Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    09-10-2024 13:11

General

  • Target

    1d9e0649296e83c003d1e27dcf9e1363bdf83bd754cdfa125ab9f5ca3acd61be.msi

  • Size

    2.9MB

  • MD5

    313c8404f8d47bf21fce21034c8dbf9e

  • SHA1

    e45effa5952409e2387b3e55194bca78e64c753b

  • SHA256

    1d9e0649296e83c003d1e27dcf9e1363bdf83bd754cdfa125ab9f5ca3acd61be

  • SHA512

    ff33ed4dca573cf158dc8baea1fbe27ef3ef3b188a24883d44d8ac97a972c80e241d0d3bc11e07448705de0672abec582ae58fbe54f55affb64ad754a6383f35

  • SSDEEP

    49152:2+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:2+lUlz9FKbsodq0YaH7ZPxMb8tT

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 18 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 37 IoCs
  • Executes dropped EXE 3 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 6 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1d9e0649296e83c003d1e27dcf9e1363bdf83bd754cdfa125ab9f5ca3acd61be.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2888
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2800
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 96A7D00FF8C72433512999F474DDA486
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIFE8C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259456760 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2848
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI13C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259457368 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1600
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI1079.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259461284 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1004
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI1C23.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259464232 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2432
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 71A50317D4A8034DB65EE1C06ED91815 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\syswow64\NET.exe
        "NET" STOP AteraAgent
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2736
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP AteraAgent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2772
      • C:\Windows\syswow64\TaskKill.exe
        "TaskKill.exe" /f /im AteraAgent.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:2704
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000B40hylAB" /AgentId="2d1ba0d0-8b15-4e2e-808b-d0a4ea98ed7f"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2352
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2236
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000398" "00000000000005AC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2208
  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2976
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      2⤵
      • Launches sc.exe
      PID:1976
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2d1ba0d0-8b15-4e2e-808b-d0a4ea98ed7f "9efc5db0-6bc4-4c2f-ae16-c9b4cd0e4c8f" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000B40hylAB
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1672

Network

MITRE ATT&CK Enterprise v15

Downloads
