Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27/02/2025, 23:28

General

  • Target

    2025-02-27_4a536d5a79d6ae2382bf20b6127235d1_mafia.exe

  • Size

    8.6MB

  • MD5

    4a536d5a79d6ae2382bf20b6127235d1

  • SHA1

    35a5745456a8ee88e45c400b06e97c92b689f815

  • SHA256

    456e2d97840aa868aff95b0151d654e015fb408bb09830efd891b2d9fc4b0852

  • SHA512

    bb2cb51d665fcb65f737801883f6f98cc1832ec9a46a7923dbc163979eadacbb0717f1bfc57d5ae04f9583d5d07050dd8ae0c622a93d20a499a4425c36e569dc

  • SSDEEP

    196608:qHYiRk/OK70/iZADU91h+RzPhnJHBj7WNqGDiwn+eeCw4K4E:7DfADU91h+tbpWQGDCL

Malware Config

Signatures

  • Blocklisted process makes network request 6 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 64 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 2 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 4 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in Windows directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 40 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 33 IoCs
  • Modifies Internet Explorer start page 1 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-02-27_4a536d5a79d6ae2382bf20b6127235d1_mafia.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-02-27_4a536d5a79d6ae2382bf20b6127235d1_mafia.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4032
    • C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msiexec.exe
      2⤵
      • System Location Discovery: System Language Discovery
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:3404
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi /quiet
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:4276
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 2F79D706D80347151A6E6B1096795080
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIB9F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240630312 2 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationStart
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:980
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\fwdtksct.cmdline"
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:888
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBECD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBECC.tmp"
            5⤵
            • System Location Discovery: System Language Discovery
            PID:5056
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIC0F0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240632046 6 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationRemoveFiles
        3⤵
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2828
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSICA67.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240634500 52 Smartbar.Installer.CustomActions!Linkury.Installer.CustomActions.CustomActions.InstallationComplete
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies Internet Explorer start page
        • Modifies system certificate store
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3708
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:2492
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerExtension.dll"
          4⤵
          • Modifies Internet Explorer settings
          • Modifies registry class
          PID:4344
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          • System Location Discovery: System Language Discovery
          PID:3292
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" /codebase "C:\Users\Admin\AppData\Local\Smartbar\Application\SmartbarInternetExplorerBHO.dll"
          4⤵
          • Installs/modifies Browser Helper Object
          PID:320
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:5064
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Microsoft.mshtml.dll"
          4⤵
          • Modifies registry class
          PID:1908
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:1096
        • C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe
          "C:\windows\microsoft.net\Framework64\v2.0.50727\RegAsm.exe" "C:\Users\Admin\AppData\Local\Smartbar\Application\Interop.SHDocVw.dll"
          4⤵
            PID:1168
          • C:\Users\Admin\AppData\Local\Smartbar\Application\Linkury.exe
            "C:\Users\Admin\AppData\Local\Smartbar\Application\Linkury.exe"
            4⤵
            • Executes dropped EXE
            • Drops desktop.ini file(s)
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of WriteProcessMemory
            PID:2712
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w4t2glwr.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:3236
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEB7A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEB79.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3772
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xqd4g0bj.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:100
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC16.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC15.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1528
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rvwd_kme.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3612
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC84.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEC83.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2372
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\poavwc0a.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1392
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED01.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCED00.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:3116
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4fr5_epr.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4224
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESED7E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCED7D.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4760
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bazepliw.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:220
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEDFB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEDFA.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4928
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\h2dkwaev.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:112
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEE68.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEE67.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:1540
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ofioikyt.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4084
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEF43.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEF42.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:2232
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hbla_vtk.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3216
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF03D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF03C.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4900
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ahv3ytj5.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:3656
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF29E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF29D.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4652
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\j2gggc_h.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:4732
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A17.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3A16.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:996
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oazwvgnl.cmdline"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:116
              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
                C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3B50.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3B4F.tmp"
                6⤵
                • System Location Discovery: System Language Discovery
                PID:4816
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
            "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qetoauqj.cmdline"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2220
            • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
              C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4D3.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE4D2.tmp"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:1820

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Config.Msi\e57b633.rbs (95KB)
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\5457A8CE4B2A7499F8299A013B6E1C7C_D734EC3DD00546F46D368325396086B0 (5B)
    • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data.temp (114KB)
    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\rundll32.exe.log (491B)
    • C:\Users\Admin\AppData\Local\Smartbar\Application\hs3kh6pn.newcfg (12KB)
    • C:\Users\Admin\AppData\Local\Smartbar\Common\icons\B1BEF453-913F-4EC4-B057-A2BB21C09DCBpress.png (4KB)
    • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\PublisherSettings.xml (15KB)
    • C:\Users\Admin\AppData\Local\Smartbar\DistributionFiles\Configs\UserSettings.xml (2KB)
    • C:\Users\Admin\AppData\Local\Smartbar\Linkury.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.2.0.0\4ebiuhkp.newcfg (600B)
    • C:\Users\Admin\AppData\Local\Smartbar\Linkury.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.2.0.0\9x6q0m1j.newcfg (535B)
    • C:\Users\Admin\AppData\Local\Smartbar\Linkury.exe_StrongName_vuedtbpoockmp1sq45awfxuouevabx0i\1.2.0.0\user.config (471B)
    • C:\Users\Admin\AppData\Local\Temp\RESBECD.tmp (1KB)
    • C:\Users\Admin\AppData\Local\Temp\fwdtksct.dll (68KB)
    • C:\Users\Admin\AppData\Local\Temp\smartbar\HistoryWrapperService.dll (383KB)
    • C:\Users\Admin\AppData\Local\Temp\smartbar\Installer.msi (7.4MB)
    • C:\Users\Admin\AppData\Local\Temp\smartbar\Setter.dll (299KB)
    • C:\Users\Admin\AppData\Local\Temp\smartbar\sqlite3.dll (353KB)
    • C:\Windows\Installer\MSIB9F9.tmp (977KB)
    • C:\Windows\Installer\MSIB9F9.tmp-\Microsoft.Deployment.WindowsInstaller.dll (172KB)
    • C:\Windows\Installer\MSIB9F9.tmp-\Microsoft.Practices.EnterpriseLibrary.ExceptionHandling.dll (77KB)
    • C:\Windows\Installer\MSIB9F9.tmp-\Smartbar.Infrastructure.Utilities.dll (12KB)
    • C:\Windows\Installer\MSIB9F9.tmp-\Smartbar.Installer.CustomActions.dll (115KB)
    • C:\Windows\Installer\MSIB9F9.tmp-\Smartbar.Resources.BrowserHelperUtils.dll (7KB)
    • C:\Windows\Installer\MSIB9F9.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.XmlSerializers.dll (72KB)
    • C:\Windows\Installer\MSIB9F9.tmp-\Smartbar.Resources.HistoryAndStatsWrapper.dll (61KB)
    • C:\Windows\Installer\MSIB9F9.tmp-\Smartbar.Resources.SetBrowsersSettings.dll (137KB)
    • C:\Windows\Installer\MSIC0F0.tmp-\CustomAction.config (806B)
    • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch (416B)
    • C:\Windows\assembly\tmp\DGEACC5A\System.Data.SQLite.dll (890KB)
    • C:\Windows\assembly\tmp\TGHPU1R9\Interop.SHDocVw.dll (141KB)
    • \??\c:\Users\Admin\AppData\Local\Temp\CSCBECC.tmp (652B)
    • \??\c:\Users\Admin\AppData\Local\Temp\fwdtksct.0.cs (144KB)
    • \??\c:\Users\Admin\AppData\Local\Temp\fwdtksct.cmdline (614B)
    • memory/320-888-0x0000000002010000-0x0000000002036000-memory.dmp (152KB)
    • memory/1168-892-0x000000001C710000-0x000000001C736000-memory.dmp (152KB)
    • memory/1908-889-0x000000001CE40000-0x000000001D5E6000-memory.dmp (7.6MB)
    • memory/1908-890-0x000000001D5F0000-0x000000001DD96000-memory.dmp (7.6MB)
    • memory/2208-794-0x0000000000680000-0x0000000000763000-memory.dmp (908KB)
    • memory/2208-710-0x000001CAC1F40000-0x000001CAC1F60000-memory.dmp (128KB)
    • memory/2208-681-0x000001CAC1B90000-0x000001CAC1BB6000-memory.dmp (152KB)
    • memory/4032-891-0x0000000060900000-0x000000006094F000-memory.dmp (316KB)
    • memory/4344-886-0x000000001EED0000-0x000000001EF6C000-memory.dmp (624KB)
    • memory/4344-885-0x000000001EA00000-0x000000001EECE000-memory.dmp (4.8MB)
    • memory/4344-884-0x000000001D330000-0x000000001D348000-memory.dmp (96KB)