Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    08-11-2024 12:28

General

  • Target

    b8788ba7d7d7f8fce00f8446b778b9f9b9852e4ec2f3766d6e32c68b50950899.msi

  • Size

    2.9MB

  • MD5

    6e58d9af76a06f068fc49d0f5f895966

  • SHA1

    6eaf5813536f716cab6ccdda47e8f0beaa74b30c

  • SHA256

    b8788ba7d7d7f8fce00f8446b778b9f9b9852e4ec2f3766d6e32c68b50950899

  • SHA512

    4d314dcc18f09ce95453470101efc55e690657e2288728839f04d7060a1f767a4be0d1b48cc0a980979d35c440144cc2cbffd767732b19e4af4c5333a8fc93e9

  • SSDEEP

    49152:1+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:1+lUlz9FKbsodq0YaH7ZPxMb8tT

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

  • Ateraagent family
  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 18 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 37 IoCs
  • Executes dropped EXE 3 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b8788ba7d7d7f8fce00f8446b778b9f9b9852e4ec2f3766d6e32c68b50950899.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:288
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2520
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding AD85C4DF53632EF517B6242747585696
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIFDB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259461206 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1036
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI12B9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259461845 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2912
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI2198.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259465652 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2428
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI2CB7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259468475 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1540
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 6C3F51CFD75E2215C74527BA277603BB M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2224
      • C:\Windows\syswow64\NET.exe
        "NET" STOP AteraAgent
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2300
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP AteraAgent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1724
      • C:\Windows\syswow64\TaskKill.exe
        "TaskKill.exe" /f /im AteraAgent.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:556
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="22" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="21" /AccountId="0013z00002eDbtlAAC" /AgentId="60b47b86-9914-480b-b633-304cb1f24492"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2488
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2600
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003BC" "00000000000005DC"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2828
  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      2⤵
      • Launches sc.exe
      PID:1544
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 60b47b86-9914-480b-b633-304cb1f24492 "b03f25b1-5420-44f8-8784-dc47684c7167" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 0013z00002eDbtlAAC
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2236

Network

MITRE ATT&CK Enterprise v15

Downloads
