Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    08-11-2024 12:28

General

  • Target

    c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi

  • Size

    2.9MB

  • MD5

    ca547b71f62c449c8e365701212469d9

  • SHA1

    43d9688cb60427723cf098896d762b010487bbee

  • SHA256

    c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621

  • SHA512

    6ebe3885cc2ddad0c8579ece4344d6c3b75929e389270aabd409ecdea3772f7baa1b866e0f4a37e706441c8a17d1e243cb9cd81b659fec42db69fcfff1fa6f2e

  • SSDEEP

    49152:a+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:a+lUlz9FKbsodq0YaH7ZPxMb8tT

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

  • Ateraagent family
  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 18 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 18 IoCs
  • Drops file in Windows directory 37 IoCs
  • Executes dropped EXE 3 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 35 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 63 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2104
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5CD72771D08C49E17DB647A717853C03
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1948
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIE552.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259450348 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1568
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIE811.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259450941 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2952
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIF700.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259454763 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2260
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI1C1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259457477 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2196
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ED39A78AAAFA8920BB6ACE09C0AD22A0 M Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1864
      • C:\Windows\syswow64\NET.exe
        "NET" STOP AteraAgent
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2324
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP AteraAgent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2220
      • C:\Windows\syswow64\TaskKill.exe
        "TaskKill.exe" /f /im AteraAgent.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        PID:1668
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ND5FxIAL" /AgentId="51ac33d3-e48b-47e8-ba10-8dc10f38f9fa"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1652
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2752
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000498" "0000000000000494"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2100
  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:596
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      2⤵
      • Launches sc.exe
      PID:2844
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 51ac33d3-e48b-47e8-ba10-8dc10f38f9fa "dd9b44de-b360-4724-ab81-f3944ecc3f62" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ND5FxIAL
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:1344

Network

MITRE ATT&CK Enterprise v15

Downloads
