Analysis

  • max time kernel
    150s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-10-2024 16:31

General

  • Target

    Arquivo_9126034.msi

  • Size

    2.9MB

  • MD5

    64585a798dd0bea132febaa7cda9ab86

  • SHA1

    45b16e677e32a61fab1ec0c7c229b37134dac718

  • SHA256

    9d69ae8da13e65fc49ce5a7a5936a3b2441e78fbe6e134315fab2cd1e820f731

  • SHA512

    a048308fbe3f4687799db105d3c7bb1abbc65f4811c685393f9bee105c81e22e25b1dc2e73968ae32523a159ecc40a476b3f46791cbd156ea81a09e2b658bbb9

  • SSDEEP

    49152:3+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:3+lUlz9FKbsodq0YaH7ZPxMb8tT

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

  • Ateraagent family
  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 18 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 37 IoCs
  • Executes dropped EXE 3 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Arquivo_9126034.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2272
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2468
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DCA58103D98C31299620C181A851FC00
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI3A92.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259472406 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2808
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI4128.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259473810 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3052
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI5E4A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259481189 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1592
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI7615.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259487289 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2948
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 18EE1581A4CF2ED0C0DD85A0FCF1B1C4 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2080
      • C:\Windows\syswow64\NET.exe
        "NET" STOP AteraAgent
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1312
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP AteraAgent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3000
      • C:\Windows\syswow64\TaskKill.exe
        "TaskKill.exe" /f /im AteraAgent.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:1916
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LlkxmIAB" /AgentId="02fd3f9d-7228-47e1-84e0-9ff50a23f7a5"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2852
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2656
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000564" "00000000000005F8"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2952
  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:328
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      2⤵
      • Launches sc.exe
      PID:2704
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 02fd3f9d-7228-47e1-84e0-9ff50a23f7a5 "3991b2de-4325-49d4-aa1d-1033418db0b2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LlkxmIAB
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2716

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\f77392c.rbs

    Filesize

    8KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

    Filesize

    753B

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

    Filesize

    142KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

    Filesize

    1KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

    Filesize

    210KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

    Filesize

    693KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI

    Filesize

    12B

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

    Filesize

    173KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

    Filesize

    546B

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

    Filesize

    688KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt

    Filesize

    23KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

    Filesize

    588KB

  • C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

    Filesize

    238B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

    Filesize

    471B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

    Filesize

    727B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

    Filesize

    727B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

    Filesize

    400B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

    Filesize

    404B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

    Filesize

    412B

  • C:\Users\Admin\AppData\Local\Temp\CabE4B6.tmp

    Filesize

    70KB

  • C:\Users\Admin\AppData\Local\Temp\TarE767.tmp

    Filesize

    181KB

  • C:\Windows\Installer\MSI3A92.tmp

    Filesize

    509KB

  • C:\Windows\Installer\MSI4128.tmp-\CustomAction.config

    Filesize

    1KB

  • C:\Windows\Installer\MSI4128.tmp-\Newtonsoft.Json.dll

    Filesize

    695KB

  • C:\Windows\Installer\MSI635B.tmp

    Filesize

    211KB

  • C:\Windows\Installer\f77392a.msi

    Filesize

    2.9MB

  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

    Filesize

    1KB

  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    1KB

  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

  • C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

    Filesize

    242B

  • C:\Windows\Temp\Cab867E.tmp

    Filesize

    29KB

  • C:\Windows\Temp\Tar86A0.tmp

    Filesize

    81KB

  • \Windows\Installer\MSI3A92.tmp-\AlphaControlAgentInstallation.dll

    Filesize

    25KB

  • \Windows\Installer\MSI3A92.tmp-\Microsoft.Deployment.WindowsInstaller.dll

    Filesize

    179KB
