1cd8f56f9213249e555dedda4380add02cbe74fb81a5806ef1eec3935a7f041a

Analysis

max time kernel
284s
max time network
288s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/11/2024, 14:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08112024_1447_BluetraitAgent381.msi
Size

3.6MB
MD5

0c7d30468c0d5975866b6f10017330d9
SHA1

0f2d7d1d9fa10d46e8d73c75db7509f950578bc6
SHA256

1cd8f56f9213249e555dedda4380add02cbe74fb81a5806ef1eec3935a7f041a
SHA512

6b42376e6c0b69eb5e005a64c1cf6e92a27938ede43badf599c496a508c7d10e5178109e899de79d4aa01b15d982c748f3e5ece657815916f68dcd3fdb2dfd5e
SSDEEP

98304:7JAqhv+JtUaJRWta/Tbs9JVzlgroDWX9Ha:7Jzhv+MaR/c93BW2S9

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2524	msiexec.exe
5	2524	msiexec.exe
7	2524	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 20 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Bluetrait Agent\Bluetrait MSP Agent.exe	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\LibreHardwareMonitorLib.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\Renci.SshNet.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\System.Management.Automation.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\config.json	Bluetrait MSP Agent.exe
File opened for modification	C:\Program Files (x86)\Bluetrait Agent\config.db	Bluetrait MSP Agent.exe
File created	C:\Program Files (x86)\Bluetrait Agent\System.Data.SQLite.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\System.Data.SQLite.Linq.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\HidSharp.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\Microsoft.Management.Infrastructure.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\libraries\paexec.exe	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\SharpSnmpLib.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\x64\SQLite.Interop.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\x86\SQLite.Interop.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Bluetrait Agent\config.db-journal	Bluetrait MSP Agent.exe
File created	C:\Program Files (x86)\Bluetrait Agent\BluetraitUserAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\defaults.json	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\Newtonsoft.Json.xml	msiexec.exe
File created	C:\Program Files (x86)\Bluetrait Agent\SharpSnmpLib.pdb	msiexec.exe

Drops file in Windows directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76be22.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF7C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76be22.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIBF1E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBFBD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC134.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAC5.tmp	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	Bluetrait MSP Agent.exe
File created	C:\Windows\Installer\f76be21.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76be21.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBEEE.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{BB4D0FA4-BF8E-4478-98EC-07A9378FB205}.SchedServiceConfig.rmi	MsiExec.exe
File created	C:\Windows\Installer\f76be24.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
684	Bluetrait MSP Agent.exe

Loads dropped DLL 6 IoCs

pid	Process
1912	MsiExec.exe
1912	MsiExec.exe
2884	MsiExec.exe
2884	MsiExec.exe
684	Bluetrait MSP Agent.exe
1912	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2524	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Bluetrait MSP Agent.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Bluetrait MSP Agent.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Bluetrait MSP Agent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Bluetrait MSP Agent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	Bluetrait MSP Agent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	Bluetrait MSP Agent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\SourceList\PackageName = "08112024_1447_BluetraitAgent381.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4AF0D4BBE8FB874489CE709A73F82B50\SQLite_x86.Interop.dll	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3D245DC823B08CE4C834E4069DB850C6	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\3D245DC823B08CE4C834E4069DB850C6\4AF0D4BBE8FB874489CE709A73F82B50	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4AF0D4BBE8FB874489CE709A73F82B50	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4AF0D4BBE8FB874489CE709A73F82B50\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\PackageCode = "7FB72B44A34AA224E8FB7B282F1F07EA"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\Version = "50855937"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4AF0D4BBE8FB874489CE709A73F82B50\paexec.exe	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\4AF0D4BBE8FB874489CE709A73F82B50\SQLite_x64.Interop.dll	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\ProductName = "Bluetrait Agent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4AF0D4BBE8FB874489CE709A73F82B50\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	Bluetrait MSP Agent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	Bluetrait MSP Agent.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2780	msiexec.exe
2780	msiexec.exe
1912	MsiExec.exe
2884	MsiExec.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe
684	Bluetrait MSP Agent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2524	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2524	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeSecurityPrivilege	2780	msiexec.exe
Token: SeCreateTokenPrivilege	2524	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2524	msiexec.exe
Token: SeLockMemoryPrivilege	2524	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2524	msiexec.exe
Token: SeMachineAccountPrivilege	2524	msiexec.exe
Token: SeTcbPrivilege	2524	msiexec.exe
Token: SeSecurityPrivilege	2524	msiexec.exe
Token: SeTakeOwnershipPrivilege	2524	msiexec.exe
Token: SeLoadDriverPrivilege	2524	msiexec.exe
Token: SeSystemProfilePrivilege	2524	msiexec.exe
Token: SeSystemtimePrivilege	2524	msiexec.exe
Token: SeProfSingleProcessPrivilege	2524	msiexec.exe
Token: SeIncBasePriorityPrivilege	2524	msiexec.exe
Token: SeCreatePagefilePrivilege	2524	msiexec.exe
Token: SeCreatePermanentPrivilege	2524	msiexec.exe
Token: SeBackupPrivilege	2524	msiexec.exe
Token: SeRestorePrivilege	2524	msiexec.exe
Token: SeShutdownPrivilege	2524	msiexec.exe
Token: SeDebugPrivilege	2524	msiexec.exe
Token: SeAuditPrivilege	2524	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2524	msiexec.exe
Token: SeChangeNotifyPrivilege	2524	msiexec.exe
Token: SeRemoteShutdownPrivilege	2524	msiexec.exe
Token: SeUndockPrivilege	2524	msiexec.exe
Token: SeSyncAgentPrivilege	2524	msiexec.exe
Token: SeEnableDelegationPrivilege	2524	msiexec.exe
Token: SeManageVolumePrivilege	2524	msiexec.exe
Token: SeImpersonatePrivilege	2524	msiexec.exe
Token: SeCreateGlobalPrivilege	2524	msiexec.exe
Token: SeBackupPrivilege	2652	vssvc.exe
Token: SeRestorePrivilege	2652	vssvc.exe
Token: SeAuditPrivilege	2652	vssvc.exe
Token: SeBackupPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	1388	DrvInst.exe
Token: SeRestorePrivilege	1388	DrvInst.exe
Token: SeRestorePrivilege	1388	DrvInst.exe
Token: SeRestorePrivilege	1388	DrvInst.exe
Token: SeRestorePrivilege	1388	DrvInst.exe
Token: SeRestorePrivilege	1388	DrvInst.exe
Token: SeRestorePrivilege	1388	DrvInst.exe
Token: SeLoadDriverPrivilege	1388	DrvInst.exe
Token: SeLoadDriverPrivilege	1388	DrvInst.exe
Token: SeLoadDriverPrivilege	1388	DrvInst.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeRestorePrivilege	2780	msiexec.exe
Token: SeTakeOwnershipPrivilege	2780	msiexec.exe
Token: SeShutdownPrivilege	2884	MsiExec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2524	msiexec.exe
2524	msiexec.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2780 wrote to memory of 1912	2780	msiexec.exe	34
PID 2780 wrote to memory of 1912	2780	msiexec.exe	34
PID 2780 wrote to memory of 1912	2780	msiexec.exe	34
PID 2780 wrote to memory of 1912	2780	msiexec.exe	34
PID 2780 wrote to memory of 1912	2780	msiexec.exe	34
PID 2780 wrote to memory of 1912	2780	msiexec.exe	34
PID 2780 wrote to memory of 1912	2780	msiexec.exe	34
PID 2780 wrote to memory of 2884	2780	msiexec.exe	35
PID 2780 wrote to memory of 2884	2780	msiexec.exe	35
PID 2780 wrote to memory of 2884	2780	msiexec.exe	35
PID 2780 wrote to memory of 2884	2780	msiexec.exe	35
PID 2780 wrote to memory of 2884	2780	msiexec.exe	35
PID 2780 wrote to memory of 2884	2780	msiexec.exe	35
PID 2780 wrote to memory of 2884	2780	msiexec.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\08112024_1447_BluetraitAgent381.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2524

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2780
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DFCD4D7BAF1A5811781D046A7541876
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1912
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8B2879FDC15A11296E14E243260B129 M Global\MSI0000
  2⤵
  - Drops file in Windows directory
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2652

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004BC" "00000000000003D0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1388

C:\Program Files (x86)\Bluetrait Agent\Bluetrait MSP Agent.exe
"C:\Program Files (x86)\Bluetrait Agent\Bluetrait MSP Agent.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:684

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76be23.rbs

Filesize
223KB

MD5
3828279d0ec8fd2c4ed736fec1d1d109

SHA1
4bbbd3c4194bc8c0094f48c0a32fc676765351f1

SHA256
b2f8acb506af155d073e879f1c3a79f957fd3a3ea67eb81e245fa4e3e116f13d

SHA512
096651317652a14cedad64b670dd5b9fce23facf64cb72425dea37d1f7a19d15cefb3147ff1fc0bdf3aefcd461283325ac23f6156a34b10946fe15ff8cc14954

Download Submit
C:\Program Files (x86)\Bluetrait Agent\Bluetrait MSP Agent.exe

Filesize
144KB

MD5
0bf209e4007d441249ae049c623f6544

SHA1
52c4d547190f60ba2f9a69764365a6f9bb1d78f1

SHA256
53313cd27befc363c5d49ff70de54ef0dace6e6470b9b53875f40b67980ea263

SHA512
afc05675331082d8242cdfa187533b152dfdcd7ed78bcb3169f46c75a349e3688e89ae6c88194287f33ae1cd62aa95b6d96c53bd024a36b5ec3ad6e675d6ea7e

Download Submit
C:\Program Files (x86)\Bluetrait Agent\Newtonsoft.Json.dll

Filesize
695KB

MD5
195ffb7167db3219b217c4fd439eedd6

SHA1
1e76e6099570ede620b76ed47cf8d03a936d49f8

SHA256
e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

SHA512
56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

Download Submit
C:\Program Files (x86)\Bluetrait Agent\System.Data.SQLite.dll

Filesize
421KB

MD5
edd007cf3fcb18ccef985f58004b1aee

SHA1
c3a697e0552ab600132f8fd4635f78517d4cb4e4

SHA256
9b0581b003161d1605405ab4ae2a31e03bf3287673c148f4a1d90253aaad2c30

SHA512
f848b4c4ba2f95ab9e8f90b5de8d169013b6c0ed7465c24f378c3df44d5bcc52e44c15e05973392e4d53c5b53007c8122ce4fd632d0ac203040fed10abb0b75f

Download Submit
C:\Program Files (x86)\Bluetrait Agent\System.Management.Automation.dll

Filesize
303KB

MD5
abcd646cb66d95ce0283ac6a888befb7

SHA1
5f375e113da40c0870d0027625e1ffb129a9727f

SHA256
40aecc98d1878c93acad8f41db3c310c382be92c3bce396e3f6e6a03a37df193

SHA512
f69f25e39264b5552b80b3500f917c202c1ab16d2f03ca42f7d30104f6492a427bc3280e68f813d01c1ae0b1d111ca7403df4a040e5358ca0737c8e7a1a4410f

Download Submit
C:\Program Files (x86)\Bluetrait Agent\defaults.json

Filesize
150B

MD5
c5e8ee5b64c5c90671d9f622c44d961f

SHA1
cb0e5bf2d02c786010a4a90b7472a33bec9993d8

SHA256
bda80f52fe54822967f104e46bc300d4c8f07365ad1c446b5995e02493560354

SHA512
6cacc76e49b9df5becce19a7337a7b6b361a52387a0c17f812e2e194137455d1e0e4a9b5ec137d178715261597bacaf399377107ab37bcc6cb113fd52b78acfa

Download Submit
C:\Program Files (x86)\Bluetrait Agent\x64\SQLite.Interop.dll

Filesize
1.7MB

MD5
65ccd6ecb99899083d43f7c24eb8f869

SHA1
27037a9470cc5ed177c0b6688495f3a51996a023

SHA256
aba67c7e6c01856838b8bc6b0ba95e864e1fdcb3750aa7cdc1bc73511cea6fe4

SHA512
533900861fe36cf78b614d6a7ce741ff1172b41cbd5644b4a9542e6ca42702e6fbfb12f0fbaae8f5992320870a15e90b4f7bf180705fc9839db433413860be6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
7a5523670eb6edef99a7e8c68a08f72f

SHA1
78dad216bdbe5eae1bc353a81163018b994d500a

SHA256
c2008c47d97a33763379c33a710ef7ebf95e1b8668382997a8eee5c7aa51cf59

SHA512
b40ac448bbc2d4ae3807c2efb799895cdb8e10dac2df5889ed19e2dafe1598abcfd379162f403861a322580ce83e55ea8ed7434855054d22cf01a31c5b7099ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_5001C7BC78598D0B752119C0FACA0CDE

Filesize
637B

MD5
af38f50bd1cc3aa82102915cf617fac0

SHA1
06187fd77a0e6ef81f7650ba96631c973c7b8e69

SHA256
18700357e0bfbb69c6a6da4d61d7b3fdfaa0642efaef5698b316c18017462a76

SHA512
4e932f82b33c93221f4e91a4d4db5d88359dbd2ccc685c75861a05cea63847262a08d5344aa699a27e1df9bffa824f89a11bd7efa86dedb77209979cc9d77f49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
a49813a199dca7806e0d9e75afccf1ed

SHA1
509ff362730afd40ea482c760fb6a561af75e3f4

SHA256
fb0dc1baaa57ec867bd9332adec22afcf205192d60e923d63a152b9ee5379bd1

SHA512
686b7df717e7f247c682a072fd047d8acca25609d119a75e6ebdf750d66622e848aeee4605c7523c62611ca3184870bd5b6a3bb26d05ba259d6d89cd774e5706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
0d3beb5cc4c61bf7d846571cf7ba8f5e

SHA1
e19efe7d29aca68b788370f44085ef21d78a9a7e

SHA256
e2d9ecdc57af735e9aebc2a7124911a1bed9c89ef6feaee0802720e61fde83c2

SHA512
e82b3482e5761f7733c7c5ed2a61d5a6b57619b72f43e53864182f87e848ba4e5d784a0c8630c0e10ab55aba63602c511f89660b3e5b253314a5c08e7e1e1092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4051a59d58f9169129dcbe1df31f3716

SHA1
dea922ac590322942a5e480d4fbc68d33d1e2773

SHA256
10099d9fb167002e6c8aaa4a46f4969a6353f0229b98ab3b7799d8b13222c0b9

SHA512
156ab7f91ff31fbb4b99c318fd80ba46df699d5e7b5bb2035b31da6a6ae1a00c7c7fb4690f323b7e22dc7993365376106f64710db967df50a877f4a25df4ac28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_5001C7BC78598D0B752119C0FACA0CDE

Filesize
488B

MD5
217b2322b9cc7d16d44dd3f5ec859bd3

SHA1
3cc3b2d4ad14f46769983c3cb8d4ee7e209ff414

SHA256
cd514dd46da3981fdc6c7e8c94267ae3bcc29a43cb8f0fadae72478ab34fd46e

SHA512
c2eb759e1306ce05339cbc8ca0349c6985f07f5fe10e9ab4f0cefe136f8f55ab28d1587c607dbc44d5178d816da689229ee6c663ee40fbd3e3cfe890d80ba15a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
f937c016b117507b929d45154ce8efe8

SHA1
0c41427d2682c97f1f027d79b6bbf8160843b12b

SHA256
4588e5889b04f78fbd8c745b1f47fc56646f0b5c4e7db9910bfc8964bb21a996

SHA512
60aecf4e8fd0fbe529ea76cb813cacffa6d2c2378a3c902696016740c05ef1250f853857d75bd40051cdede7e20802b180de160dcc816c68bc591b6ac413318d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA0A5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA0C7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSIBF1E.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\f76be21.msi

Filesize
3.6MB

MD5
0c7d30468c0d5975866b6f10017330d9

SHA1
0f2d7d1d9fa10d46e8d73c75db7509f950578bc6

SHA256
1cd8f56f9213249e555dedda4380add02cbe74fb81a5806ef1eec3935a7f041a

SHA512
6b42376e6c0b69eb5e005a64c1cf6e92a27938ede43badf599c496a508c7d10e5178109e899de79d4aa01b15d982c748f3e5ece657815916f68dcd3fdb2dfd5e

Download Submit
memory/684-117-0x0000000019830000-0x000000001989A000-memory.dmp

Filesize
424KB

Download
memory/684-120-0x0000000000350000-0x0000000000375000-memory.dmp

Filesize
148KB

Download
memory/684-112-0x0000000019CB0000-0x0000000019D62000-memory.dmp

Filesize
712KB

Download
memory/684-166-0x0000000000AA0000-0x0000000000AEE000-memory.dmp

Filesize
312KB

Download
memory/684-110-0x0000000000AF0000-0x0000000000B18000-memory.dmp

Filesize
160KB

Download