Overview

overview

10

Static

static

10

138b5cc8e7...18.exe

windows7-x64

8

138b5cc8e7...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    148s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
  • submitted
    04-10-2024 13:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    138b5cc8e7dcd60fbdb99898982ed606_JaffaCakes118.exe

  • Size

    9.2MB

  • MD5

    138b5cc8e7dcd60fbdb99898982ed606

  • SHA1

    8157e5c44df485d4ab29e637e0a4783c1d07c154

  • SHA256

    237de1196f556a7b8f6d0c908025e1be7b5561cd9f7533f29d57076aec9176c2

  • SHA512

    97999514d2e1b259c729dc2aed6cf8d0e962ffae2b92d1cd028e34a104e50cf1e8faf22d73939ec4974129dbe5bea5326169028a69979b839b76eab52c4ab411

  • SSDEEP

    196608:Wegi7jbmj9kCADU91h+RXhKpBRGvMZU7nK2r2eTcuYH6TL:A+bG9ZADU91h+byRAMPOSPi

Score
8/10
adwarediscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\138b5cc8e7dcd60fbdb99898982ed606_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\138b5cc8e7dcd60fbdb99898982ed606_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msiexec.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1972
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2472
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AD8EF831CED7715363DC4D4EB1D0FCDB
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2944
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI9FC7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259432423 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ts-l_qr_.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2180
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA362.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA361.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2992
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIB08B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259436682 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2412
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIB7AF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259438507 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1776
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies registry class
          • Modifies system certificate store
          PID:2212
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:1632
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2852
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          PID:3008
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1612
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • Modifies registry class
          PID:536
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1164
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
          • Modifies registry class
          PID:1536
        • C:\Users\Admin\AppData\Local\Smartbar\Application\SnapDo.exe
          "C:\Users\Admin\AppData\Local\Smartbar\Application\SnapDo.exe"
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          PID:2020
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zwrdkqmt.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2492
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD76C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD76B.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1628
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t4gepgxm.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1928
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD7D9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD7C9.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:628
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\po_suhdf.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1640
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD827.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD826.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2996
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t9vikl1b.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2540
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD875.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD874.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:776
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bvmt59aj.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:592
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA0B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDA0A.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2792
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ue0si9yz.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2444
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA88.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDA87.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1704
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eiaryf9o.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:328
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDAD6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDAD5.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:536
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zf1ytujk.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1452
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB62.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDB61.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1828
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kegphowj.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1684
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDBDF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDBDE.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1984
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\llqib0ff.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1520
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEBA7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEB97.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2772
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-brbs7uo.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2648
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF21.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEF20.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1460
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ft1oqqm5.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:776
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF171.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF170.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2592
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\svsylo4e.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2184
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD7D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCD6D.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Browser Extensions

1
T1176

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Modify Registry

4
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

1
T1120

Query Registry

2
T1012

System Information Discovery

3
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\f769a9e.rbs
    Filesize

    111KB

    MD5

    5783226dd59acb55b08255e4b3e855a0

    SHA1

    7b0d06193a0496b10b310a9392bede4c5ee61c0c

    SHA256

    8799b9e955260f12dfa992424e55d332371100b5a9681859a86bd877a5730ba9

    SHA512

    6b2863ca067bdd9835f11979432f874cc30e88837d83d17c51a95c0335cdd28af23199948f7bafe787165ec6af8dae8e728328c58a73466410a76a935605f8e2

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    342B

    MD5

    b4f17275e67debb15d49a8c703712d02

    SHA1

    307e304ff67dc74b0aa1e1246bc08b1a98cc7d90

    SHA256

    9519e374ec7efa484b689e2e1994e29f1920b224839241fce4c968ed421265b2

    SHA512

    a982913ef7cfbd8ec9a2b5aeb3d05be57681bcf06810bd19cc79d833ab87c2bcfdb5268f7371d95e508ed2e633556b25e313aa221c6dd10b37edc72254cd41fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp
    Filesize

    92KB

    MD5

    2c87b2d541eecd3b4a69f502e63a5783

    SHA1

    c3d1777df678cf4ef89ec8330f4d64f07fb26f9e

    SHA256

    eae2daadf140785ff98f48909f57ec24b3138fc0744018ec84a4ff8932c3d638

    SHA512

    502bd68d3ead4d794969b1db7dde114e0d3ded7fc52d81ab4e50c9d59ba74a0279426b54502301e2589929802b91ff8aa32d7e3d02a79d98209e540b40f7304c

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\Application\gauomtpw.newcfg
    Filesize

    12KB

    MD5

    68791d8ef37c4c2a5eee46f8315ad2ae

    SHA1

    5fa5c38ffd43b32898bdd6fd0cda37976035a28f

    SHA256

    6348df8ce02c5ce502b52fcccc9e8ac695a0661badd08c5bfe8538b7904276eb

    SHA512

    ab447a3838fa7108d54f73d6cd4f70d732811e2e07e1fd066d7ae3ad7057daad697a23201b1123c4ba22b740d76dab19970ab1a00546fd47706d687b278a26c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
    Filesize

    4KB

    MD5

    5719ee7f6521ae142f0557f0706cded1

    SHA1

    a1d5694197827967aea5b3ccc88e2f91d465c283

    SHA256

    0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf

    SHA512

    cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
    Filesize

    4KB

    MD5

    2768222689e3585d609b5a2afc1ba52c

    SHA1

    ee522df6b2e365857bf6be58ac7150cbc71cfc9c

    SHA256

    21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0

    SHA512

    56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
    Filesize

    4KB

    MD5

    e6ab030a2d47b1306ad071cb3e011c1d

    SHA1

    ed5f9a6503c39832e8b1339d5b16464c5d5a3f03

    SHA256

    054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c

    SHA512

    4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\PublisherSettings.xml
    Filesize

    15KB

    MD5

    7706e14f8e1e875567edf16ae1bd148e

    SHA1

    3bf8439022f78b731f909799d2ea16b917e26b28

    SHA256

    9025426fd77d229a4c53d983335873ee78560181bae855b7a84d2e233a4b1829

    SHA512

    3d5d7264971be81a897e98cf88d92109433dbe15956d86196d82093ab6f62e02306b221018c3ccc8a70e18738413d8b0d59f8b18f038065ed784a90a186dafda

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
    Filesize

    2KB

    MD5

    471b9e8752f0eca9a655cfafd7410154

    SHA1

    53d555749c04cb475963d4e2d448bc1ae8cd1f00

    SHA256

    43e84d9f068cd3e27412df1e3f32809f70b056840483c0b453d5168b4a85d36a

    SHA512

    5a1ca37319734c0d8e2a43e5e7cfa6a2c64493901219142d503fe82105e6bd2b7729f4bcdd64b7218972f10c05839ac9df6ed14c1915734bd6fd33cbb26f184c

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\SnapDo.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.6.1.830\gy-7i9fd.newcfg
    Filesize

    600B

    MD5

    3119b5000b9117b449a20aa115b4a5b0

    SHA1

    fd911c66db786812a3a698dba1cd278411c63c1d

    SHA256

    3eb76b84eee202d1ad7f12436cf4d3f4805141869d5eeaa6bca88d76a4151555

    SHA512

    a21b8b9c33a9cef5653c70e8c9bed246700c8a41627befc41dda5f85fc26d289bcc05d36489f98263397327ce2a7dee320951a7b5ac1fafbdc60cd89e7c9e3a0

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\SnapDo.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.6.1.830\user.config
    Filesize

    471B

    MD5

    d72214fcd73bfc58befa5f7da26e3c2c

    SHA1

    aba51ff425df4fdff070c8fb12ca67c788dbe1ae

    SHA256

    0c48f4447e1f2bf1d8cc3c71f7dd674d837e5c4f6c71f5d5a2da04782c49ca7b

    SHA512

    e98bb9121e5f01b47672ff340a83c10023deeeb94831574638274ffa44fc53095aaa6e56707d3e005514149df9ff96b1d4ebb38cf67a142f04cddac4663ee026

    Download Submit

  • C:\Users\Admin\AppData\Local\Smartbar\SnapDo.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.6.1.830\w3y8sde_.newcfg
    Filesize

    535B

    MD5

    26c9a9a9f54570195350e424bfe6fd01

    SHA1

    4e2dd5f8e75d685b1e9fba513cac14834f0e1328

    SHA256

    c09f2296aeb953013e1c0efacbf86f93af795d347c076f6d895535f8b895431b

    SHA512

    61cd32a9a8c301467483dd4bc8e9bfa39ace95f9ef45eb1c3f8d6e5402b114b703187fd16770bf25e504059cf85e056d72c6002358964dd69b8835dc5ecd3fe2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab9B67.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\RESA362.tmp
    Filesize

    1KB

    MD5

    41fe441223a0c6cbb4e3f1853f8eff17

    SHA1

    ad224004c1330615295a9e227d2552b693db6c6b

    SHA256

    780904cfabeb18213b09ada354cb5ef3a42229ec7dd84f1ec2684012ab9d5020

    SHA512

    b71ce11d8b050299a73efb5548d4d780fe5a4019324504ff4ac05097af4484a96890212091f922e182876caee4f8fd65c4183c7445c2bbe86a22dedbd3b79c48

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar9B7A.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
    Filesize

    8.1MB

    MD5

    7c0a5c2c273f7266369c6cb5ad305314

    SHA1

    c0316dbf07385f033f51758b1700089e06201eb9

    SHA256

    43944a61c24f4c3178856707054a4e25d52ccdf30aae5b8f9494497e34d26e9c

    SHA512

    d4eae25fe4e9638b0590bf9b4e34e58ad42f43fe1344408ba5811dc17aea1a6fa8bf2b940d03df33da8c26849fb87c11fc1698c490ee9e77ecf8c39cb2ad2acb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ts-l_qr_.dll
    Filesize

    88KB

    MD5

    9070edf7f04ff1a3bad1f119e55dc92b

    SHA1

    ec554dfe48b3a690f85f99bf5209bb8f72306f12

    SHA256

    02dec716f714fe90c621dad468d405c57124400fb5e4b350e121cb12b64788ab

    SHA512

    b9b8632d079635f935553a3bf28a5ea792ff75510f758650d8871913d1bd8777f1dbb1e7129e23dff5506ce79259c9be99e79a956301dff7e05cefb0ef75d557

    Download Submit

  • C:\Windows\Installer\MSI9FC7.tmp
    Filesize

    1.5MB

    MD5

    f4dac8512f2767c89b6ade353fe7296b

    SHA1

    9b591a77b0d7f53590a5143eb9c39be65a41b06d

    SHA256

    ae9d1e49f652e1132a7122399e792d7ebad1b550f65ea114eff89a8c8368548f

    SHA512

    43e81639da7c8135030a0667ed66e9c0acc9e8c7f6bf0c29ef4ebb6cd35b7540d527866af2cce59c0cee0c610b90f4d0fd4040ef2d9d738ebe7be019c07bde48

    Download Submit

  • C:\Windows\Installer\MSIB08B.tmp-\CustomAction.config
    Filesize

    806B

    MD5

    796621b6895449a5f70ca6b78e62f318

    SHA1

    2423c3e71fe5fa55fd71c00ae4e42063f4476bca

    SHA256

    09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84

    SHA512

    081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9

    Download Submit

  • C:\Windows\Installer\MSIB7AF.tmp-\Interop.NetFwTypeLib.dll
    Filesize

    32KB

    MD5

    5f999c68e7770881a9a6e045855c7995

    SHA1

    03d58c17cebf5075b9cb6091a286f414489b4f0b

    SHA256

    0ee85b7498d7ac0acfcfa9d65c7eec6e2c2191c21cda2d0047df395eee0471ce

    SHA512

    97f08f783a2473652fee4a3d22023e6ac9bccacf10e13a4aef1500cc0a4aeee19787d49f109f993ec0a643a9c7d7109de8a21e309319935c673208c617b73ab1

    Download Submit

  • C:\Windows\Installer\MSIB7AF.tmp-\Smartbar.Resources.ProductsRemovalLibary.dll
    Filesize

    17KB

    MD5

    e1bbfdee0a3dc9c963c53443a5cf8963

    SHA1

    55753d0a7b1e49f3c09184623f674e60d7d10245

    SHA256

    0a6598e12d49debe47ea678e9a721e27b417e9af50e18093d48290aa679cd978

    SHA512

    d53c569eab2e313de3f723f84a7dd89f6876bbd8aacb467dcad74d3057f778473413f8efe8217a0a8373db54da55230481ce4ad84bee414d22c73fd62c217d20

    Download Submit

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
    Filesize

    109KB

    MD5

    0eebc375bc1dae1bb0150f501121d3ff

    SHA1

    f5389b514a160e316b5d27ad6fa12bd3fe6c85e6

    SHA256

    d38254cb9d5c842d72be740823a1d4eac09aa82e6bdca193fc8badf233a0ced1

    SHA512

    60d5d70710505374017929248489aca1f6ae988799bc47096a69e58783b9336ba2295eb598af26ddd8ca3249b168997df9bc35e7bf2772c092cf8c1b27ec2420

    Download Submit

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
    Filesize

    416B

    MD5

    0e5e5b7a0d0125576d061c85ecb9075e

    SHA1

    e84b840cb7a2cd211e73a4ea2a39f9f69651d25a

    SHA256

    47a3c07fcb879747bd30b04502db2208bb9282bf152683326dfabc5d0c9ea067

    SHA512

    fef42df29c352a5f21633a4308e1473fd2e40cc641002668e7e4ba683b1ee910e14283d57aac2d16fc113bd520272336dfd84e21a296d1f59f797d69b063b191

    Download Submit

  • C:\Windows\assembly\tmp\FZKZI0DC\System.Data.SQLite.dll
    Filesize

    890KB

    MD5

    0cad9f17eab4f29719b2defc90e42f27

    SHA1

    a2750221ccf7fb4d2c14744b073e84f4ab0e6831

    SHA256

    794cd3e7f0ec56d554936aa3d9f22753a605ed1130bf0c9e2c3c57f3e298f703

    SHA512

    c49a6b1296bfe1a578b52475ab124a96c0ef14dba0ffae680c5482881b68b83d728c58cd69429dadf3f0546785992e35fd26d20f2ff027ed5af4a34c9e055454

    Download Submit

  • C:\Windows\assembly\tmp\MV7SU7YQ\Interop.SHDocVw.dll
    Filesize

    143KB

    MD5

    7155bca191991224bcbba5b5aa64b302

    SHA1

    b3d7c5b1d40d82d0000d4b82a1b8b6ed3fb60261

    SHA256

    7242f575e2414031cebbdae0b3f557300c4b6a521da63772b81d5f96661cc2ff

    SHA512

    2f72a0ab4914da0233ab180c57bc36c180fab6b66dff6592eddd02301eca2f54cadbaebc0c1a3140f41b4ec9a588ce4c450edd80b747b3bdc73a2d9531e4bfc5

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCA361.tmp
    Filesize

    652B

    MD5

    26a139f694beeb61640ad0d33c129b70

    SHA1

    55fc585e764622483150b27600694ece43f7bebd

    SHA256

    4851de16861020fa6587b8d53b6db0ef5ffc2441fc7025b15f8c1b60a61c1fe6

    SHA512

    1fc764f1b13afdb8ddc3e03737637351557556740a1629ba6194bf76c5bf5598c12745e307a3dbc881aaca0d3c8996858d70f716889debd35edeaaed03ac678c

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ts-l_qr_.0.cs
    Filesize

    187KB

    MD5

    144d5d043b00d613d6ae0215b79fc4f1

    SHA1

    456386473ffd3cf917a4a67adab5a1ff962c617e

    SHA256

    c870040596d07812d93905c698e503263aec04dc4dca0d8a214e03040086ed88

    SHA512

    de998ec94a07c7220449132e0ae4ffbec7b4dc2d6061071ac0cecedbb2089cb8c7e5261147719152ba3e3e8c4fd7041e345060bf2730c9d77c603b090bea7657

    Download Submit

  • \??\c:\Users\Admin\AppData\Local\Temp\ts-l_qr_.cmdline
    Filesize

    614B

    MD5

    e8fd4a0ffc2564dbad0bdba77b076331

    SHA1

    9c94c212f21c8c22b927f32139c681d35b088057

    SHA256

    f2ca2a1772535665c3a4128e64d3674c8475629ae601379f602b585bbd43b48f

    SHA512

    23b8344612101e7d9b84de8e2ba90777e4d9ec4d9481e0f10963762dbffdd7f9429726c2ad403dc0982c9dbe57ff03fde423cc9012d8ab236ac2e5cee8ef879a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
    Filesize

    383KB

    MD5

    4693e209db87ea689c2dfae2ebcc371d

    SHA1

    ab0b0901cf45426d05262cc8e1e9b9418f4a0159

    SHA256

    338ecd0d1af2bb3edd27a49663a30fe9eca74aa99cfe078e0622304d1cef6fa4

    SHA512

    0ce991bddb2074f0246d957a6f2d7452918c88ed00b7ffb687c0bd54e8e3ec99606c5b87a20e49522203dfa296bdf89322afd2514f49aeb9f1d5abbb413bc437

    Download Submit

  • \Windows\Installer\MSI9FC7.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Filesize

    172KB

    MD5

    34d4a23cab5f23c300e965aa56ad3843

    SHA1

    68c62a2834f9d8c59ff395ec4ef405678d564ade

    SHA256

    27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c

    SHA512

    7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c

    Download Submit

  • \Windows\Installer\MSI9FC7.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
    Filesize

    77KB

    MD5

    7868ed46c34a1b36bea10560f453598f

    SHA1

    72330dac6f8aed0b8fde9d7f58f04192a0303d6b

    SHA256

    5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176

    SHA512

    0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba

    Download Submit

  • \Windows\Installer\MSI9FC7.tmp-\Smartbar.Infrastructure.Utilities.dll
    Filesize

    12KB

    MD5

    89160109632ca3459a07c0eebd067021

    SHA1

    124a6315565903806b187d21b9f9d8db32eba3a7

    SHA256

    fa2e4147d3ff0e79a8cb2ce0fc965b7ccf97840d20325438488324fab5bc0f8b

    SHA512

    0d6ddd1a02601a41c2d158d00272258c76315d589ab115d656167af3d1c5f9251368c9e85f9a36ed9d2ddad39d73e541ecfc9425163342094d0ef72d02f6d33c

    Download Submit

  • \Windows\Installer\MSI9FC7.tmp-\Smartbar.Installer.CustomActions.dll
    Filesize

    140KB

    MD5

    5c579c4e45c6f515c06cece15b0e7a56

    SHA1

    c92a26439fb04afd860f74bed2cc4faac261c627

    SHA256

    f1323e4b76c0b423859d5263b3541241bb93b693ca5f7e71786664c93c22d600

    SHA512

    ddb219f3e6ebaed41242d03136ee8131c014332bf48233b64f1b9a62adc90ac99aa0d52c3172b6e4f6c8ea5da0e055ddae1bf30670f084c6be659ed98dbf3557

    Download Submit

  • \Windows\Installer\MSI9FC7.tmp-\Smartbar.Resources.BrowserHelperUtils.dll
    Filesize

    7KB

    MD5

    873932eeab6826a9a8a300cd9fc160b4

    SHA1

    ac82e4ea8c202419c07bedb5cd89a3f49398398d

    SHA256

    396a7855cafef41132972cbabe38f9d72707392cf9f2824b1be43cf4fdda22ac

    SHA512

    cb2c32ba6afd1bbff06aba92d85af78585236e080648c255734bf7edee937eb613ac848f059aa2a03d58cadfa1d509925b650d8576dd96843bd511988481e849

    Download Submit

  • \Windows\Installer\MSI9FC7.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
    Filesize

    88KB

    MD5

    f91a5d59970d8b984b422c9b69346615

    SHA1

    124fad0d27bad34b2757a1353e1213fe25bcbd29

    SHA256

    51185b0e127a3284ed9c4104dd010f38e77ba2f5ead77bcecdab2020c4861579

    SHA512

    7840abe0e117803de0752c22f8dd47034dab6d47684e7784d0b2137e877b1dc5986cddd57afb4f27a5dfec855a7ca70cab5ff61daccd9a8eae335aa88a5396e5

    Download Submit

  • \Windows\Installer\MSI9FC7.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
    Filesize

    103KB

    MD5

    f0d0c318daca7e1ff3abde442a79d25a

    SHA1

    da007f339272e1670d5d95f407f1cd23d4150375

    SHA256

    5fb6269aa8de327693ad6ad67b9eb3e996a896416597bb117585a57f7a0f9f58

    SHA512

    71bbff848461fe217e8ae814208dbe686dbb3532a6f8a2a6c43e7eb272377cc651ca6b6a13787ec6fd4b41848cb928f55c7f159735c0ebc2fbe01670c04209f6

    Download Submit

  • \Windows\Installer\MSI9FC7.tmp-\Smartbar.Resources.SetBrowsersSettings.dll
    Filesize

    154KB

    MD5

    d99745d1f4d8013efacb9c65527904d1

    SHA1

    8db5756bcc2ef4d1d1205910b9aa0ca5c907f0f5

    SHA256

    cbb016f9021e57cb1842e376e1e1d1024df53aa429d1cb9db9eb7a138f37ff12

    SHA512

    5a410d42de0ae9cb65bace93c42e2d42109cc5d8e2ed7403541b258d6ca1f3d56d2f2c61f7a8c3f39cfeb4c487f08f269642b068bd2d33e9b629d43c71fedac3

    Download Submit

  • memory/536-1303-0x000000001C1C0000-0x000000001C966000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/536-1304-0x000000001D120000-0x000000001D8C6000-memory.dmp

    Filesize

    7.6MB

    Download

  • memory/1536-1331-0x0000000000DB0000-0x0000000000DD6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1536-1332-0x0000000000DE0000-0x0000000000E06000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1632-1222-0x00000000008E0000-0x00000000008F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/1632-1221-0x00000000008E0000-0x00000000008F8000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2828-916-0x0000000000230000-0x0000000000256000-memory.dmp

    Filesize

    152KB

    Download

  • memory/2828-1028-0x0000000003190000-0x0000000003273000-memory.dmp

    Filesize

    908KB

    Download

  • memory/2828-942-0x0000000000460000-0x0000000000480000-memory.dmp

    Filesize

    128KB

    Download

  • memory/3008-1276-0x0000000000990000-0x00000000009B6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/3008-1275-0x0000000000990000-0x00000000009B6000-memory.dmp

    Filesize

    152KB

    Download