Overview

overview

10

Static

static

10

672dd0c0b8...8b.exe

windows7-x64

10

672dd0c0b8...8b.exe

windows10-2004-x64

10

$PLUGINSDIR/Ping.dll

windows7-x64

3

$PLUGINSDIR/Ping.dll

windows10-2004-x64

3

$PLUGINSDI...ry.dll

windows7-x64

3

$PLUGINSDI...ry.dll

windows10-2004-x64

3

Installer.exe

windows7-x64

8

Installer.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2024 21:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe

  • Size

    8.8MB

  • MD5

    823389e6b696377bca1922f6eff200ad

  • SHA1

    e292a7ecb3156e12dcacde7afb810b84afff6007

  • SHA256

    672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b

  • SHA512

    f5c4e9f09faa18e5bef6d3d0dc19ad6ceaaf47f842f3f52399c796153da1695ff94e69d5d54d6e18b1fda54a72b740c6e48e29148fc523f6a978b53c1529d30b

  • SSDEEP

    196608:T1oRCm5gjvpKv1gJzwgs/vvZNijq97g00QCOsNjz0uHFtdMaKDk:T1oRCIg1Kvozwl/73vYrWaKI

Score
10/10
pandastealeradwarediscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Signatures

  • Panda Stealer payload 1 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

    stealerpandastealer
  • Pandastealer family
    pandastealer
  • Blocklisted process makes network request 12 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops desktop.ini file(s) 1 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 47 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 55 IoCs
    adwarespyware
  • Modifies Internet Explorer start page 1 TTPs 2 IoCs
    stealer
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe
    "C:\Users\Admin\AppData\Local\Temp\672dd0c0b851ef59e073ba4aa2a5211c9546679b22788d1d117339b28b8d528b.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Users\Admin\AppData\Local\Temp\Installer.exe
      C:\Users\Admin\AppData\Local\Temp\Installer.exe /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Modifies Internet Explorer settings
      • Modifies Internet Explorer start page
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2636
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /F /IM msiexec.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:2916
      • C:\Windows\SysWOW64\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet /quiet ARGS=HP:1;DS:1;NT:1;DOWNLOADPROVIDER:ShoppingHelper;PUBLISHER:ShoppingHelper;ROT:ALL;ROSP:1;CSH:1;SHOW_UNINSTALL:1;VISIBLE_IN:FF,IE;INSTALLATION_ID:d13811c3-be3c-f963-4eca-e759baed3971
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2268
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2572
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EF11C76A851964E274749DF819F3417
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1976
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI9201.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259428960 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:308
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\l06dukcs.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1868
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9628.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9627.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2440
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jmufdktg.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1572
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES99B1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC99B0.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2752
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIA60F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259434015 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:344
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIB38A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259437462 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Drops desktop.ini file(s)
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2080
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\605qibqb.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1484
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB53C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB53B.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1504
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9zxcujrl.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2828
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB5AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB5A9.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1604
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2108
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2292
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1660
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          • Modifies registry class
          PID:1392
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2064
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • Modifies registry class
          PID:2100
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1040
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
            PID:588
          • C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
            "C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
            4⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            PID:1856
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ks0z2wb4.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2372
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC30.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1004
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vkqqtfd4.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2848
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES159.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC158.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:584
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xwyj6ael.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2204
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B6.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2644
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\-slnzlxv.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2756
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES224.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC223.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2676
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pd5dxaql.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2948
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES31D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC31C.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1652
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ltf4ilyq.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1488
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC36A.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2100
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\f6dft4di.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2656
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3AA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A9.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2996
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h-v4zyts.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1112
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES465.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC464.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1548
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h6bxo4fa.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2200
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES520.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC51F.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1692
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_zwhvxrd.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2760
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1B4F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1B4E.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2652
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ur94engn.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1736
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E5B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1E5A.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1692
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kmr9lbh6.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2800
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2128.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2118.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2736
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfnooaje.cmdline"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1152
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4C3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4C2.tmp"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2136

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Browser Extensions

    1
    T1176

    Event Triggered Execution

    1
    T1546

    Component Object Model Hijacking

    1
    T1546.015

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    Component Object Model Hijacking

    1
    T1546.015

    Defense Evasion

    Modify Registry

    5
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    System Network Configuration Discovery

    1
    T1016

    Internet Connection Discovery

    1
    T1016.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f767cc2.rbs
      Filesize

      143KB

      MD5

      995d77c62a8e6db96e5b83a1e37285ce

      SHA1

      91d3ccf3355dc45f179d42212f3604b5dc153aa7

      SHA256

      275463a0c39b2bf121d505483d762ad2c698f41a2bb2ad0061535b6f2300faf8

      SHA512

      37309f696ef73a0430c9cfcea1a6c97c7e1a90c7370795961da05653500c391e7464aca089da3609e512411c7d14c93fefae7647fe4e86c3f9c943f99806e6be

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      1KB

      MD5

      a266bb7dcc38a562631361bbf61dd11b

      SHA1

      3b1efd3a66ea28b16697394703a72ca340a05bd5

      SHA256

      df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

      SHA512

      0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      ae921ce158f90b87ccc2a8b18e7365e4

      SHA1

      a76b778935ddc2e1393a7032cb7a3f21e2051169

      SHA256

      f9cb1d716f9b3093222128b15e917c50bcc8510ea5fea77dbb4cd378d51e9133

      SHA512

      66cf1f29354b2555a54146f5d62af8e791e18ae8ad38687077b44c84e600bb29795f2c7af39dd1ead148dcfc3de94bc31143c1fa1f0c44c660d96a2991c142c8

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
      Filesize

      242B

      MD5

      27bed42dfd398b71ca98be3c1a5ec4fa

      SHA1

      29da20abe8d1d4f966635f94268c7f9920f1bc0f

      SHA256

      bbf438f488a152c9668653b80006832b20982ada5d9262ddad083ab8e2085112

      SHA512

      a8c72a24b0c1ec00d7b18b4966ab4e0b44be2a2c766378f31e452a638a5988149d86ff9c855d4d8cfc649080cf7ee45c356272ef78b214d59f3132b6e5b41292

      Download Submit

    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp
      Filesize

      92KB

      MD5

      444dfcb62fb09ad8de699a5d55d95b79

      SHA1

      f1cef14842b4791879318c31aa79d38d01a7290e

      SHA256

      c0a07d63b5dce56a498bdae1c6729182d736f2592151232d8df3ce7162f865a7

      SHA512

      8dc97ff55ae760728afd046a2ec0fe7947ffc59ded6830f0f8aa2ec4cadb063843b3eefabef4e29dbf7986a5caffc003373ad4abee6fcc47f12e51223696999e

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Application\xp-iooqn.newcfg
      Filesize

      12KB

      MD5

      51417498b55cf9dd3d2b06acca131f8d

      SHA1

      e29cf97632afc31c3f33e92ec11aba4ab6af279f

      SHA256

      09c4cf7783aaaf4d783a20d5d424e5d778dfa985cf24d9adab6a8615e5942ea9

      SHA512

      2190da7f78ed76aed06ffabfdcfdff6f248ba7a1990bb80a4949a101626013c87048d5464487bcd0679c50d5019a26379f4f8691d0100ca08f7dfdd709417836

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
      Filesize

      4KB

      MD5

      5719ee7f6521ae142f0557f0706cded1

      SHA1

      a1d5694197827967aea5b3ccc88e2f91d465c283

      SHA256

      0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf

      SHA512

      cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
      Filesize

      4KB

      MD5

      2768222689e3585d609b5a2afc1ba52c

      SHA1

      ee522df6b2e365857bf6be58ac7150cbc71cfc9c

      SHA256

      21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0

      SHA512

      56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
      Filesize

      4KB

      MD5

      e6ab030a2d47b1306ad071cb3e011c1d

      SHA1

      ed5f9a6503c39832e8b1339d5b16464c5d5a3f03

      SHA256

      054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c

      SHA512

      4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
      Filesize

      3KB

      MD5

      68c249afd80a24444d93dd0086de55f8

      SHA1

      cded3bbb9555986e5f735b6c4dfe1c56f396f5ee

      SHA256

      32095edbabcc75c6dfa5575400fe3ff7014152c24ce682027163e10ba19ce0a2

      SHA512

      f406746a1d58e7eb35d0df23a13a13d94ef17b9e8d572dd002843edf12b448514d8afb19e91c85fc6d6a7a7b5f46ab4208996f00d61a8f005d23a95f38fff278

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
      Filesize

      3KB

      MD5

      d9a9e45bbbde0c27d858bc69bde23cef

      SHA1

      babb7af0f2c8edd88472d2c7d186979e6aa1a0ac

      SHA256

      73f81c3dd8b552516d88b1c24d4d6f590f58acc51cb746db0a73cdd866aa446e

      SHA512

      79060a8a74fa2eae3976dacb412674ceb36c955bfd9c5c52ba9d4fff1e7dc71c5ce37343b2f4a054c15c2df621df85add07ab17f95115dcb7022668fa5d43482

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
      Filesize

      3KB

      MD5

      cd4cb3bdc9bd3fa91bd29db176f6e684

      SHA1

      fd306c48da0d0135f8b78ed6311e5a6a64332baa

      SHA256

      f42179b10d60f8e523dda1051607bebb086698545828c76084b01ed77799cc7a

      SHA512

      659fec228f1fa9397a111097d070d27407dc3b9006728cdd1e0db55b8ddfbfd5965595f341a22480459a62eaa0f14ee553346c97202cd5e22126315b59709437

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
      Filesize

      3KB

      MD5

      01739c98dd538a62dd230c9969399120

      SHA1

      7655d4d7eaea9f0eb04e7e5d9d26f00f9a806cde

      SHA256

      8201499a6ebd7dfaff1baaf83cf0c2147fd262238e6e21ed66548169caa76fbe

      SHA512

      1907c627b89703a9946e4785ab86affbc66b8e0fd6f584c85596f6f8a3749416e1f09b63783fb5c90bf3bd35d6e7afc86ceacb493ecc22081073fc607196dcf4

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\rok8qwio.newcfg
      Filesize

      535B

      MD5

      0ae89e12abf939d9540548d83706ebea

      SHA1

      44e708e096db0e69da4f0f1a411d7fe17b7c152f

      SHA256

      1431f981de966e65116fc9794117b2aca12c12de0dd67c9fe090bb140d9bf176

      SHA512

      984c055e2288a3fb49dd39c7f0a684fb089453a2702d14941deb0fd4f611f8e850db8cdd8746c084eed958e4ee60aa4b88b5eee0e11912600598ef8fdf697edc

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
      Filesize

      471B

      MD5

      90198218b9f7c07d733758ed6f277452

      SHA1

      5efcb3bd9441f4010abd524ccdca9f96977d4956

      SHA256

      0b4900912cb5446efafdfbebc1f048d2d88604cd5e4dc594b2ada8b593f263c6

      SHA512

      94cc27189d679d712684578b8a2fa257bfb5e751c1005135f6ec31763f78b205cc0d25da4f16feea5fdd1b2176751cbf295fd9aab11232150998d26082220dd8

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\vj375i-2.newcfg
      Filesize

      600B

      MD5

      4d6a8ca4026ebbbe8a42c0edacc43164

      SHA1

      a36bcf6c60eb24c00952576c4fc0739d2b6a4978

      SHA256

      db4d901d858e80473b4da105da2af5c6c76e2f6255be63717508e8ead50f90ba

      SHA512

      965eba9b24ecb1d914980f86b22134952519938bbb2054225c9132073581a7b85adb8a5f0f52339dba67c2105e1ad6207851651072ac60bc786e46543f71c676

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab7DC9.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES9628.tmp
      Filesize

      1KB

      MD5

      e038823dc741035f911e9dcbfbf438b7

      SHA1

      0e772549632087da3df594b66fff908e90d2a791

      SHA256

      b33f99e10e151ad86990503f74a4ee33267d131aa2e9f37b3a950b734ccedfb4

      SHA512

      9c76d8f1be7fb354e0e3a21c9bcd1485130dfc232caea98b033ba757c9dec2c8d9acd39355b1b301ce43d6c4f430956d336361de8cddec24e24145a2a0292784

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RES99B1.tmp
      Filesize

      1KB

      MD5

      7aa06b1aededf4d984b8648e93bae6d9

      SHA1

      9a294a0baf480637eb38acbe7977cf647a13ea50

      SHA256

      de1b19f7494ddc3c6302e86fed7d0511039527f2baad7a8a31c05fc04aed1097

      SHA512

      8c5061a12679a46cfdabd55a88f2af5827e9ab734cfc8010b94693a9c8489048403811869bc4afbddac683890db0cb631846a8b1d24b53eeb2fa06ac80840f00

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar7DDC.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jmufdktg.dll
      Filesize

      88KB

      MD5

      0f181c6f835839c90e24a0c0f2c4b83d

      SHA1

      ec16c8a31f09ae7acdf4c67f443959bc4e2ee769

      SHA256

      db90578934ebc6345aa3681adde0507ef309281b409b1771c9bee83532ff1fc6

      SHA512

      0de2903ef856df0b0a8e04894b2f511ed95cf2b5ab6b43083512fe724f857f6cd1f9d23d8d3921cc54b58682fa5337808017505e7eec34b8d5ec217afafdf582

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\l06dukcs.dll
      Filesize

      72KB

      MD5

      3f813c0283537a6f08e52f01975a23e7

      SHA1

      4dcb5f402e6f38be0ab096165b98ad5bf6046bec

      SHA256

      dfbc829a6788fada1bbbb4cbc8f4dbeef55b038cd9edeb1db6d113631d350158

      SHA512

      52a56ce58b76fb69d5694489217813f47c8d6d7ae87464877d257c1a38132c96e118ae2eba5bf3e042bce630ca119a75c3ac684fd711c7463ee9afd331d1d37d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\nsd69AC.tmp\Ping.dll
      Filesize

      64KB

      MD5

      b0e9ba9dab60cb7a9fd886dcf440cac3

      SHA1

      c416f6e9ba379feb9008c775d8456514444b66da

      SHA256

      52d52e5a1e1cec3e2db08555a8b2651f636cf76c6a24e32aa446595365cf193f

      SHA512

      90de38a7c57f59e8deb17c2473a215e2f052aee909a47ef37a88fefcfaeb5e6b54d462a39bcac4d0f1aa88d1806ba9e1237d0eeba98f7a0479bd6825e841f043

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
      Filesize

      9.1MB

      MD5

      e5314db579a141f6a5204f70e7073de0

      SHA1

      3d2e28be7594fd754213e3ea19b4f900f6634c91

      SHA256

      84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d

      SHA512

      f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini
      Filesize

      151B

      MD5

      988ea61855eab89ff1f69e884a6bee04

      SHA1

      5d4792d34fe3939301eefa968ab5b5e8d415aec1

      SHA256

      010436597702c768cd6f56b169a523c69a64459e5ef04fefbeaaa1bd087a6fe1

      SHA512

      eb8df971b4dfacb0772571147e32a191161848464d24ab3be690f7308378004259c03375618ffbb332316b8bf21f637ce7fe694322590d9b56af65695e3d3b9f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Search.lnk
      Filesize

      2KB

      MD5

      f9a57423959e53e9c6ccebca83edf191

      SHA1

      33adc838262b185a6840fdc6081457de1c975fe7

      SHA256

      17bf8aada9cd06c1f87a90516dc203d56a412da596d17bd45a35c8bf11e7ddbc

      SHA512

      9f1d10ee78a6b94c612441ff02a26cbe043e079b07f56229a9c73e185d8657295238c7392ea285e827bd58c33f2f6465fa32ac6db0a8dc57d3058aed3d76117d

      Download Submit

    • C:\Windows\Installer\MSI9201.tmp
      Filesize

      1.5MB

      MD5

      44c66c7febaf067ac2f96e3bb643a5b3

      SHA1

      bc83eb57ebb44206b467c4147a7f82d52662e9b5

      SHA256

      641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383

      SHA512

      41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b

      Download Submit

    • C:\Windows\Installer\MSIA60F.tmp-\CustomAction.config
      Filesize

      806B

      MD5

      796621b6895449a5f70ca6b78e62f318

      SHA1

      2423c3e71fe5fa55fd71c00ae4e42063f4476bca

      SHA256

      09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84

      SHA512

      081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9

      Download Submit

    • C:\Windows\Installer\MSIB38A.tmp-\Interop.NetFwTypeLib.dll
      Filesize

      32KB

      MD5

      a084b0c082ec6c9525336b131aeba39a

      SHA1

      45db1f5cc54a033e5df460b93edaa5d23a39ced9

      SHA256

      7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d

      SHA512

      297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b

      Download Submit

    • C:\Windows\Installer\MSIB38A.tmp-\Newtonsoft.Json.dll
      Filesize

      418KB

      MD5

      0e32f5229d5ee7d288b6b3969a51fcbc

      SHA1

      54c09f07930525786fcf08b9c7aca24185a68fc1

      SHA256

      e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8

      SHA512

      64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb

      Download Submit

    • C:\Windows\Installer\MSIB38A.tmp-\srprl.dll
      Filesize

      56KB

      MD5

      d8fa7df1f2cd92ad701bc23f86d89b54

      SHA1

      72160fd5ad639c5a9c44305b06c98eb637399d18

      SHA256

      475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4

      SHA512

      a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992

      Download Submit

    • C:\Windows\Installer\MSIB38A.tmp-\srsl.dll
      Filesize

      21KB

      MD5

      6fc50184e3aad7f4df0231da697a9da8

      SHA1

      fef8608d31e8e1c16ca7db402fa352ee7231585b

      SHA256

      58e698c208cd6ad94d2da3511447a975605e2b49bbdb7b572863f318aaffe0cf

      SHA512

      626b0a4031571ca906311937583f646aebdc7aacd5afb5ddf66c2d45dbc335e026d337d4f5803c38ddd022b9e64c79b4dd30d094d5d01a669e99d6c6829650b4

      Download Submit

    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
      Filesize

      111KB

      MD5

      1e7d78e6ded52cf44c40d27326fd93c7

      SHA1

      20c92fdab87b050571805f45c3375908e06a925f

      SHA256

      e7df2fae7fcda21cfce75ae7edefcb3d662d27d87beb7227398591cbe28ac68a

      SHA512

      808a36b130adb2b658f0576bd11b69803cef8af573b77892eeb4a5e56723a960d72544ed6f01130e17ee0d86c1195bf5851ae0bcfdd0091304eaaf47bb420059

      Download Submit

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
      Filesize

      416B

      MD5

      04c049137ff6af8a4d431c2af2cf40c6

      SHA1

      7da27d2cf242e901ce4e78afc55991eebd7c6c90

      SHA256

      fede235a455fc4499059a69c6f2d1558a0c351e8a7e287c730249c06b7e375a9

      SHA512

      e87fe42834b5829f69acc9d524ac41615256237fc7848df0fc7f41e798d9aa3226e4a6be0dfd84a5ea67c9e80bd84eab80491224a25fc81119d7e80308eddb1c

      Download Submit

    • C:\Windows\assembly\GAC\Microsoft.VisualStudio.OLE.Interop\7.1.40304.0__b03f5f7f11d50a3a\Microsoft.VisualStudio.OLE.Interop.dll
      Filesize

      116KB

      MD5

      459ff9c6762b7fdd91c156ff3e096478

      SHA1

      7179debce9a271450b1241e7435a999aea1ddd05

      SHA256

      93865c89e1507409fbbeb9433542a303cdd2fd5acda3d51fecd83e4a8fb8072c

      SHA512

      8b95330d364413122427604af1c0e848694975eb8c541b911aeb0d50fbb5cd15a60863f68593f1088b26f83500f400f52292a2891511223f796be750c6a7583a

      Download Submit

    • C:\Windows\assembly\tmp\GB9WB7KO\System.Data.SQLite.dll
      Filesize

      889KB

      MD5

      c2e38bfe933c5bce36910fe1fb1d5067

      SHA1

      aac5ed2724e2f88c7af1a3bf56d73180ae709bb7

      SHA256

      49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286

      SHA512

      281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d

      Download Submit

    • C:\Windows\assembly\tmp\Z7EOU439\Interop.SHDocVw.dll
      Filesize

      143KB

      MD5

      030a99f9594434ea83d27b33a95c4d5a

      SHA1

      230882058a1d50e4e8f7fa4bb3144dec506c5967

      SHA256

      0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3

      SHA512

      529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC9627.tmp
      Filesize

      652B

      MD5

      ca433768a5e0e715a251042f7af9dce4

      SHA1

      bbe368cbc6fee0c13527bbb6937a6a830e283ba2

      SHA256

      e59e20d0fbdf24630fcc57a3fc0875d9bcef10004a8e2be12eee0e9763880b0b

      SHA512

      ac6fc6e99dba512bb136c94f5b7e2df4c42c1114966b5396e149d892b460f4c0470125e8fb981e80213620b34cc039435f06f86e3e0f0c4871c8f03f3be1f12b

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSC99B0.tmp
      Filesize

      652B

      MD5

      d73ab2ad75ae1d8a9e99da940bac29c3

      SHA1

      8fe790c497a580f0c698e98da46e697c065e2e70

      SHA256

      9b6dd5bee09cbf8a4225b1b07f1408b924c9e1419282f7b90f3e750f11e92e26

      SHA512

      d87f89ffe3e6af3f23bc732ef4e7061670bebe754d77d7359501c2811a04c62221ab26cf94ebf874319c5a4e5271c9966653757fa7e1056522f9dc15778ad7aa

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\jmufdktg.0.cs
      Filesize

      187KB

      MD5

      14ac60821b7e9508914fdf584ef23f46

      SHA1

      9bc6cb0f7ea31050962fe56398213a48c5097ffa

      SHA256

      ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c

      SHA512

      b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\jmufdktg.cmdline
      Filesize

      614B

      MD5

      7643571151fa232a63fed779af372d28

      SHA1

      fa3da7009b31d695032bd6de337289c6a4134e7d

      SHA256

      9734505caad6e8c2961342b14056b1ce2987633e38f49c8e1df8b26d446e24cc

      SHA512

      e773b4fc803f73f3d1608712f91fecf7cf2723221260b0eb2e2b5c7b5a1d314270dcd0006677fc93e0a78eeeea3d800fc016e0647e5d636d0aa2614b302e2865

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\l06dukcs.0.cs
      Filesize

      150KB

      MD5

      6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c

      SHA1

      1dbab29ad6fb169fad90e963dd0c5290f27272fc

      SHA256

      e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a

      SHA512

      193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\l06dukcs.cmdline
      Filesize

      396B

      MD5

      726bac8d892b5f9ee5c22b6a81c6c4de

      SHA1

      2418ecacadfe98beac68d10a9d0002a1c400a882

      SHA256

      20c4fd4d31db2ca3158def20283d14de4a474f57fb13449384cafc0038aaa430

      SHA512

      5a5ac53e484bccc03312a0bdbbdcb4390de7d18a2b318c3343a5b62bcd1a3c8a48c6bc06c52484c4cd55cfdd3aedd9dd661806bfb6d46721fa36b6739a644fef

      Download Submit

    • \Users\Admin\AppData\Local\Temp\Installer.exe
      Filesize

      10.2MB

      MD5

      564e47a3604ced3b7c18e43250226cd7

      SHA1

      a3eef8fac3617d048fb9fce2201937297e3920f1

      SHA256

      12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83

      SHA512

      e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf

      Download Submit

    • \Users\Admin\AppData\Local\Temp\nsd69AC.tmp\Registry.dll
      Filesize

      24KB

      MD5

      2b7007ed0262ca02ef69d8990815cbeb

      SHA1

      2eabe4f755213666dbbbde024a5235ddde02b47f

      SHA256

      0b25b20f26de5d5bd795f934c70447112b4981343fcb2dfab3374a4018d28c2d

      SHA512

      aa75ee59ca0b8530eb7298b74e5f334ae9d14129f603b285a3170b82103cfdcc175af8185317e6207142517769e69a24b34fcdf0f58ed50a4960cbe8c22a0aca

      Download Submit

    • \Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
      Filesize

      7KB

      MD5

      4876414d51fe01bd8525df2f8acd35d6

      SHA1

      f9435c39e3029276e71a971e48f68d3f0298fe11

      SHA256

      4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d

      SHA512

      d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
      Filesize

      383KB

      MD5

      3cf46bae7e872a661721b0894bc076e2

      SHA1

      eaaa0a35e284908dd21cf245a38efe9d2e4c7532

      SHA256

      7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043

      SHA512

      47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\Microsoft.Deployment.WindowsInstaller.dll
      Filesize

      172KB

      MD5

      34d4a23cab5f23c300e965aa56ad3843

      SHA1

      68c62a2834f9d8c59ff395ec4ef405678d564ade

      SHA256

      27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c

      SHA512

      7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
      Filesize

      77KB

      MD5

      7868ed46c34a1b36bea10560f453598f

      SHA1

      72330dac6f8aed0b8fde9d7f58f04192a0303d6b

      SHA256

      5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176

      SHA512

      0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\Smartbar.Infrastructure.Utilities.dll
      Filesize

      140KB

      MD5

      562ac9921d990126990c2f0bdce7081a

      SHA1

      f395458d8e328cf4809385fef3e225d01f8a8fc0

      SHA256

      ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738

      SHA512

      f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\Smartbar.Installer.CustomActions.dll
      Filesize

      162KB

      MD5

      2120dbb0481374885af660346f503b9b

      SHA1

      0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3

      SHA256

      ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474

      SHA512

      46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\Smartbar.Personalization.Common.dll
      Filesize

      10KB

      MD5

      347b0b5d32b1a85b5450b08cfb6d2e75

      SHA1

      7bfe1857974a6c6c3e882624d820311c1e3bf670

      SHA256

      76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac

      SHA512

      d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
      Filesize

      88KB

      MD5

      adb53ee43f74f430368449b98b2f6f86

      SHA1

      fb882d80da9ccf79c6817a492fbd686d4759bb41

      SHA256

      b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff

      SHA512

      8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
      Filesize

      102KB

      MD5

      5dc8a7062040e05ad36bd83246954b05

      SHA1

      f6807be0413724076c8c384576ad9a5bc1413e8c

      SHA256

      d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc

      SHA512

      43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\sppsm.dll
      Filesize

      40KB

      MD5

      787104ad9dea702d115883c489be54cb

      SHA1

      b24680d170c610203df5e3d1d52b2b04f938dd56

      SHA256

      934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3

      SHA512

      861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\spusm.dll
      Filesize

      10KB

      MD5

      e28c8d2fd64ba27d9b992fc325f26a9d

      SHA1

      d9ed413265967b6ede8787aa8c5e5734a4ea1358

      SHA256

      82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab

      SHA512

      e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\srbhu.dll
      Filesize

      7KB

      MD5

      fcbe6dec3d2da2ac9fd2754cc9cf6ad9

      SHA1

      7954bdf16f99bf843c5c8053a078813d87c94254

      SHA256

      71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e

      SHA512

      5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\srbs.dll
      Filesize

      174KB

      MD5

      7ec601a05f97c73fc2180e8c57efc9af

      SHA1

      7c99dcdcec211459b1d9d429e2ada2839876f492

      SHA256

      982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8

      SHA512

      119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b

      Download Submit

    • \Windows\Installer\MSI9201.tmp-\srut.dll
      Filesize

      22KB

      MD5

      feba43763a9b7fe1c94d681055d10167

      SHA1

      49d30dedf868accf07e6895e1699a4d751235fd0

      SHA256

      0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d

      SHA512

      680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef

      Download Submit

    • memory/588-1648-0x0000000002560000-0x0000000002586000-memory.dmp

      Filesize

      152KB

      Download

    • memory/588-1647-0x0000000001020000-0x0000000001046000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1392-1591-0x0000000000A70000-0x0000000000A96000-memory.dmp

      Filesize

      152KB

      Download

    • memory/1392-1592-0x0000000000A70000-0x0000000000A96000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2100-1620-0x000000001D3F0000-0x000000001DB96000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/2100-1619-0x000000001C490000-0x000000001CC36000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/2292-1537-0x00000000022A0000-0x00000000022B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2292-1538-0x00000000022A0000-0x00000000022B8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2572-1158-0x0000000000430000-0x0000000000456000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2572-1185-0x0000000000570000-0x0000000000590000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2572-1282-0x00000000032F0000-0x00000000033D3000-memory.dmp

      Filesize

      908KB

      Download

    • memory/2636-229-0x00000000740F0000-0x000000007469B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2636-99-0x0000000000A90000-0x0000000000AD0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2636-32-0x00000000740F0000-0x000000007469B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2636-28-0x00000000740F1000-0x00000000740F2000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2636-2653-0x00000000740F0000-0x000000007469B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2636-27-0x0000000000A90000-0x0000000000AD0000-memory.dmp

      Filesize

      256KB

      Download