Analysis

  • max time kernel
    145s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240708-en locale:en-us os:windows7-x64 system
  • submitted
    17-10-2024 11:17

General

  • Target

    MuddyWater.msi

  • Size

    2.6MB

  • MD5

    809334c0b55009c5a50f37e4eec63c43

  • SHA1

    24b60847bc0712c9ba0b8036c59ee16c211fa8bb

  • SHA256

    2722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b

  • SHA512

    a615b5ebce41db0ee6318d845daff393372fe4bf93d7f8af5f450df1ecdb9a9ebde9af39c40b5980b4d1002eb609ddffe6010247971842a855fd3922000322bd

  • SSDEEP

    49152:r51VAM5R2KAHlcp8qFmmzDza2Rqr+kMdPTEe/pjO8xn+ch/TzOFNOnUI:rPCMr2NMRmk/XeM9TEeRvx+ch/TzAr

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 18 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 18 IoCs
  • Executes dropped EXE 3 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 42 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MuddyWater.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2348
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2808
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F8B6200F9F81A464B229F55EAFA018BA
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIFD16.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259456432 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:580
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 576C3831C00E71D0ADB124BFD099AF1B M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Windows\syswow64\NET.exe
        "NET" STOP AteraAgent
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1392
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP AteraAgent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:684
      • C:\Windows\syswow64\TaskKill.exe
        "TaskKill.exe" /f /im AteraAgent.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:324
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000008IyacIAC"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1596
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2700
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000005D4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2012
  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      2⤵
      • Launches sc.exe
      PID:2648
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" aae74a31-f065-4c9e-8dc6-1c340b22fc32 "d1a902a4-8296-4f97-b8e3-44183ce1aa04" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1944

Network

MITRE ATT&CK Enterprise v15

Downloads
