Overview

overview

10

Static

static

10

672dd0c0b8...8b.exe

windows7-x64

10

672dd0c0b8...8b.exe

windows10-2004-x64

10

$PLUGINSDIR/Ping.dll

windows7-x64

3

$PLUGINSDIR/Ping.dll

windows10-2004-x64

3

$PLUGINSDI...ry.dll

windows7-x64

3

$PLUGINSDI...ry.dll

windows10-2004-x64

3

Installer.exe

windows7-x64

8

Installer.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    01-12-2024 21:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Installer.exe

  • Size

    10.2MB

  • MD5

    564e47a3604ced3b7c18e43250226cd7

  • SHA1

    a3eef8fac3617d048fb9fce2201937297e3920f1

  • SHA256

    12ae00fe728b441221acd10483eeb1197884738e9bd6eb715ceadeea058c6c83

  • SHA512

    e925e2a5b60c7257ac6b57b3fc12675d2cc490070c456a8e794f54c6732cc34981c0d88a5acfb2214fd316194f24eae83e8151cfab101daa2f1b59f2d621cdbf

  • SSDEEP

    196608:NNCibAePytGr1MADU91h+RXs0yDiFqtpS8KNFVe1Pu5ZiqNJ:qZ6ytGriADU91h+WjDikm8KNkuziu

Score
8/10
adwarediscoveryevasionpersistenceprivilege_escalationspywarestealertrojan

Malware Config

Signatures

  • Blocklisted process makes network request 11 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 12 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\Installer.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msiexec.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2748
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2668
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2272
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2EF10527F8DB86DF5E27A0A86EDD514B
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:572
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI9941.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259430817 1 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tfsesps-.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:628
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA111.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA110.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:692
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vrwf95lg.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:744
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA3CF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA3CE.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2976
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIB03D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259436635 5 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2312
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIBB09.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259439412 9 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
        3⤵
        • Blocklisted process makes network request
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h0frdzwg.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2568
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC2F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC2E.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1708
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n27g_y7w.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2376
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC8C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBC8B.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2216
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:744
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2604
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2888
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          PID:2928
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1352
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • Modifies registry class
          PID:904
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:448
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
            PID:3040
          • C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe
            "C:\Users\Admin\AppData\Local\Smartbar\Application\Smartbar.exe"
            4⤵
            • Executes dropped EXE
            • Enumerates connected drives
            • System Location Discovery: System Language Discovery
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            PID:2864
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bn9thfux.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1148
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD65.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD64.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2436
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5zzmjqj8.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2424
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE20.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE1F.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2488
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52kpoxfl.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2184
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDE6E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDE6D.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:676
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ymqkszgi.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1840
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDECC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDECB.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1780
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nvjbn8g1.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:796
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDF58.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDF57.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:292
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\9v9k2rda.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3056
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDFB6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDFA5.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2208
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ybwme36t.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2548
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE013.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE012.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2928
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvfc7nwu.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1352
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE0AF.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE0AE.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2808
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xpp24ome.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2804
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE14B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE14A.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1812
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\g09m7jma.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1740
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF8E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEF8D.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2888
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\52qv4qxe.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2528
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF2E8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF2E7.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1232
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0800jkit.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1568
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF50A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF509.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:984
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ytmrarfa.cmdline"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:1848
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE429.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE428.tmp"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2232

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Browser Extensions

    1
    T1176

    Event Triggered Execution

    1
    T1546

    Component Object Model Hijacking

    1
    T1546.015

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    1
    T1546

    Component Object Model Hijacking

    1
    T1546.015

    Defense Evasion

    Modify Registry

    4
    T1112

    Subvert Trust Controls

    1
    T1553

    Install Root Certificate

    1
    T1553.004

    Credential Access

    Credentials from Password Stores

    1
    T1555

    Credentials from Web Browsers

    1
    T1555.003

    Unsecured Credentials

    1
    T1552

    Credentials In Files

    1
    T1552.001

    Discovery

    Peripheral Device Discovery

    1
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Data from Local System

    1
    T1005

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\f7695fd.rbs
      Filesize

      143KB

      MD5

      cfddbc72927ff0e524c25167b2352f67

      SHA1

      e2ac591373c716ab104706e746e022d126821dbb

      SHA256

      ce10df1835451c98c245cc9904ccb77b269da715a9d93f4ad9328f5d8bba2117

      SHA512

      f73b4f93435320b65783c58a74f5eecb8635c29281e492550bc052842dfd466d11f02b69b9d0f3da711e6a16fd4a0e08e490ec9db8ba3aeb50ad5884eaedbe3a

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
      Filesize

      342B

      MD5

      1c0c8398d18078098e08422769c998ee

      SHA1

      b0eaf48d1248c15308b408dbc8f1ab35db84329e

      SHA256

      1abcad8ff800d0e270380f46e9c57308638cccff188086d4b25a41eb9a79ce5e

      SHA512

      67630b89bd80b32d34ea3e4f620b13e6759150e116c69d01e300c51da4a470191f32efb58b1a9a633e966cd6d4824fe9647ed8f0705ca9fc2312bc4289c37ee5

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Application\84cedsbn.newcfg
      Filesize

      12KB

      MD5

      51417498b55cf9dd3d2b06acca131f8d

      SHA1

      e29cf97632afc31c3f33e92ec11aba4ab6af279f

      SHA256

      09c4cf7783aaaf4d783a20d5d424e5d778dfa985cf24d9adab6a8615e5942ea9

      SHA512

      2190da7f78ed76aed06ffabfdcfdff6f248ba7a1990bb80a4949a101626013c87048d5464487bcd0679c50d5019a26379f4f8691d0100ca08f7dfdd709417836

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\30DFF8F0-BA79-4360-A3EA-51B6D006133CPress.png
      Filesize

      4KB

      MD5

      5719ee7f6521ae142f0557f0706cded1

      SHA1

      a1d5694197827967aea5b3ccc88e2f91d465c283

      SHA256

      0a2ae8f3e9aa552748cfeadaec055778487602e7f6d4a6c2a221fe1fd496bfaf

      SHA512

      cde76dada9e798a746d7ae23ee189940a6b7660805267a9221501c5c911a89b298005f111622fae7c886e810e23f83b77d47fa75793d19441246eb775a2f2bf6

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\3C610B86-19DE-4757-B46A-871C9C27FF0APress.png
      Filesize

      4KB

      MD5

      2768222689e3585d609b5a2afc1ba52c

      SHA1

      ee522df6b2e365857bf6be58ac7150cbc71cfc9c

      SHA256

      21ee471e79b0a646735e132bc1f0c48f464677127b105426e00b160a554de6b0

      SHA512

      56527749dca471af92eb4166b2bb6f1ca4cbf07c8d7e1a201378467f1d08efe5fd913715bb995d35c7d511b2cbdc9469d79baae7ee4bab619e4e11753c3505e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png
      Filesize

      4KB

      MD5

      e6ab030a2d47b1306ad071cb3e011c1d

      SHA1

      ed5f9a6503c39832e8b1339d5b16464c5d5a3f03

      SHA256

      054e94c94e34cef7c2fad7a0f3129c4666d07f439bfec39523dca7441a49bd7c

      SHA512

      4cbb002cc2d593bafd2e804cb6f1379187a9cae7d6cc45068fda6d178746420cc90bcd72ba40fc5b8b744170e64df2b296f2a45c8640819aa8b3c775e6120163

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml
      Filesize

      3KB

      MD5

      a341b4dd3758348c69ad130f1dd9ad94

      SHA1

      ea6ba5a8c2d33420cef5d4be943207c063f1def0

      SHA256

      3d5ac2908cc18d3e736774a491539c3701961cd0081b6d0a135dfbe8db810157

      SHA512

      63a78918a9d081b3276dbdd7f498296396b175ecde7d05b262bf5aa6e918aa0fed2e1c42a0e892de7a5a7ac93baa647b05cd2cc8000b0586e18c9257f11124b5

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\ji_pnvxp.newcfg
      Filesize

      600B

      MD5

      4e2af31f9d2df2f85e1b5e521ed1ffa7

      SHA1

      4edb9ac9632d1c21c79b12be4db7935656a9e8b7

      SHA256

      6850d688b100b93b31ba438b1744a1d04efe0f375318dff5c9fd554d33fdf392

      SHA512

      843831f822447ce36695077dc0b70d52f8983beaa8209cdcf1aebbdada6dd68a18c26b4f3b9fa5bd724595372b7560c8fdbc46f899fbbe97d824d730e4d9aad0

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\lls-e5ou.newcfg
      Filesize

      535B

      MD5

      150e92c89b3f926add54485e5327b48e

      SHA1

      c1bb12f562389612ef8620c4d1257edd8f5e07a9

      SHA256

      27912852cea05628dcec6578760221b2d0a632c5c326802d12910eef4111d963

      SHA512

      46124b9e3522463e76db4ca5d891cd01d5c658c38440597faf8e6ace7528e2e9026af9b6a73913cdf46a1c32398d258d10d5e2ce220fbef80093a87759093958

      Download Submit

    • C:\Users\Admin\AppData\Local\Smartbar\Smartbar.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.153.63.12705\user.config
      Filesize

      471B

      MD5

      e4af8d7ad09a4fd9500a9542efad8a08

      SHA1

      53dec87111adf6190fa8e0a272f78cd8247f71f0

      SHA256

      e52b1b03beed33703c727557c925a680dd921d1e12e2f76ccaa06beca4eda62e

      SHA512

      7bd8ae7908522223b8c90493179546f14088773dcb56b3a238102aacbf7b2a8a5841b53a0c8f55602993c0a82c2ffc65a96b64496186ec71c2018237fa065732

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Cab9697.tmp
      Filesize

      70KB

      MD5

      49aebf8cbd62d92ac215b2923fb1b9f5

      SHA1

      1723be06719828dda65ad804298d0431f6aff976

      SHA256

      b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

      SHA512

      bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESA111.tmp
      Filesize

      1KB

      MD5

      fa5ab5b1ac5401d051e43f8bebe24563

      SHA1

      9ad801d48c900a2f50ddeb74939d9341c54db30b

      SHA256

      012437b7f58641054d5f0f04e03fc1ddd3724a6651d5d1dfdaf7dbe05aee2453

      SHA512

      952a22e20660b1ba7a6ea5e88b4b8f5211ffa7f9a2d3f67e0f2942a3f411a9640c095fc4b2af9b80d56b838623b4e783ebdd44a52af8c85c125a6e8bf689cfed

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\RESA3CF.tmp
      Filesize

      1KB

      MD5

      f68986f12dee971f801375fba518d02c

      SHA1

      795e6502eac3489e33f3071873ff6cee5d05094c

      SHA256

      31d22970f2ffdf6a22800ab912eff96391caf091bba63db37aae8f04892b185d

      SHA512

      6f7188ed2d4122b97aee416488cc36b1b5aa6f6c5d103a2d8ebf61b1d280a8206f4fb777d4630ccbb522851ce4d22315d17c4b5d6e6df872608e79f28202dc27

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Tar96A9.tmp
      Filesize

      181KB

      MD5

      4ea6026cf93ec6338144661bf1202cd1

      SHA1

      a1dec9044f750ad887935a01430bf49322fbdcb7

      SHA256

      8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

      SHA512

      6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi
      Filesize

      9.1MB

      MD5

      e5314db579a141f6a5204f70e7073de0

      SHA1

      3d2e28be7594fd754213e3ea19b4f900f6634c91

      SHA256

      84263b76687ff69f306579fb3f05f3a0528db029cf0f2f60eddc22549545408d

      SHA512

      f18c446d8e388759c12527ca970dea3c24af954d199c39027eae4ad8c97df7c902f24845ab0ee0ffd9ad9ee6768c43169b11fec47bd3246cd2e9c7e8da44993a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\tfsesps-.dll
      Filesize

      72KB

      MD5

      7215dcbced6878b94a98902be12d29aa

      SHA1

      448ca0b64352a0453cc16378a0f243be5b808146

      SHA256

      9518f84460063636ecf6a44adc3b4b7c006f0f0f08ed87ba54e27a8a4ffac39e

      SHA512

      2c5acc6e5d0126c8a3f077519ea69fa0826d1926ba8cf269971e5a966ef56aba42e5b05bcd9311b1d8e02d874ce07e01d5c78d4f637ef7985541d1c5ddd84385

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vrwf95lg.dll
      Filesize

      88KB

      MD5

      e9aad950bf0dd6c34b980033e4fe399e

      SHA1

      0d4adf9fafec1fe94e30f5595ae074e6d609ece0

      SHA256

      067e2da6e421dcf70c260729d9aa146a2e780c4a62218e264fa4e5fe52d92578

      SHA512

      f20cb4e8c44510c8ce8111fbb51a71fe9f64e57aa218c455039d30b01d078e9973219be5bef174a8fbf4eaddfcbceb85b7e856d6bcdfd362fab2d3cc493470be

      Download Submit

    • C:\Windows\Installer\MSI9941.tmp
      Filesize

      1.5MB

      MD5

      44c66c7febaf067ac2f96e3bb643a5b3

      SHA1

      bc83eb57ebb44206b467c4147a7f82d52662e9b5

      SHA256

      641fae557b683029787befda2a2ed5251b19a4c11fc19e3dbf2cd97459e7e383

      SHA512

      41ce527bd09ae6b3126947197c94169121dcffe79b9db624a17a3a45d4e25a2f53dde0a686b4329b9e2d5c33bbbc6d6b9cc840b97731eac38ae31254dfd3364b

      Download Submit

    • C:\Windows\Installer\MSIB03D.tmp-\CustomAction.config
      Filesize

      806B

      MD5

      796621b6895449a5f70ca6b78e62f318

      SHA1

      2423c3e71fe5fa55fd71c00ae4e42063f4476bca

      SHA256

      09be5df7a85545fd93d9fd3cd1d6c04c6bfe6e233c68da6f81c49e7a35fcbb84

      SHA512

      081cf1dadb3a0e50f0a31ab03e2b08e80298c06070cd6f9b2806c08d400c07134623f7229a6c99910c6243dfa53c6e2c05d09a497aae1e701bc34b660cf9e4c9

      Download Submit

    • C:\Windows\Installer\MSIBB09.tmp-\Interop.NetFwTypeLib.dll
      Filesize

      32KB

      MD5

      a084b0c082ec6c9525336b131aeba39a

      SHA1

      45db1f5cc54a033e5df460b93edaa5d23a39ced9

      SHA256

      7cba99a0f2a5b233e341f691c2aa6cb4ca10065425fc478b56fa468d6b0af54d

      SHA512

      297ba29e1ee4300f1a11620d475e67a9747fd9affabeee5fb5151b07c931c8f5c5af12b956e2ab7bd7dc6ebb1dbc298f5d56fa419f5fe2e3646053c0e515e29b

      Download Submit

    • C:\Windows\Installer\MSIBB09.tmp-\Newtonsoft.Json.dll
      Filesize

      418KB

      MD5

      0e32f5229d5ee7d288b6b3969a51fcbc

      SHA1

      54c09f07930525786fcf08b9c7aca24185a68fc1

      SHA256

      e1ca33208030c858254249b2c9aa6d8541c2e875343b2997f2b2f9e4993c96f8

      SHA512

      64e8499e668ea44397ed5ea009e3692b623d2ac01bdd43e460624fe0282a3398025e4e53282e0f0905062b60400f4c16a64933ed7667de942f1588dd936aebcb

      Download Submit

    • C:\Windows\Installer\MSIBB09.tmp-\srprl.dll
      Filesize

      56KB

      MD5

      d8fa7df1f2cd92ad701bc23f86d89b54

      SHA1

      72160fd5ad639c5a9c44305b06c98eb637399d18

      SHA256

      475a2c225258c571ae66c0178a83177bd5a59f4ce1be1f867e14e75614ad43e4

      SHA512

      a4d11c7f66325199f5c3a41cc37f32cf6ee828d790add1a6b77b9127e65243bb17dcc10b1cb2cbaac4e543bc329bd30e64919ffc0af3fd6088a672e08e10e992

      Download Submit

    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
      Filesize

      109KB

      MD5

      94e3ac6df72ab1fd30e3c74ca4515a81

      SHA1

      2bc04974a0b61e327da79fe81959eddd88375f19

      SHA256

      3435e9b1f96c208cadd2228421aa6ada11eeefff2f1067127486805e8fcf3417

      SHA512

      aa434cafdd5ca875c0fcc2dc758e6eaa471a152b1ba13f4823f5a58c6be072adff0576cbeb9da183c51881361a5fb5b623dc9980d214c024add809b0db2d140f

      Download Submit

    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\enterprisesec.config.cch
      Filesize

      416B

      MD5

      4fcf862e733f371e0005de4a917f3720

      SHA1

      8d6f786cd77e88c93d4442286131a4f818baf88b

      SHA256

      7c8558fd215a241f7ff824c0bdc4e7c4facdf3bbdffe9292497824fdd1f5eed9

      SHA512

      942dfdd22b532702582ac5bd4c7ec9700c439827274fa4454bb1e16fadaabf502b31b6af3aeb4a2f0ca9c8c6eae1ea67ebabc78eda05e9733f1d937968a2c18b

      Download Submit

    • C:\Windows\assembly\tmp\BG5Y0UEK\Interop.SHDocVw.dll
      Filesize

      143KB

      MD5

      030a99f9594434ea83d27b33a95c4d5a

      SHA1

      230882058a1d50e4e8f7fa4bb3144dec506c5967

      SHA256

      0fdc72a06cc54771f1b07293d2e914cded985d84833ed4bf952a665eb107b5a3

      SHA512

      529d14374df0b455db055027f42ccf731ddf4b7bef8fc27bffa2ff5a46463dc6b3cacf75fd6356e325f075d7fb70ad0f8abd85feb75d00befd1c86aec857d7ee

      Download Submit

    • C:\Windows\assembly\tmp\JEB7NEML\System.Data.SQLite.dll
      Filesize

      889KB

      MD5

      c2e38bfe933c5bce36910fe1fb1d5067

      SHA1

      aac5ed2724e2f88c7af1a3bf56d73180ae709bb7

      SHA256

      49a51063aaccc22a28590575417bdff40a67a06e6f2a67217b37af1b49fa6286

      SHA512

      281225b5e7193270b27811224c70475fc9af47c5d05a7e98f6856ad6abccff084302d0ddb72868d6872eef2efaf2989645af5e596083bfb995f214182aa4184d

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCA110.tmp
      Filesize

      652B

      MD5

      087d9bf55cc8695e0ae5c77212188624

      SHA1

      987957a5859b4b483804712010176e83c1cf326f

      SHA256

      78896c1bd08d1965858f7e468447badfdb2af3ceb536e3b3174c5ef7113cb0a6

      SHA512

      001c71bcc038ac9391fb20a3b573fb0745f8e2ecfa8fa38395883da1cdbce6a9a48faab8856a2a010a907453e71d8bb0442b72772ff8bad7918f3735393fa2cd

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\CSCA3CE.tmp
      Filesize

      652B

      MD5

      b3144e2845dd294de8c6c3080f44ac09

      SHA1

      31b6a2f5a4aa1e98ba483e7a7edeafc3866f1bc3

      SHA256

      e8427b5eb5408ee0b833fcbc76e4a87a5b5094c20cf7c94eb17f7440d3be6e68

      SHA512

      474f794845748082ce701cc91436d54e60dfd6137cd1a3c09021bc41b9f720bd8c644186104abc7a0348671083c359e56f2e00a9f121a81275ded38df9dae301

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\tfsesps-.0.cs
      Filesize

      150KB

      MD5

      6f8e0c3c3b1b9a297b8ee6bfbb9c2a2c

      SHA1

      1dbab29ad6fb169fad90e963dd0c5290f27272fc

      SHA256

      e0514048fd6f4169c41896332a243cf014a719e5fe217c5743fc3c7149db578a

      SHA512

      193fc4f01b6afb2a858f006eb7c5dfd6106d88b0b0e0f12b4c8c103a8bae270ff0d583886ec5af910ce4d50cb1ccfb54a14d27fd517b847a624d9ba79f688640

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\tfsesps-.cmdline
      Filesize

      396B

      MD5

      2dd564aac105a438ece91669e5a25a27

      SHA1

      13b6f5af3901b7bb7577b4593f8aad1a05fffbf2

      SHA256

      76326491f2054fbb9fb90c85e57fbeaddad7f690fa838e7191a779f70df4a662

      SHA512

      f7011f9955bf0c028457bda43c88a9799b5613988045005ce9fe3ac6d27c77e25da0958fcf4261dcbfe0fd8064d93e215c0a51632adae111d7ad50b6c072b74e

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\vrwf95lg.0.cs
      Filesize

      187KB

      MD5

      14ac60821b7e9508914fdf584ef23f46

      SHA1

      9bc6cb0f7ea31050962fe56398213a48c5097ffa

      SHA256

      ed564c34b04178601638c4c2a9ac3c21ac83d4031976fbd467c42d8e1a7c7c1c

      SHA512

      b3faf1282b570436807b403ebd7aead6e86dbcb61dd64cfba0bc25023ddfe2017434e7f2ba34c0e69974b6f28587d75448f6b9567814d93130e9c7c3b8d01cd5

      Download Submit

    • \??\c:\Users\Admin\AppData\Local\Temp\vrwf95lg.cmdline
      Filesize

      614B

      MD5

      7516955537a11a4676f49f583886bda4

      SHA1

      64fb5f8380edfd5b617641bc9dcb6c849a8661a8

      SHA256

      75437e6324d3512509cb87263e7ea1a4e01041532d3281eb57c34e24f37b3b57

      SHA512

      904d1562024a09da241dba127d93d836c5317fbe6185b874e0f361c598bfa0b89f5a0d3093f3e5962b48b4bbd0470baef080fe40914db89dd672771f1726e018

      Download Submit

    • \Users\Admin\AppData\Local\Temp\smartbar\GuidCreator.dll
      Filesize

      7KB

      MD5

      4876414d51fe01bd8525df2f8acd35d6

      SHA1

      f9435c39e3029276e71a971e48f68d3f0298fe11

      SHA256

      4bda5a964065b918ce70a27914056b17a95e3f8002028b394ecf8ff2d7cebf3d

      SHA512

      d18afa3d806fd056836beb5a0822156402afe3455567d41f9b27d578980d5ae341273cadf5dff3175a799e791822e07eede03e3c0c143604f980f7876cd2fc0a

      Download Submit

    • \Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll
      Filesize

      383KB

      MD5

      3cf46bae7e872a661721b0894bc076e2

      SHA1

      eaaa0a35e284908dd21cf245a38efe9d2e4c7532

      SHA256

      7ca73cfb8d0502b14b657216b8735394cbd08aa8e4266fb9e86ad84ae159b043

      SHA512

      47065a1cb81b41cab7c98488609470b308c708ba73c0e11c3f06901fde008b280f3b75ee825c12e4681aefbd8a43840e0319b43bbab7fe68b24c30926d0ce9f2

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\Microsoft.Deployment.WindowsInstaller.dll
      Filesize

      172KB

      MD5

      34d4a23cab5f23c300e965aa56ad3843

      SHA1

      68c62a2834f9d8c59ff395ec4ef405678d564ade

      SHA256

      27cf8a37f749692ab4c7a834f14b52a6e0b92102e34b85ffcb2c4ee323df6b9c

      SHA512

      7853f1bc1e40c67808da736e30011b3f8a5c19ddf4c6e29b3e0eb458bea2e056fe0b12023ceac7145c948a6635395e466e47bdd6f0cfa1bd7f6a840e31e4694c

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll
      Filesize

      77KB

      MD5

      7868ed46c34a1b36bea10560f453598f

      SHA1

      72330dac6f8aed0b8fde9d7f58f04192a0303d6b

      SHA256

      5c17864f1572acec1f93cf6355cfd362c1e96236dcba790234985a3f108d8176

      SHA512

      0cc913337e3334ff0653bc1fad044d9df60a8728c233dcc2c7f6139f14608740b70b57c25a9d2d895cbc4d59508779f342a72406e623d30365ae89fb2a3607ba

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\Smartbar.Infrastructure.Utilities.dll
      Filesize

      140KB

      MD5

      562ac9921d990126990c2f0bdce7081a

      SHA1

      f395458d8e328cf4809385fef3e225d01f8a8fc0

      SHA256

      ef84e1ad9cf174a9ab0bba648b56f2ffd17f4cb4421902b61559b544d812e738

      SHA512

      f52a9a62ca7d810804289ffe0300919eea529f2e0d4d07709309e101087809a5a004437184f3a3518fcd286db18947d78ce00bafbcbbe7b62a8aca4cf8295208

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\Smartbar.Installer.CustomActions.dll
      Filesize

      162KB

      MD5

      2120dbb0481374885af660346f503b9b

      SHA1

      0dad9f77c93325cbe2499efac70ebbbfd8e1a4b3

      SHA256

      ef0e1d3a5f58e797c47d1ca2999e6ab1e94520c3816a8264874920c26c9ae474

      SHA512

      46966d2eec899fbd48b8aaf5e72555cec3b2f1bc2481c2eb014d98078aa6b6e825144718fbe2aa7b23d816462645186abbfc2ebdc7a4f331d5087999f21ca68a

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\Smartbar.Personalization.Common.dll
      Filesize

      10KB

      MD5

      347b0b5d32b1a85b5450b08cfb6d2e75

      SHA1

      7bfe1857974a6c6c3e882624d820311c1e3bf670

      SHA256

      76a9f22039731c1fb3871876dd8c55d4ab75635367daa811ced5ed70eed950ac

      SHA512

      d79edc2546249f71a19faa1ee4aebdfd2faa8b6b56615740c93023255c81716de6c4af484bde506f7dcd80b607d8804313589e58b05dd2448d5c1fca3cd39e92

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll
      Filesize

      88KB

      MD5

      adb53ee43f74f430368449b98b2f6f86

      SHA1

      fb882d80da9ccf79c6817a492fbd686d4759bb41

      SHA256

      b7837a68ede7781286057de0b59b7bb9c7c29ff9e9ded32c7175cafe9de3b5ff

      SHA512

      8fc2cd5a585c8247274fbe8d53ac27faa1f2b0407d27e5e78d6917cfa94947ace2aa20ca670a5b87e3d7a939360691102ed9c7530ec997af1057064bcb9c085a

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll
      Filesize

      102KB

      MD5

      5dc8a7062040e05ad36bd83246954b05

      SHA1

      f6807be0413724076c8c384576ad9a5bc1413e8c

      SHA256

      d00f229036a6ea19e05c9838f2827fdb22b3003af4c7c97b37abf2ea36236dfc

      SHA512

      43cda9b7a57ae292b71df7a8f02c359b486a82162f92e2d8a7449f2b9c835a7ba44177477a7e0763a5698a4b2d9a025f8786c054950db3fab017edfdf4c17f12

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\sppsm.dll
      Filesize

      40KB

      MD5

      787104ad9dea702d115883c489be54cb

      SHA1

      b24680d170c610203df5e3d1d52b2b04f938dd56

      SHA256

      934230fc9da4c6eac4b1f916baec075ac5faf1a70af14dcdb62d3d06ca878cd3

      SHA512

      861147b8ed484a25a5ca9af8b7488896ee41dfd4eb57dafd4bb33455b03936c8fd930224fd9a1a0e8dcddf0fc33bc7adfc3ac48ca3ff430122f3ce18952fe312

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\spusm.dll
      Filesize

      10KB

      MD5

      e28c8d2fd64ba27d9b992fc325f26a9d

      SHA1

      d9ed413265967b6ede8787aa8c5e5734a4ea1358

      SHA256

      82d96714ac65e6e18e3da619cfd1367416bba5ed6d08db7bf312f8937f95f2ab

      SHA512

      e2fcc5972c48fa1d26d2df0b2c5ed4e34d15d7f08eb35510989441b4083f30d19f6d5fc2652ac42d11a3877f333ad4408c0cb547ecf7b948e1f324f719cfc739

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\srbhu.dll
      Filesize

      7KB

      MD5

      fcbe6dec3d2da2ac9fd2754cc9cf6ad9

      SHA1

      7954bdf16f99bf843c5c8053a078813d87c94254

      SHA256

      71688a7955124b644cb05833d8285b876c7ff336eb4478ce01e1f80b07f7b76e

      SHA512

      5975297ac6aaa7d85842079809f9be2ad57959da2687de4bb7aa0764bc16dd878c482a92d7c4a4ed484aa7683f60c90b870757165f79d7ae481b7f7897e94c39

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\srbs.dll
      Filesize

      174KB

      MD5

      7ec601a05f97c73fc2180e8c57efc9af

      SHA1

      7c99dcdcec211459b1d9d429e2ada2839876f492

      SHA256

      982d12314935e25a016da0bec644bc4c8bd02b0984eb70b76e081b3562a6adf8

      SHA512

      119e216313540f0fac30c1a8e531909dbdc8022735a9fb73b80c8bbbb2ff0548cdf911e640cd19827acff703c95b1d8db0ddf3ed61d056e9e4d4f437b8c88e7b

      Download Submit

    • \Windows\Installer\MSI9941.tmp-\srut.dll
      Filesize

      22KB

      MD5

      feba43763a9b7fe1c94d681055d10167

      SHA1

      49d30dedf868accf07e6895e1699a4d751235fd0

      SHA256

      0634fa964eba9baed92e2a935aef925fdaa921a35424b6ae9bfaaace932dc49d

      SHA512

      680116cfe66472c4d6ae9c94d74cd3fe8cef1c9beade27c19e58369c2c6f238f9e63019d7ea2b8b35689b7c0e812f2ee49d26a56e6972d3e21dc5f7312cf81ef

      Download Submit

    • memory/904-1588-0x000000001C0C0000-0x000000001C866000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/904-1589-0x000000001D020000-0x000000001D7C6000-memory.dmp

      Filesize

      7.6MB

      Download

    • memory/2088-17-0x0000000074991000-0x0000000074992000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2088-2516-0x0000000074990000-0x0000000074F3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2088-249-0x0000000000C50000-0x0000000000C90000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2088-16-0x0000000000C50000-0x0000000000C90000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2088-417-0x0000000074990000-0x0000000074F3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2088-21-0x0000000074990000-0x0000000074F3B000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2272-1275-0x0000000003290000-0x0000000003373000-memory.dmp

      Filesize

      908KB

      Download

    • memory/2272-1178-0x0000000000440000-0x0000000000460000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2272-1151-0x0000000000710000-0x0000000000736000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2604-1506-0x0000000000C00000-0x0000000000C18000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2604-1507-0x0000000000C00000-0x0000000000C18000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2928-1561-0x0000000000AB0000-0x0000000000AD6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2928-1560-0x0000000000AB0000-0x0000000000AD6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3040-1616-0x0000000000890000-0x00000000008B6000-memory.dmp

      Filesize

      152KB

      Download

    • memory/3040-1617-0x00000000022A0000-0x00000000022C6000-memory.dmp

      Filesize

      152KB

      Download