435e9543dd0cbcac3848ecdc102ccf54f393faed95f7374ff4591e5427ca00b8

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.msi
Size

2.6MB
MD5

959a8c7e22f65f450f54d1b4f81ec7f8
SHA1

01b0d9739bdda255096c1e12d52fa0f8bc0ca8cf
SHA256

435e9543dd0cbcac3848ecdc102ccf54f393faed95f7374ff4591e5427ca00b8
SHA512

1bfc3bb943a9af604d46023e6a392928d079557a004e68e74f0b5815952d8ecae8bbe63312955ae70d01cdf6a5d35a9f440f0bfaf919b1aea7d45a71dfb63978
SSDEEP

49152:L51VAM5R2KAHlcp8qFmmzDza2Rqr+kMdPTEe/pjO8xn+ch/TlOFNOnUI:LPCMr2NMRmk/XeM9TEeRvx+ch/TlAr

Score

6^/10

discovery

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2220	msiexec.exe
5	2220	msiexec.exe
8	2220	msiexec.exe
10	2220	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AgentPackageAgentInformation.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	AteraAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt	AgentPackageAgentInformation.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f762ede.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI353A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f762ede.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f762edd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FAA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FAA.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\f762edd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FAA.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI349B.tmp	msiexec.exe
File created	C:\Windows\Installer\f762ee0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2FAA.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2FAA.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI34AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35E6.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
2104	AteraAgent.exe
904	AteraAgent.exe
1540	AgentPackageAgentInformation.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2376	sc.exe

Loads dropped DLL 9 IoCs

pid	Process
1576	MsiExec.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
2016	rundll32.exe
1576	MsiExec.exe
1508	MsiExec.exe
1508	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2112	TaskKill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageAgentInformation.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Version = "17301510"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\882A5F5CFF587524FA965D19E026865B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\882A5F5CFF587524FA965D19E026865B\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\PackageCode = "8461E24D8232BC14CB270C3BD27759E8"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\882A5F5CFF587524FA965D19E026865B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Assignment = "1"	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba87030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca60f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca6040000000100000010000000a923759bba49366e31c2dbf2e766ba872000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2572	msiexec.exe
2572	msiexec.exe
904	AteraAgent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeSecurityPrivilege	2572	msiexec.exe
Token: SeCreateTokenPrivilege	2220	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2220	msiexec.exe
Token: SeLockMemoryPrivilege	2220	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2220	msiexec.exe
Token: SeMachineAccountPrivilege	2220	msiexec.exe
Token: SeTcbPrivilege	2220	msiexec.exe
Token: SeSecurityPrivilege	2220	msiexec.exe
Token: SeTakeOwnershipPrivilege	2220	msiexec.exe
Token: SeLoadDriverPrivilege	2220	msiexec.exe
Token: SeSystemProfilePrivilege	2220	msiexec.exe
Token: SeSystemtimePrivilege	2220	msiexec.exe
Token: SeProfSingleProcessPrivilege	2220	msiexec.exe
Token: SeIncBasePriorityPrivilege	2220	msiexec.exe
Token: SeCreatePagefilePrivilege	2220	msiexec.exe
Token: SeCreatePermanentPrivilege	2220	msiexec.exe
Token: SeBackupPrivilege	2220	msiexec.exe
Token: SeRestorePrivilege	2220	msiexec.exe
Token: SeShutdownPrivilege	2220	msiexec.exe
Token: SeDebugPrivilege	2220	msiexec.exe
Token: SeAuditPrivilege	2220	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2220	msiexec.exe
Token: SeChangeNotifyPrivilege	2220	msiexec.exe
Token: SeRemoteShutdownPrivilege	2220	msiexec.exe
Token: SeUndockPrivilege	2220	msiexec.exe
Token: SeSyncAgentPrivilege	2220	msiexec.exe
Token: SeEnableDelegationPrivilege	2220	msiexec.exe
Token: SeManageVolumePrivilege	2220	msiexec.exe
Token: SeImpersonatePrivilege	2220	msiexec.exe
Token: SeCreateGlobalPrivilege	2220	msiexec.exe
Token: SeBackupPrivilege	2528	vssvc.exe
Token: SeRestorePrivilege	2528	vssvc.exe
Token: SeAuditPrivilege	2528	vssvc.exe
Token: SeBackupPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	1944	DrvInst.exe
Token: SeLoadDriverPrivilege	1944	DrvInst.exe
Token: SeLoadDriverPrivilege	1944	DrvInst.exe
Token: SeLoadDriverPrivilege	1944	DrvInst.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeRestorePrivilege	2572	msiexec.exe
Token: SeTakeOwnershipPrivilege	2572	msiexec.exe
Token: SeDebugPrivilege	2112	TaskKill.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2220	msiexec.exe
2220	msiexec.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1576	2572	msiexec.exe	32
PID 2572 wrote to memory of 1576	2572	msiexec.exe	32
PID 2572 wrote to memory of 1576	2572	msiexec.exe	32
PID 2572 wrote to memory of 1576	2572	msiexec.exe	32
PID 2572 wrote to memory of 1576	2572	msiexec.exe	32
PID 2572 wrote to memory of 1576	2572	msiexec.exe	32
PID 2572 wrote to memory of 1576	2572	msiexec.exe	32
PID 1576 wrote to memory of 2016	1576	MsiExec.exe	33
PID 1576 wrote to memory of 2016	1576	MsiExec.exe	33
PID 1576 wrote to memory of 2016	1576	MsiExec.exe	33
PID 1576 wrote to memory of 2016	1576	MsiExec.exe	33
PID 1576 wrote to memory of 2016	1576	MsiExec.exe	33
PID 1576 wrote to memory of 2016	1576	MsiExec.exe	33
PID 1576 wrote to memory of 2016	1576	MsiExec.exe	33
PID 2572 wrote to memory of 1508	2572	msiexec.exe	35
PID 2572 wrote to memory of 1508	2572	msiexec.exe	35
PID 2572 wrote to memory of 1508	2572	msiexec.exe	35
PID 2572 wrote to memory of 1508	2572	msiexec.exe	35
PID 2572 wrote to memory of 1508	2572	msiexec.exe	35
PID 2572 wrote to memory of 1508	2572	msiexec.exe	35
PID 2572 wrote to memory of 1508	2572	msiexec.exe	35
PID 1508 wrote to memory of 1892	1508	MsiExec.exe	36
PID 1508 wrote to memory of 1892	1508	MsiExec.exe	36
PID 1508 wrote to memory of 1892	1508	MsiExec.exe	36
PID 1508 wrote to memory of 1892	1508	MsiExec.exe	36
PID 1892 wrote to memory of 1056	1892	NET.exe	38
PID 1892 wrote to memory of 1056	1892	NET.exe	38
PID 1892 wrote to memory of 1056	1892	NET.exe	38
PID 1892 wrote to memory of 1056	1892	NET.exe	38
PID 1508 wrote to memory of 2112	1508	MsiExec.exe	39
PID 1508 wrote to memory of 2112	1508	MsiExec.exe	39
PID 1508 wrote to memory of 2112	1508	MsiExec.exe	39
PID 1508 wrote to memory of 2112	1508	MsiExec.exe	39
PID 2572 wrote to memory of 2104	2572	msiexec.exe	41
PID 2572 wrote to memory of 2104	2572	msiexec.exe	41
PID 2572 wrote to memory of 2104	2572	msiexec.exe	41
PID 904 wrote to memory of 2376	904	AteraAgent.exe	43
PID 904 wrote to memory of 2376	904	AteraAgent.exe	43
PID 904 wrote to memory of 2376	904	AteraAgent.exe	43
PID 904 wrote to memory of 1540	904	AteraAgent.exe	45
PID 904 wrote to memory of 1540	904	AteraAgent.exe	45
PID 904 wrote to memory of 1540	904	AteraAgent.exe	45

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2220

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B19FDCDBB6DFB2BAC15974AD5CD9C053
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI2FAA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259403891 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    PID:2016
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8D0E927A77B51C1272924718EC74A5E M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1508
- - C:\Windows\syswow64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1892
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      PID:1056
- - C:\Windows\syswow64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2112
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000007gaJEIAY"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2104

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "000000000000039C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:904
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:2376
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 55402a9d-8f81-4b6a-a3bc-cd7715f8d746 "428053cf-d781-430b-891a-71d5d60743f6" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f762edf.rbs

Filesize
8KB

MD5
2eee398fb5e51d61c0ed74a3b115a19b

SHA1
6c2944ea7e31b562348148f46dfa482f4c07e5d5

SHA256
4aff9e702a216e0b94bb16408c371111c36adab28f88ec3e62f91c3208262122

SHA512
4d3516c9352f1aff9aba0c5029e48fcfedd9a29ec58b6dd6f454b5b2e0ebb94763064e5c08bb22e85aa33598721d506fcdb7038eb07b5088e9abbb53dc60dd3b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
140KB

MD5
2899046a979bf463b612b5a80defe438

SHA1
21feaa6f3fbb1afa7096c155d6b1908abf4ea3b9

SHA256
486b2c2b0ca934ab63a9cf9f4b660768ad34c8df85e6f070aec0b6a63f09b0d8

SHA512
8c60eb0d9e82326543f2fbcd08783e041a7f5598723666b1c9ea5df7808d0c4947e8e64c2dcd46331bc3dbc38c6ec8b85ed2fcc5b97eaf0465ea624167829368

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

Filesize
209KB

MD5
a41c23558b3c07f8c749844bb553d545

SHA1
8473013cf5f2be8158c13f1056675d1cbd10586f

SHA256
a6193fc0a09ad7145fe38494bcf67fecbc10c07a5f3936e419895b018e85a766

SHA512
5930f14f3be4aed70a1ff93dbb75022c2d947a0a2344031992167d72192e0a51d207fc2255cb0ca1fb21b20b1277a528bbf739bbdf8676f7a0786efd132b436f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
64e122b28a1e548c1cca376e32cdd248

SHA1
4506de40b8422c9be58333f35325a86674ca650c

SHA256
0ee2dd095b1cc4c3cda44a237a188e16c8614c107ad9d37ad8a581473ad42215

SHA512
36fc7dd056303822b23f9173b43522dee23431a419bdbae43a850e87f37b936b34ed2ef5013997d6d8b59d74627d55b0cc622da751d3ed828c850c7982a0d8fa

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI

Filesize
12B

MD5
e1d717a53b79233000376e06e7e818fa

SHA1
e9f5a584cc49acaf36d4837802b9a3ea7b5144e8

SHA256
b670eba39ceb4441a7c9b00d2ad56c22c762a985ab3620fa2df94af6a05d3bc0

SHA512
759a6ecbc46bac091a9c712f69125ea739651b185d1ffb26f79bffaf0d5c79ec10f9cb42408e098a89f0408f434919500cf07314ac4eae0948e4aba7a099178f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
163KB

MD5
3723dec9f9f58e9548cf705a08272aa7

SHA1
0eb60973068ba24edd449bed2be05c64a17c46e7

SHA256
2906684ef97d39b4aba921be2728dc50458b66045c328adedc33fe483a7ca877

SHA512
469b8ca4a0dc6433c90c141320ddcdf77e6b529f660326b249fd4a9d8bc22281079fde6ab71e02b03656f13f5af6d1c4185ac62ce470786091794b33d1433530

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

Filesize
546B

MD5
158fb7d9323c6ce69d4fce11486a40a1

SHA1
29ab26f5728f6ba6f0e5636bf47149bd9851f532

SHA256
5e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21

SHA512
7eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
3ca5eae6bc6b5b68e86d7e94da6680b4

SHA1
8b1506e53cd0cc830450cf864bc300b9b249899d

SHA256
d297eb8b6b451e47bdd5118a311c30220a392c2e1c606004d822b8db978f6855

SHA512
c7d19f1e66d50a0891284c9aedea9bbed9fa82c0aa119c6c6b1e3ef23167727db89c741a70d8673d29aa652b1f97c61f821e5609d16151749f05b83816cdd16d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

Filesize
687KB

MD5
74b54353c4e2834907dcf55d0c329050

SHA1
bdf81278635673ed3c3f7d9243c56338b18ba950

SHA256
a0fcf15c913a9871724f36fd280aa3654a1325c24c46da42704fb79c72860608

SHA512
6b4d54bd31310fb5c1936e64c5d1fc7213fa672db1ee18953b62491724c6c407632f9999d8edcab9f15a8b99479572e11e00194b2be3008ba238a5675cdc44f1

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt

Filesize
23KB

MD5
16b924fa56931c5a26e433f835b3e359

SHA1
3876eed2db19e68ee1ab14efa924ca6a6bf403fe

SHA256
d1b6f2a9bc36d75498f14d2d8cfbc889ce09c5dffb7ad1ec9ccc56e06df05984

SHA512
1bafbc26e53e5ff0e45eb5ff08b31c8a2a7035fb1853d5257bc92165910b2d0e3aee360d19708067a2b795fc2ba1d1792242466e3efb349eef0459a74dfead92

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
82b17dc9838e1e21e5c6f53d2867e94a

SHA1
a09bfe6582bff9193337cc7dbab79d0b6b723205

SHA256
8e7210c1cd0955aeb4cbbdce362d4c450e0bf1be47bdf263fbf2789a4d98fd00

SHA512
c1b259655e2514449366f2d150d020a1eabb0e67af29c5e26c3a00f1d84d805216016c306d48e37354de09d4a056dc071c0d0d0d36f8ec9775843e6ae2712430

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
158B

MD5
4db9233ffdd1abfa529055201d47c755

SHA1
8221ff3679ac505b4b6ef25a3ac7871ba921e8b7

SHA256
866acaede23d7468c4e91186206b2eaa0db3a4ae673592cbdb90b1793d87f71f

SHA512
37a4f105818f1a2b0c2b5c34c7ab1cfd50d916f0421f61df55da6587eb5599b4a919e4c3fd3c146683349d621c5f30eda6864c742372efa6c68d0e31feb62ce1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
9abfa0026b796b2b4c474f15856623d5

SHA1
4bcac56e75dfac0dff2a1afe4dfccb38983ddf9d

SHA256
958b9885c158e596f721373a787b680dd30a793a5620545b6d038eb6761614bc

SHA512
12e703681f826a57fe73268611e49ec077e531427c16b034e45c9435e5faa19cf0b2117bd803b041501bf199965ccf4abc81c95639a6dbbb3777c64be137b568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
727B

MD5
acacf23d53fada183c9e96be5834f2c6

SHA1
64ad8008fe5a583fc141c68b77da4f768b24f57b

SHA256
3bf90b75af73cb7be45748ce7a0aa083cda22cb817fb5265496490102cca6d05

SHA512
11da415131ca37d9832f3f4e3e5ca2d3e9414b0c40233ff1a738eb7e95dcb9d4e0e7935b0e4bfa8d1f2e4b148926e9935c0b2051b83784b1bcf8a51eb8df20e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
7919a6e82e13fdbc3b9bceff3e812dd9

SHA1
9e7a44e513d57bd7caee81e3d53bf01d44dc06e1

SHA256
e6638bbbd6c7095af8928670b9a5ee874ecc1b40778cd1226614f1db6d4e7730

SHA512
6947c67e7c9a1281083ee1494ba504fa31d78c636650d7efcd12b4a16aaf78d1b077e2be3b94cf36d4fdc7fb70848ecdf76759f69b3f5c5bfe5d2563137482c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
ba84f6015422383ce93e6d4488c9baa8

SHA1
245f8cc758e4e5e0d7a08695161939b356ee8271

SHA256
2335115b1378715098002b79c131be83487905cb9510077f3cb57ffbde6a57db

SHA512
93911964cc6f406979bfa6ba0fd2a89b4618e793d029575082175c74270b4b2d40f0f49424e74955057c9f4f22c1b8b37c9dc2da374a030716f9159d569b938d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
404B

MD5
8ccef5ad664ea2ba02e3f50103dd3928

SHA1
ebc765e34b8636bbe240461682f4e95aab93246a

SHA256
24c71abc72cb6b2ade2c53349920077a2031efe05b12646101e23a3c60e9f923

SHA512
0eb5de93809b854ab5863bdb3e06371a3ed20517844c9cf000bb2107a4e4d38734d36e389c07fd081d71610f42a4afab9886c092ab28c9950153c55b29d4bde2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a3efcd741728674cded3d5627647bab2

SHA1
31d14e0669d98dd3c06a93ff5177b98d08141fc3

SHA256
78b24d527d5e77e67bdd4f3bd7800fa15e5f0b7c3e9a09f96e2ff98d7ac978bf

SHA512
2137fc0952d44dc322159b18b83e6bada294231e039711d61e8077b27d3b97f366f6bcffa8879f65a6cc3dca5dbedcb9a259ee12f9df591683a14fae3de0c295

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
7395141f2f3f21b5cb77dd6cc479e1f6

SHA1
2286a806b3ac089778076d358edae17aa291e75e

SHA256
c9fa14b1e3f8cb3f9659d5ab329d89be506868e470148b22fdc883511d0092b8

SHA512
282cf9b06883d6958cae7e883a47532e773dde370bdf02e87db34b213421b898e9ea144da24b662a6179a419495d242fad9322231449cff05365ac1e45ae55e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
d18e5c36db5061722378478b3fd485f7

SHA1
4553cb4fac8f34f44245f1662f1edd2c9d3ee40c

SHA256
2bf42395f879dddbe10ddee7636ccc98ac13cd5488a9d7bf0e74dbec516100ce

SHA512
bd3b6b047337ae0f5c2f7e039d2c654127d5a52f5f8904258c6355a94d86a5e11c756c5ef684fb36dc1f5bc7ceac0cfef7945919a55fa35f21d4e532f7bd37cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2F3C.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Windows\Installer\MSI2FAA.tmp

Filesize
275KB

MD5
672e03b9d7a2d50f3e935909a198928b

SHA1
6cc8a45126243c6ad8a6336ef1789e6a8b5dd33f

SHA256
c4772f8a8761f052bd0336923539699ba2f358ac203beb197cda576146e05a0d

SHA512
bf5833ea48942319d560fb4dad62997fa5495e0d9c634361d919d3328364d0f4a999dfb56590d48227c3690d8a867b022f6d5fd01c46f27d2ad6421d88380372

Download Submit
C:\Windows\Installer\MSI34AB.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\f762edd.msi

Filesize
2.6MB

MD5
959a8c7e22f65f450f54d1b4f81ec7f8

SHA1
01b0d9739bdda255096c1e12d52fa0f8bc0ca8cf

SHA256
435e9543dd0cbcac3848ecdc102ccf54f393faed95f7374ff4591e5427ca00b8

SHA512
1bfc3bb943a9af604d46023e6a392928d079557a004e68e74f0b5815952d8ecae8bbe63312955ae70d01cdf6a5d35a9f440f0bfaf919b1aea7d45a71dfb63978

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
019e8fe85254f69a6fd6a5904141beda

SHA1
b523ec4320e3af9e825e4fc084e41821a97dfbb3

SHA256
c4354610e069cbe46320e51a315aabed8a86ca941c47a58294dc0dc9642923eb

SHA512
28aad3858196f0d50bf88fb6a7a789f4852983a50d5d0eebb76ddb2ebadb5dcb84e1a403b054212352ef50f8caa2ed19b5633ca87238849a57b286f6f1cbaac9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
00eadca9508431616b38366fd7628742

SHA1
69af9efe9d469fc362ab2fe462310baecbf6b29b

SHA256
514d3e3322988e9d39cbc82218d266ddfb4d7a56652786d09d693f45da769b5e

SHA512
aedf74d4077df9cf3ce60e96e443f27b1f53e159e8e8f8c532e2c7b1a290966003ea7d4f69a9714434ea8f652024ddd4bfcff1e6b54e9ef6d9442ac33935573b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
507e5af4fb140cba2f0cc04ebc65b73d

SHA1
99841e188c6e3d4f809fbe733c168354c2416143

SHA256
90a2676dc468a8005d371ad7e1f3bfc6df2dafad018b91182f6fb9bbea9bc07a

SHA512
75b2951736d25fd8a88467d91b6575e3ab1efa525ceb1ff8e4a5f76c85fe0c21141b933f4050cd10f489c7b5e6543ac1b8053082b5642ba8cf829ac66f4a162a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d8c48dd3bafbfd951fe9dfc2e7e1c9b1

SHA1
746f55313549f68467b9b78de51c9d0ca9b0804a

SHA256
cac367d0170d751828d0245e261cc7a0550b867b639a43e9487b394b0a1e864a

SHA512
16d3e331241c177736b590f2c6605a2a6930e2e6b330759b5f5087c7cc2b08ab6c170bb035cce4a28c359bc60362439f63e3c4ee6b39814634c6077088a47758

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6b9a59403edbbd66dbae351dd43eb257

SHA1
787cc3f9f8d70442384a9a266b34a2a9ba68d6cd

SHA256
a76f4945a46a403d376d40be9e8991433ec5c41513812bea1bfabcdc2858f5d9

SHA512
5a77fb398f3630aa5c81d83ee78335ab883e538ae8c65e564d24d8152fce35583dde77416242c9ffe7d636445edf02932736f5d899160d026bc60a672a818787

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e2fba029125ce2128c2d247113c304b

SHA1
5b0ab03c949a76163038003344ffba643acdc6a6

SHA256
f43c9c84c18c17efb3155bbef7870a2a19160890e28179ab4b2443c18612f4e0

SHA512
1a8fe952c234f41186d17e55d374635dd5837cbe1eb1a425acced270b3c49dd4ed4226090ae78f17ecfc3f5b44adf5f07651ed3533ae676d5578512dae56737a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9ce7d88fb6526b7b4c2401e6aa92625b

SHA1
20c1485c6831759b9ca4164aaffa3c6909d3b8d8

SHA256
7e3f3e396542733960d21b398b381545008f7caddc0fa09f1e61de6374d3f6cc

SHA512
bd8e9fc729177a3cc5bec82cd3e6f328e1398695d6fcd22e848eb1b635259994c6d2f91128d0a4ad696d8639e36eb27bbe1604bef31f82b1364a1c4b89b83cec

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
ab9c7beb37009587f16ac7ffdbfd45df

SHA1
f9d579a153254bdc337e7c2584bce409006fbd3d

SHA256
ff7678bffb6acb1ae0896ef6bda3b6305bb00259223de09e9f8c11b9a268cc4e

SHA512
1a0274942f26dfc99cb246e2a6b0a125977f5d33f1fbc830cfe5b194e2d8776b468a1025359f040c434697df5108969703b14a0fdd42a56ae24e4b8031f7f0a1

Download Submit
C:\Windows\Temp\Cab4894.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar4905.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d33f525f5d8c7c2db1ddb93ff422da9

SHA1
3f044ee9686313649db05a41b6182aead893d1f5

SHA256
e0539cb34e8f745bd577bb968e45f649addd7b081d13f5a4c1e1d951fc3e3833

SHA512
3e96ac9e2566bc84d5c757d4a2727e00be94f58a36e969de147b10798d77022a70b8bacbc670bba57b92434cf1edf411ab8c966d24fa310006e6ee63fcc50f69

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
89bbb9aa71635aadab99d430dce67e16

SHA1
c0f98411a81686f347ea7e85cfbf7b5e006c71a3

SHA256
c2a2847c126a15fb8ea18dbd6a8d53c0719957c03fc8f1c9a1da50fe2e0fddee

SHA512
5bc03721ed617c914eff07ff2ce543ac17d22c5d5774466b70cb006851945ef3381be6e30ab5089ee3c37b5f32064249e65d2182f50240b2b4c8255488b20d76

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8bb9d380d54bec55bd68f4f830b41bd3

SHA1
8fcada0a575dd6019e8dc3a7e8c7283d57c6c88b

SHA256
02c3ad375a6df009a6cbd6006467f916bb28ce8155dca80cac8c98267b5cfa33

SHA512
93757ff21c021770038c3fcd60f75f25800a691d8159474b8839df69b028cefc94a7691992c73f930eb5fac87d810c38062904d22f159eee55ed67342f4a17c6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b49aa3230041ed410281a5af17d47e1e

SHA1
3692032d66de690ddd963f6428175fd3a3ae521d

SHA256
8be8e8814e8e89057c1793ebc0b98c4c2f482e98a373cdf4b9e577a39898e417

SHA512
5304e34dc431dfb3a882d56b85c5e3a03954c507cc0a1b885fc61e42988daf4300eb93b5cd256af5e86f4f4798241cbea1b696f202f6376e6e357b3d735adfe6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
db3a315aa6f3bf88d93a1bdfa3753164

SHA1
85b699e39a9ebf9cbd182e5ae108e667d2cf9e2b

SHA256
bc3b3d10377d9b8f369ef18c19fc9bc46f00917ed1a11b152f87cbc3b24be163

SHA512
5b46f7ea509666f998acc20c17d58109a120d0f071ee20ba742db39bd1220ec2e194ffca6f3b209a14d5172486e30c44cb0e85b6fc7572e947141b44bc79adbc

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7dbe79bf7b580b3c932a090817c0d2d7

SHA1
6ef68105b381d201df573b6f018d0f5720e05084

SHA256
14cb3f30b1fb4e159e4ee3d4a9a25f777b69d4124031d9726241a649f24b69b7

SHA512
8ff474a70c4c4a823a11fa96e6e96614712387b0aa832e454112760b1b76ea8de327a729d4754e436c1ec0b2186481c0276c8a9dba761720a06349ac1f236ce5

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c291d8b0e8f9f324d6c9671ec477b02d

SHA1
fa8f6d443fb12f6e1a17ea2536f6db36a3b0b8a7

SHA256
87fb95709394ffdb04a5ce8af6a5451aeedc90a1561aa28bf31dae0b7303fe85

SHA512
f18186e780a06a337571380525bf4dff9b3ca1ab94c61f357bf8be5988bb00c2c834175cc03f6fb9a7f2ab0bc2247bcb9b74fd0600d667a22da890ea1443badb

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
29f43340ca42d547010af7fe842b996f

SHA1
2d012dfcf5e33256967de80492918d282b677a09

SHA256
5da7131d01f5822bbeb4032b6836c8afa4bd02bb6af074d0298c6c70c37a503e

SHA512
235544108b8582e9d49b881c3996cf9ac3ecdc3ef2cc9c912e75e5ce1c68cb488eaeb9b256c8fdef95eaf8047127021ab5699ebee920df8d13dbf0c018559540

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
cb3f8bd109202287960148f01e87a96d

SHA1
8188d1e3dea2b193c6a922128c173ef9a58ad22b

SHA256
7a44028bd3056182a99f7ef2663e1e75475c304ed5082835d837c54d71497a6e

SHA512
1d1cd897d87148a1c27fa63160ebfee9371a9f6b36ce85208bf02b527a3947e135ee8a13bf20b47f1300a9ba3e19bc8e180a6102456ad4942b7682c60ae8a763

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
addd6796a22665cadd0eea15474b572a

SHA1
ef3688f3336e9e25ed50356c6ad90354dd96b0f6

SHA256
d761b63fb9a5ebfdd7e1f438435d17d1640beced05e89f483dfb8ee14e5a3d1a

SHA512
905910e4fd855f98c08ff103259986bfa8d03be8f16ff437ba9ed5f5a6f61e86a1e3344ca299122f42a30cdcc920c39f6abd1c2c664ef0ffea2c9071567bd3e7

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
df5f579ec9336d155c9802a5eadfbaa9

SHA1
f237aed6538818bf79881d9bf53bccb5bf875572

SHA256
afd3768265b47b4508b0747476f6938f1ce41a7daf1954fca3e4776c57d5549d

SHA512
cf0e3e6cf3f37ad7d06dd3b08a9896beb1b90e0318dd7431a5f0f2a6c69c98c92aeb67b2b49f51bf89c590244013875f7137124f49da0f28149a3f1c2558e4e2

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d7778daa177ef70ff534df086b6d285c

SHA1
b2fa6e10c05ec1bc8144129179f78a025ba49936

SHA256
be03b6305ef60608f90043450aae6acaa9c9bf0d187bf8a73106b8f480cb5ec5

SHA512
186bdae6b9b9d5128250903119b8ab41202564b94f76c40f6e3b98d0574145dd0ccfa51f5f7ab9ba3e02b42143b633360b08f9ddc4facf5316726b241d64a356

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ec430eaf3498711622ea43807de3106

SHA1
3244022c5fbae3c208d63890db374343c87ce84e

SHA256
8288324ea5a1efa6b596ccd48a476df0f128175b308d2e41dc47345244735849

SHA512
09206a8e17d292bcf1a592ce4fc5c318155595eda1e9e8cf61f72b3c6593cd555c189463a37fa9d284a50c14cbff038d52584fb8d9a8506e1652b0295372d7cd

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8ff5ae378e421e1886bd0efe1ef744b1

SHA1
48e3281851efe34c54964418485506bdbc5405bf

SHA256
2080352dbbd9f19b27fa141b733ca68e03971283d5681be78bb1790a3c681de0

SHA512
7b5e415f51d22ea95a72b047104d7dc914daec3a1f337934a7d106937aa4c53277ca3b42fe1c5c1ce24a58413c908dc6ab22407d9c955b32c3ca674e088cfc96

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
016eae2e7b71efde096897d80ff8ee86

SHA1
ba45b8016445fa668a6c7a579d1e15c131aa64d3

SHA256
dc21de20c125beff1aed6771e6e33f9f32a3dda87680db00c3625833757e6e79

SHA512
52a216e83d7f2ebe1b77da19fc93244c4ce6d01ab78891cbc10c5bfc1a2ec6c5f0a9fbcfb55fc4c82a1acf932d2dd603d2c3f113c7ce98472fe5c06ca962fcde

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
98f28a1e1e73082f5773ad263b63dafa

SHA1
5a61559efb7910015e74d96ce1f04e6b17ee8e5a

SHA256
d0371fcf5de5465a956f4f230df460f12da6f21af965e64fd8b4be539862aaf3

SHA512
35e3196baa246f67846a17c99c2a63f74a0a81dd667eee6138ac2e5631478d3675d0f90df54d36b4a370dfc97c7956a5339ae108e8782efb72b5346594c0f2a6

Download Submit
\Windows\Installer\MSI2FAA.tmp-\AlphaControlAgentInstallation.dll

Filesize
19KB

MD5
4db38e9e80632af71e1842422d4b1873

SHA1
84fe0d85c263168487b4125e70cd698920f44c53

SHA256
4924aad650fa0f88c6fc6ca77068d73f70f0d0866a98212b615290ffb0b04efa

SHA512
9ce1e75b11e43369fe2320cf52bef856170385a8e898a934c735cb92a8399e5e612a54b248579687c372dae58e47e05d9095116313aea9555cf2358944252d77

Download Submit
\Windows\Installer\MSI2FAA.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
memory/904-178-0x000000001A720000-0x000000001A7D2000-memory.dmp

Filesize
712KB

Download
memory/904-707-0x0000000019C00000-0x0000000019C38000-memory.dmp

Filesize
224KB

Download
memory/904-877-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/904-166-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/904-168-0x0000000019CF0000-0x0000000019D70000-memory.dmp

Filesize
512KB

Download
memory/1540-816-0x00000000196B0000-0x0000000019760000-memory.dmp

Filesize
704KB

Download
memory/1540-818-0x00000000004F0000-0x000000000050C000-memory.dmp

Filesize
112KB

Download
memory/1540-815-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/1540-1450-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/1540-812-0x0000000000920000-0x000000000094C000-memory.dmp

Filesize
176KB

Download
memory/1540-819-0x0000000019C40000-0x0000000019CC0000-memory.dmp

Filesize
512KB

Download
memory/2016-75-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/2016-79-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/2016-74-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/2016-69-0x0000000073710000-0x0000000073DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2016-88-0x0000000073710000-0x0000000073DFE000-memory.dmp

Filesize
6.9MB

Download
memory/2104-118-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/2104-167-0x000007FEF4D10000-0x000007FEF56FC000-memory.dmp

Filesize
9.9MB

Download
memory/2104-117-0x0000000001100000-0x0000000001126000-memory.dmp

Filesize
152KB

Download
memory/2104-131-0x0000000000B20000-0x0000000000BB8000-memory.dmp

Filesize
608KB

Download
memory/2104-119-0x000000001B5D0000-0x000000001B650000-memory.dmp

Filesize
512KB

Download