Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    29-11-2024 03:35

General

  • Target

    Installer.exe

  • Size

    10.2MB

  • MD5

    564e47a3604ced3b7c18e43250226cd7

  • SHA1

    a3eef8fac3617d048fb9fce2201937297e3920f1

  • SHA256

    12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83

  • SHA512

    e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf

  • SSDEEP

    196608:NNCibAePytGr1MADU91h+RXs0yDiFqtpS8KNFVe1Pu5ZiqNJ:qZ6ytGriADU91h+WjDikm8KNkuziu

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msiexec.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:880
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2744
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2672
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F3293420DFE159710E17A3B257DDD75C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1992
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIF130.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259453390 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:844
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yuxdtbuo.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2120
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF8A2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF8A1.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2968
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2qnekigq.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2068
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFBED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFBEC.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2052
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI889.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259459256 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2548
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI128B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259461798 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:964
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vk2buss8.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES13C0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC13BF.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:624
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pqzs46i6.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2440
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES143D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC143C.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:892
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2952
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:704
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          • System Location Discovery: System Language Discovery
          PID:1144
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          • Modifies registry class
          PID:1008
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1784
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • Modifies registry class
          PID:2104
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3020
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
          • Modifies registry class
          PID:1540
        • C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
          "C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
          4⤵
          • Executes dropped EXE
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          PID:652
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ehwkjilt.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2628
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES361F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC361E.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1440
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tv0cmbok.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:968
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC36E8.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1500
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yowep-pq.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1960
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3757.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3756.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2432
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mzd1swsi.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2300
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES37A5.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC37A4.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:324
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\uzsoy4hw.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1532
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3860.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC385F.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:584
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lbzt7udn.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2704
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES389E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC389D.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2648
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ndu3v6ej.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2488
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38FC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38FB.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2756
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9dnblq3n.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:284
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A72.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A71.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2764
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nddiwyy9.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1756
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B5C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3B5B.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1728
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p1pkadk5.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1216
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4AB7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4AB6.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2656
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wfvv0nj9.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2932
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C1E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C1D.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:324
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yezmfou1.cmdline"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1532
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4DA4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4DA3.tmp"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:2568
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kd2sjovv.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2680
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES38DD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC38DC.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2104

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f76ed21.rbs

    Filesize

    143KB

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp

    Filesize

    92KB

  • C:\Users\Admin\AppData\Local\Smartbar\Application\7cx96mgo.newcfg

    Filesize

    12KB

  • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png

    Filesize

    4KB

  • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png

    Filesize

    4KB

  • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png

    Filesize

    4KB

  • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml

    Filesize

    3KB

  • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\aweupsik.newcfg

    Filesize

    600B

  • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\cj26u_bb.newcfg

    Filesize

    537B

  • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config

    Filesize

    473B

  • C:\Users\Admin\AppData\Local\Temp\2qnekigq.dll

    Filesize

    88KB

  • C:\Users\Admin\AppData\Local\Temp\CabEE38.tmp

    Filesize

    70KB

  • C:\Users\Admin\AppData\Local\Temp\RESF8A2.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\RESFBED.tmp

    Filesize

    1KB

  • C:\Users\Admin\AppData\Local\Temp\TarEE69.tmp

    Filesize

    181KB

  • C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi

    Filesize

    9.1MB

  • C:\Users\Admin\AppData\Local\Temp\yuxdtbuo.dll

    Filesize

    72KB

  • C:\Windows\Installer\MSI128B.tmp-\Interop.NetFwTypeLib.dll

    Filesize

    32KB

  • C:\Windows\Installer\MSI128B.tmp-\Newtonsoft.Json.dll

    Filesize

    418KB

  • C:\Windows\Installer\MSI128B.tmp-\srprl.dll

    Filesize

    56KB

  • C:\Windows\Installer\MSI889.tmp-\CustomAction.config

    Filesize

    806B

  • C:\Windows\Installer\MSIF130.tmp

    Filesize

    1.5MB

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

    Filesize

    109KB

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch

    Filesize

    416B

  • C:\Windows\assembly\tmp\4ABHQHGU\System.Data.SQLite.dll

    Filesize

    889KB

  • C:\Windows\assembly\tmp\JZBRNH60\Interop.SHDocVw.dll

    Filesize

    143KB

  • \??\c:\Users\Admin\AppData\Local\Temp\2qnekigq.0.cs

    Filesize

    187KB

  • \??\c:\Users\Admin\AppData\Local\Temp\2qnekigq.cmdline

    Filesize

    614B

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCF8A1.tmp

    Filesize

    652B

  • \??\c:\Users\Admin\AppData\Local\Temp\CSCFBEC.tmp

    Filesize

    652B

  • \??\c:\Users\Admin\AppData\Local\Temp\yuxdtbuo.0.cs

    Filesize

    150KB

  • \??\c:\Users\Admin\AppData\Local\Temp\yuxdtbuo.cmdline

    Filesize

    396B

  • \Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll

    Filesize

    7KB

  • \Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll

    Filesize

    383KB

  • \Windows\Installer\MSIF130.tmp-\Microsoft.Deployment.WindowsInstaller.dll

    Filesize

    172KB

  • \Windows\Installer\MSIF130.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll

    Filesize

    77KB

  • \Windows\Installer\MSIF130.tmp-\Smartbar.Infrastructure.Utilities.dll

    Filesize

    140KB

  • \Windows\Installer\MSIF130.tmp-\Smartbar.Installer.CustomActions.dll

    Filesize

    162KB

  • \Windows\Installer\MSIF130.tmp-\Smartbar.Personalization.Common.dll

    Filesize

    10KB

  • \Windows\Installer\MSIF130.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll

    Filesize

    88KB

  • \Windows\Installer\MSIF130.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll

    Filesize

    102KB

  • \Windows\Installer\MSIF130.tmp-\sppsm.dll

    Filesize

    40KB

  • \Windows\Installer\MSIF130.tmp-\spusm.dll

    Filesize

    10KB

  • \Windows\Installer\MSIF130.tmp-\srbhu.dll

    Filesize

    7KB

  • \Windows\Installer\MSIF130.tmp-\srbs.dll

    Filesize

    174KB

  • \Windows\Installer\MSIF130.tmp-\srut.dll

    Filesize

    22KB
