MB

MD5
9a108ddb018b15e9aca8cbc00383ed1c

SHA1
72369d7e5802a53e574397d83756dcec2e1bdfac

SHA256
109faefb7ba0efb8b50004fbd8b2be50a98ee6bbc36b89ef9797fb9177879ba6

SHA512
8786d5211fad490bae4114b5d96d9d784bdd7e91a6a69bb1b31e84473f1435f793ffc514b4acbcc38abb4b2b997b977194e3821e92b87af47fbd8a9ab57e6c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Replace.exe

Filesize
5.1MB

MD5
9a108ddb018b15e9aca8cbc00383ed1c

SHA1
72369d7e5802a53e574397d83756dcec2e1bdfac

SHA256
109faefb7ba0efb8b50004fbd8b2be50a98ee6bbc36b89ef9797fb9177879ba6

SHA512
8786d5211fad490bae4114b5d96d9d784bdd7e91a6a69bb1b31e84473f1435f793ffc514b4acbcc38abb4b2b997b977194e3821e92b87af47fbd8a9ab57e6c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SmartyUninstaller4.exe

Filesize
7.1MB

MD5
43db1724c8cc4ac74145e937cc219eff

SHA1
decf6924f74f67772bdfbe8f8beea3fc7e793e8e

SHA256
74b9483ca3113609db9f84ac2e86c0c9da58247238c4ed5816554ae12f0e7d99

SHA512
5b256a71b009318ee561ad476999dd0170f1c53bc00ab15f244eab00d81ca7e945b6a0a6c6639e2c7592f6a2b0ce2ce1a8dcb13498c465593f2f3fa3e52ac79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SmartyUninstaller4.exe

Filesize
7.1MB

MD5
43db1724c8cc4ac74145e937cc219eff

SHA1
decf6924f74f67772bdfbe8f8beea3fc7e793e8e

SHA256
74b9483ca3113609db9f84ac2e86c0c9da58247238c4ed5816554ae12f0e7d99

SHA512
5b256a71b009318ee561ad476999dd0170f1c53bc00ab15f244eab00d81ca7e945b6a0a6c6639e2c7592f6a2b0ce2ce1a8dcb13498c465593f2f3fa3e52ac79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\SmartyUninstaller4.exe

Filesize
7.1MB

MD5
43db1724c8cc4ac74145e937cc219eff

SHA1
decf6924f74f67772bdfbe8f8beea3fc7e793e8e

SHA256
74b9483ca3113609db9f84ac2e86c0c9da58247238c4ed5816554ae12f0e7d99

SHA512
5b256a71b009318ee561ad476999dd0170f1c53bc00ab15f244eab00d81ca7e945b6a0a6c6639e2c7592f6a2b0ce2ce1a8dcb13498c465593f2f3fa3e52ac79a

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-4BHAF.tmp\_isetup\_setup64.tmp

Filesize
6KB

MD5
e4211d6d009757c078a9fac7ff4f03d4

SHA1
019cd56ba687d39d12d4b13991c9a42ea6ba03da

SHA256
388a796580234efc95f3b1c70ad4cb44bfddc7ba0f9203bf4902b9929b136f95

SHA512
17257f15d843e88bb78adcfb48184b8ce22109cc2c99e709432728a392afae7b808ed32289ba397207172de990a354f15c2459b6797317da8ea18b040c85787e

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FMHFT.tmp\SmartyUninstaller4.tmp

Filesize
3.0MB

MD5
0d957bf0c8ce6158a6c5c7ed6f790af2

SHA1
b199bf34dd355dc0e3c34a00d5ef4fddb05e5843

SHA256
5c104238a4fdf365118f685d44b70ce5a3fc7505b9890eef90efaecfbf97818a

SHA512
73d23179b14d983cff8a037e86caf9012d3b0d8af715d489294f21528248d874f3060c4baa0460d1bd2267f85caa1955e3c40366cd8d48cbef36dd61b460318d

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-FMHFT.tmp\SmartyUninstaller4.tmp

Filesize
3.0MB

MD5
0d957bf0c8ce6158a6c5c7ed6f790af2

SHA1
b199bf34dd355dc0e3c34a00d5ef4fddb05e5843

SHA256
5c104238a4fdf365118f685d44b70ce5a3fc7505b9890eef90efaecfbf97818a

SHA512
73d23179b14d983cff8a037e86caf9012d3b0d8af715d489294f21528248d874f3060c4baa0460d1bd2267f85caa1955e3c40366cd8d48cbef36dd61b460318d

Download Submit
C:\Users\Admin\Desktop\Smarty Uninstaller 4.lnk

Filesize
989B

MD5
dfa586a7259bef900586fcf3a442d9af

SHA1
7ddf34b6cb8a9d5ff0f45eb59aedc82d62a8de74

SHA256
6961e5f128a8390b2cad8e18dfc64d39144cc212a8ce6253faf09980cd53920e

SHA512
f4b4f0ac12d94c1975106ab50d3626792f0906cea4f7400bb6f2c34c08c59525781caf79317b2ea3cd4a82f8d6caa260efe6e6deae20fd1bfa4b75273d516ca0

Download Submit
memory/1860-126-0x0000019238FA0000-0x0000019238FAA000-memory.dmp

Filesize
40KB

Download
memory/1860-153-0x0000019252E00000-0x0000019253378000-memory.dmp

Filesize
5.5MB

Download
memory/1860-152-0x0000019238EE0000-0x0000019238EF0000-memory.dmp

Filesize
64KB

Download
memory/1860-117-0x0000019238F80000-0x0000019238F88000-memory.dmp

Filesize
32KB

Download
memory/1860-108-0x0000019238EE0000-0x0000019238EF0000-memory.dmp

Filesize
64KB

Download
memory/1860-107-0x00000192365B0000-0x0000019237380000-memory.dmp

Filesize
13.8MB

Download
memory/1860-114-0x00000192518C0000-0x0000019251952000-memory.dmp

Filesize
584KB

Download
memory/1860-159-0x00007FFD029B0000-0x00007FFD03471000-memory.dmp

Filesize
10.8MB

Download
memory/1860-101-0x00007FFD029B0000-0x00007FFD03471000-memory.dmp

Filesize
10.8MB

Download
memory/1860-121-0x0000019238FD0000-0x0000019238FD8000-memory.dmp

Filesize
32KB

Download
memory/1860-127-0x0000019238FC0000-0x0000019238FCA000-memory.dmp

Filesize
40KB

Download
memory/3612-128-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/3612-16-0x0000000000400000-0x00000000004F4000-memory.dmp

Filesize
976KB

Download
memory/5068-125-0x0000000000400000-0x0000000000716000-memory.dmp

Filesize
3.1MB

Download
memory/5068-22-0x00000000008F0000-0x00000000008F1000-memory.dmp

Filesize
4KB

Download