Analysis
-
max time kernel
145s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
17-10-2024 11:17
Behavioral task
behavioral1
Sample
MuddyWater.msi
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
MuddyWater.msi
Resource
win10v2004-20241007-en
General
-
Target
MuddyWater.msi
-
Size
2.6MB
-
MD5
809334c0b55009c5a50f37e4eec63c43
-
SHA1
24b60847bc0712c9ba0b8036c59ee16c211fa8bb
-
SHA256
2722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b
-
SHA512
a615b5ebce41db0ee6318d845daff393372fe4bf93d7f8af5f450df1ecdb9a9ebde9af39c40b5980b4d1002eb609ddffe6010247971842a855fd3922000322bd
-
SSDEEP
49152:r51VAM5R2KAHlcp8qFmmzDza2Rqr+kMdPTEe/pjO8xn+ch/TzOFNOnUI:rPCMr2NMRmk/XeM9TEeRvx+ch/TzAr
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Detects AteraAgent 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x000a0000000162e3-169.dat family_ateraagent -
Blocklisted process makes network request 3 IoCs
Processes:
msiexec.exeflow pid Process 3 2348 msiexec.exe 5 2348 msiexec.exe 7 2348 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Drops file in System32 directory 18 IoCs
Processes:
AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exedescription ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 AgentPackageAgentInformation.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 18 IoCs
Processes:
AteraAgent.exeAteraAgent.exemsiexec.exeAgentPackageAgentInformation.exedescription ioc Process File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt AgentPackageAgentInformation.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll msiexec.exe -
Drops file in Windows directory 18 IoCs
Processes:
msiexec.exerundll32.exeDrvInst.exedescription ioc Process File opened for modification C:\Windows\Installer\MSIFD16.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFD16.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File created C:\Windows\Installer\f76fc69.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI82.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFD16.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI121.tmp msiexec.exe File opened for modification C:\Windows\Installer\f76fc69.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSIFD16.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\f76fc68.msi msiexec.exe File opened for modification C:\Windows\Installer\f76fc68.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIFD16.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI81.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB2.tmp msiexec.exe File created C:\Windows\Installer\f76fc6b.msi msiexec.exe -
Executes dropped EXE 3 IoCs
Processes:
AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exepid Process 1596 AteraAgent.exe 996 AteraAgent.exe 1944 AgentPackageAgentInformation.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid Process 2648 sc.exe -
Loads dropped DLL 9 IoCs
Processes:
MsiExec.exerundll32.exeMsiExec.exepid Process 1528 MsiExec.exe 580 rundll32.exe 580 rundll32.exe 580 rundll32.exe 580 rundll32.exe 580 rundll32.exe 1528 MsiExec.exe 2640 MsiExec.exe 2640 MsiExec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
MsiExec.exerundll32.exeMsiExec.exeNET.exenet1.exeTaskKill.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe -
Kills process with taskkill 1 IoCs
Processes:
TaskKill.exepid Process 324 TaskKill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
DrvInst.exeAteraAgent.exemsiexec.exeAteraAgent.exeAgentPackageAgentInformation.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust AteraAgent.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates AgentPackageAgentInformation.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust AgentPackageAgentInformation.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AgentPackageAgentInformation.exe -
Modifies registry class 22 IoCs
Processes:
msiexec.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\PackageName = "MuddyWater.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\882A5F5CFF587524FA965D19E026865B msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\PackageCode = "8461E24D8232BC14CB270C3BD27759E8" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\ProductName = "IronSword" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\Version = "17301510" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\882A5F5CFF587524FA965D19E026865B msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\882A5F5CFF587524FA965D19E026865B\INSTALLFOLDER_files_Feature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\882A5F5CFF587524FA965D19E026865B\DeploymentFlags = "3" msiexec.exe -
Processes:
AteraAgent.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
msiexec.exeAteraAgent.exepid Process 2808 msiexec.exe 2808 msiexec.exe 996 AteraAgent.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exeTaskKill.exedescription pid Process Token: SeShutdownPrivilege 2348 msiexec.exe Token: SeIncreaseQuotaPrivilege 2348 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeTakeOwnershipPrivilege 2808 msiexec.exe Token: SeSecurityPrivilege 2808 msiexec.exe Token: SeCreateTokenPrivilege 2348 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2348 msiexec.exe Token: SeLockMemoryPrivilege 2348 msiexec.exe Token: SeIncreaseQuotaPrivilege 2348 msiexec.exe Token: SeMachineAccountPrivilege 2348 msiexec.exe Token: SeTcbPrivilege 2348 msiexec.exe Token: SeSecurityPrivilege 2348 msiexec.exe Token: SeTakeOwnershipPrivilege 2348 msiexec.exe Token: SeLoadDriverPrivilege 2348 msiexec.exe Token: SeSystemProfilePrivilege 2348 msiexec.exe Token: SeSystemtimePrivilege 2348 msiexec.exe Token: SeProfSingleProcessPrivilege 2348 msiexec.exe Token: SeIncBasePriorityPrivilege 2348 msiexec.exe Token: SeCreatePagefilePrivilege 2348 msiexec.exe Token: SeCreatePermanentPrivilege 2348 msiexec.exe Token: SeBackupPrivilege 2348 msiexec.exe Token: SeRestorePrivilege 2348 msiexec.exe Token: SeShutdownPrivilege 2348 msiexec.exe Token: SeDebugPrivilege 2348 msiexec.exe Token: SeAuditPrivilege 2348 msiexec.exe Token: SeSystemEnvironmentPrivilege 2348 msiexec.exe Token: SeChangeNotifyPrivilege 2348 msiexec.exe Token: SeRemoteShutdownPrivilege 2348 msiexec.exe Token: SeUndockPrivilege 2348 msiexec.exe Token: SeSyncAgentPrivilege 2348 msiexec.exe Token: SeEnableDelegationPrivilege 2348 msiexec.exe Token: SeManageVolumePrivilege 2348 msiexec.exe Token: SeImpersonatePrivilege 2348 msiexec.exe Token: SeCreateGlobalPrivilege 2348 msiexec.exe Token: SeBackupPrivilege 2700 vssvc.exe Token: SeRestorePrivilege 2700 vssvc.exe Token: SeAuditPrivilege 2700 vssvc.exe Token: SeBackupPrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2012 DrvInst.exe Token: SeRestorePrivilege 2012 DrvInst.exe Token: SeRestorePrivilege 2012 DrvInst.exe Token: SeRestorePrivilege 2012 DrvInst.exe Token: SeRestorePrivilege 2012 DrvInst.exe Token: SeRestorePrivilege 2012 DrvInst.exe Token: SeRestorePrivilege 2012 DrvInst.exe Token: SeLoadDriverPrivilege 2012 DrvInst.exe Token: SeLoadDriverPrivilege 2012 DrvInst.exe Token: SeLoadDriverPrivilege 2012 DrvInst.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeTakeOwnershipPrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeTakeOwnershipPrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeTakeOwnershipPrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeTakeOwnershipPrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeTakeOwnershipPrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeTakeOwnershipPrivilege 2808 msiexec.exe Token: SeRestorePrivilege 2808 msiexec.exe Token: SeTakeOwnershipPrivilege 2808 msiexec.exe Token: SeDebugPrivilege 324 TaskKill.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid Process 2348 msiexec.exe 2348 msiexec.exe -
Suspicious use of WriteProcessMemory 42 IoCs
Processes:
msiexec.exeMsiExec.exeMsiExec.exeNET.exeAteraAgent.exedescription pid Process procid_target PID 2808 wrote to memory of 1528 2808 msiexec.exe 35 PID 2808 wrote to memory of 1528 2808 msiexec.exe 35 PID 2808 wrote to memory of 1528 2808 msiexec.exe 35 PID 2808 wrote to memory of 1528 2808 msiexec.exe 35 PID 2808 wrote to memory of 1528 2808 msiexec.exe 35 PID 2808 wrote to memory of 1528 2808 msiexec.exe 35 PID 2808 wrote to memory of 1528 2808 msiexec.exe 35 PID 1528 wrote to memory of 580 1528 MsiExec.exe 36 PID 1528 wrote to memory of 580 1528 MsiExec.exe 36 PID 1528 wrote to memory of 580 1528 MsiExec.exe 36 PID 1528 wrote to memory of 580 1528 MsiExec.exe 36 PID 1528 wrote to memory of 580 1528 MsiExec.exe 36 PID 1528 wrote to memory of 580 1528 MsiExec.exe 36 PID 1528 wrote to memory of 580 1528 MsiExec.exe 36 PID 2808 wrote to memory of 2640 2808 msiexec.exe 38 PID 2808 wrote to memory of 2640 2808 msiexec.exe 38 PID 2808 wrote to memory of 2640 2808 msiexec.exe 38 PID 2808 wrote to memory of 2640 2808 msiexec.exe 38 PID 2808 wrote to memory of 2640 2808 msiexec.exe 38 PID 2808 wrote to memory of 2640 2808 msiexec.exe 38 PID 2808 wrote to memory of 2640 2808 msiexec.exe 38 PID 2640 wrote to memory of 1392 2640 MsiExec.exe 39 PID 2640 wrote to memory of 1392 2640 MsiExec.exe 39 PID 2640 wrote to memory of 1392 2640 MsiExec.exe 39 PID 2640 wrote to memory of 1392 2640 MsiExec.exe 39 PID 1392 wrote to memory of 684 1392 NET.exe 41 PID 1392 wrote to memory of 684 1392 NET.exe 41 PID 1392 wrote to memory of 684 1392 NET.exe 41 PID 1392 wrote to memory of 684 1392 NET.exe 41 PID 2640 wrote to memory of 324 2640 MsiExec.exe 42 PID 2640 wrote to memory of 324 2640 MsiExec.exe 42 PID 2640 wrote to memory of 324 2640 MsiExec.exe 42 PID 2640 wrote to memory of 324 2640 MsiExec.exe 42 PID 2808 wrote to memory of 1596 2808 msiexec.exe 44 PID 2808 wrote to memory of 1596 2808 msiexec.exe 44 PID 2808 wrote to memory of 1596 2808 msiexec.exe 44 PID 996 wrote to memory of 2648 996 AteraAgent.exe 46 PID 996 wrote to memory of 2648 996 AteraAgent.exe 46 PID 996 wrote to memory of 2648 996 AteraAgent.exe 46 PID 996 wrote to memory of 1944 996 AteraAgent.exe 48 PID 996 wrote to memory of 1944 996 AteraAgent.exe 48 PID 996 wrote to memory of 1944 996 AteraAgent.exe 48 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MuddyWater.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2348
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F8B6200F9F81A464B229F55EAFA018BA2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIFD16.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259456432 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:580
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 576C3831C00E71D0ADB124BFD099AF1B M Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:684
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:324
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000008IyacIAC"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1596
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2700
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000005D4"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:996 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:2648
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" aae74a31-f065-4c9e-8dc6-1c340b22fc32 "d1a902a4-8296-4f97-b8e3-44183ce1aa04" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1944
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD50a2e28e781750fabbdf9948be91458e4
SHA13cc8abc34e0f56d041007778eec0001754c37450
SHA256c8391040a9c2bc6da5e0c9a59c01c61aae0dbea22aff956237a1575271bc627a
SHA512a16a2fe6c0e57fa8855fbf3e849a7f353ebf6d8363162d81014a8b165319b5f7a03c910996f301d094a276984279ad942fb07a68921601962667c48fa0f6e50e
-
Filesize
140KB
MD52899046a979bf463b612b5a80defe438
SHA121feaa6f3fbb1afa7096c155d6b1908abf4ea3b9
SHA256486b2c2b0ca934ab63a9cf9f4b660768ad34c8df85e6f070aec0b6a63f09b0d8
SHA5128c60eb0d9e82326543f2fbcd08783e041a7f5598723666b1c9ea5df7808d0c4947e8e64c2dcd46331bc3dbc38c6ec8b85ed2fcc5b97eaf0465ea624167829368
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
209KB
MD5a41c23558b3c07f8c749844bb553d545
SHA18473013cf5f2be8158c13f1056675d1cbd10586f
SHA256a6193fc0a09ad7145fe38494bcf67fecbc10c07a5f3936e419895b018e85a766
SHA5125930f14f3be4aed70a1ff93dbb75022c2d947a0a2344031992167d72192e0a51d207fc2255cb0ca1fb21b20b1277a528bbf739bbdf8676f7a0786efd132b436f
-
Filesize
693KB
MD564e122b28a1e548c1cca376e32cdd248
SHA14506de40b8422c9be58333f35325a86674ca650c
SHA2560ee2dd095b1cc4c3cda44a237a188e16c8614c107ad9d37ad8a581473ad42215
SHA51236fc7dd056303822b23f9173b43522dee23431a419bdbae43a850e87f37b936b34ed2ef5013997d6d8b59d74627d55b0cc622da751d3ed828c850c7982a0d8fa
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD5dc63026e80d2bb04f71e41916f807e33
SHA16cda386d2c365f94ea3de41e2390fd916622eb51
SHA2563b54d00f00aa80384de88e4f4005e9d4d889a2ccf64b56e0c29d274352495c85
SHA51261da550efd55187978872f5d8e88164a6181a11c8a720684eaa737e0846fe20b9e82b73e1f689a6585834b84c4cee8dd949af43e76fd0158f6cafa704ab25183
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize173KB
MD531def444e6135301ea3c38a985341837
SHA1f135be75c721af2d5291cb463cbc22a32467084a
SHA25636704967877e4117405bde5ec30beaf31e7492166714f3ffb2ceb262bf2fb571
SHA512bd654388202cb5090c860a7229950b1184620746f4c584ab864eade831168bc7fae0b5e59b90165b1a9e4ba2bd154f235749718ae2df35d3dd10403092185ed1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Filesize94KB
MD59d8b5941ea5b905e8197a175ef2b15a9
SHA186a078e94b5578ec4125f50f78c8518a8ce1d086
SHA256c6f05b647dbadc15ab97d31790fc8ace054986ec33e9178feead4235ad15cb0d
SHA512fab5fe82873862ce8ed1a427482093cca307f6663e9f6497fdc244ce461312872d419ff274cdca0c496414c28681901f335c9911b95d2a7c112d30e32d74e498
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize688KB
MD5ba66874c510645c1fb5fe74f85b32e98
SHA1e33c7e6991a25cc40d9e0dcc260b5a27f4a34e6c
SHA25612d64550cb536a067d8afff42864836f6d41566e18f46d3ca92cb68726bdd4e9
SHA51244e8caa916ab98da36af02b84ac944fbf0a65c80b0adbdc1a087f8ed3eff71c750fb6116f2c12034f9f9b429d6915db8f88511b79507cc4d063bab40c4eaa568
-
Filesize
23KB
MD5d563269be437a720223534366e3b8b8a
SHA154e600a8e94f1f0ef9abbb4123eed280e3d2a8bc
SHA256dd5f4dda8874325be14ea739f26ee1492777e346d92771d5365dd45117780cc6
SHA5128761d6ba1a11fe91c11ee3fd73a85becb23827baa1db41da6a9e2190cad0d3d168c5ca46f54ef8df389db6bc71569efcd84e6d0bc3d54aec11dd04aeb16332a6
-
Filesize
588KB
MD582b17dc9838e1e21e5c6f53d2867e94a
SHA1a09bfe6582bff9193337cc7dbab79d0b6b723205
SHA2568e7210c1cd0955aeb4cbbdce362d4c450e0bf1be47bdf263fbf2789a4d98fd00
SHA512c1b259655e2514449366f2d150d020a1eabb0e67af29c5e26c3a00f1d84d805216016c306d48e37354de09d4a056dc071c0d0d0d36f8ec9775843e6ae2712430
-
Filesize
169B
MD5430051c01b3d9dc4e16b7e57c04fdccc
SHA12404c0427a0d129c7fc62ec9da8dd64e6fb2511f
SHA256cdb86ba1eb539a0f06bbaddbc3be485b27dcb3a4dc7654360a0f3e8263cc774d
SHA5124c346beffdd8735651951d5172d8a79688b010d5896e6f74625cf2ca07c784727d7478a4b20d3a769536cae8490646dd43a3b2f98795da70ddb509d288e0dd5a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD565e2192e4dc04fc206f436f9a86e1023
SHA16435da8290f576c8604ddcddbb40bacd19458c8e
SHA2568df5fb73b8f3f863f2829e3911cd5446c5426437ec869bb87309c639ede8aec8
SHA512215b8f9c268587b4ba022e2d5374cfaa0d680a7f5277db9207367a4d9387d91ddefb4686c4449a6e80e473be6d67ddb7d80247586401c4dce9656a5e17290a31
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD5eeceb3251441abeae81509d5ce1626f4
SHA18fb5a5fafcbe46ec6eec7336a0c7d43fe7d65334
SHA256037873c51f408c96c3d3ec8cd05d4550a965b3e449d12a078a2505041e43b0ff
SHA512e6a93fb7f18e2074e2d7f1772277f8692a9acd8fa15bfc72ee1911c0484fa6f17f553dc945904373c41c5757ce9ec828318314c4a822c75a0d9cd3d06f50bc4e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD572db13da5fff7268cc2462be217daac9
SHA13eab5c472f6a341d752a3c38a9447db3eaeede10
SHA25608441bff263e0edff40c3d7b80737a4bfc3a0c93832daf1166bb512045282735
SHA5127d88cd7fc9371eae08d40e19f4d9f2204fa83716056d8ba5ba332eef278861907bc967b3e8f74c8a12e1be15f481ea7216c3ff669917943d462df3bc0c25de89
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD5f2193a13826d108e1aeb08295c68d44b
SHA1fce16fce55593849d3a055d7d2ec7377806c9ecb
SHA2563d1e797a08db22bb135cd8d1a2661d359a4d16bc7bc33bb68c2bf9520ea96560
SHA512e64e33cfb7645f973b8716bba9b7abd1f0e3838d2e192a0c50d698c7a5693b9e65e69cf56c42967678cc06dfac8138908371ab9f6ce9d22b4d8fe07e13514718
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD527bee8d9ce331b07ffbd709af76a23a6
SHA1c4febf62a06a29954b06d8a36f296832650ae397
SHA256533b5055363ad5e421a6111c99073eeeaf8d2bd54d6470ea8c1cccb51aa5cd11
SHA5120a1972339b3d0e56f47ebd48ecd17bdc51b75c3688f4a608a34f3f8c774f34232e9a21dd103101c2e807be9e41b73b64aac9aabb7ac113d0a433e9705d2f3137
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5282cde934e31d4c219ebe4fa08140fa7
SHA1f98dedb52b2e4b00730279f78e1598195de98aa6
SHA2567d96a5733c26a6c580d0425fcac1a340bea98d23a42b2df4f76c94ec19c68fb1
SHA51228b9291861416d3a3ed92ecae06a257be6ab8ceec2ad53856c9a798aaf3414245d496788a1a0efc4af8895b1f32a86de477b854f2d24363c878692e6af5ffac2
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD5867c576ad7fba0f005f807a1a18605e3
SHA10b22506d57b5968cd29788eb4db7a621cc6d3105
SHA2564df1d53a5294897cb147403fd8735bb6a5cbfdef6be8b753d6cffdd1d2b5597d
SHA5125e2a23791de37aaccbe1ea36d96cc21c874ed27c84de8b7070f3e72cb3705ba388491819c06f9e290b9c74479091a96487d22be44216e7af28d6e1a38b917352
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
275KB
MD5672e03b9d7a2d50f3e935909a198928b
SHA16cc8a45126243c6ad8a6336ef1789e6a8b5dd33f
SHA256c4772f8a8761f052bd0336923539699ba2f358ac203beb197cda576146e05a0d
SHA512bf5833ea48942319d560fb4dad62997fa5495e0d9c634361d919d3328364d0f4a999dfb56590d48227c3690d8a867b022f6d5fd01c46f27d2ad6421d88380372
-
Filesize
2.6MB
MD5809334c0b55009c5a50f37e4eec63c43
SHA124b60847bc0712c9ba0b8036c59ee16c211fa8bb
SHA2562722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b
SHA512a615b5ebce41db0ee6318d845daff393372fe4bf93d7f8af5f450df1ecdb9a9ebde9af39c40b5980b4d1002eb609ddffe6010247971842a855fd3922000322bd
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52ec3141841a0c83687d1b8310ea12dd7
SHA1fb668c467e7fde5171a8979247a6f74fbde8cd37
SHA2560c119c50c289b5a889457ca74a5e176a307d3750363d5887cc68ff3ca762fed8
SHA5120aaeb48ce709407f7c16fa946274482c6173ae224d75248a3b452dd010d4771b2087ae074d29740c3f5c12d1a7045a6f435a2d351bdd49cee42d9a1acadfb45d
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5af284f6701d9c9336f86423ea3bd4dc8
SHA155d9a701285c406ddd86d115ce9eb47cf4a1cd1c
SHA2560d1af50817fcdcf8d3ef31e01e620bbf09b590ccb3b748e4dc07321ed22afc68
SHA512220f6a5f7d3c95261523cec3eebd8c34b1b73b64a834862f4c59d961b9abea9783a066f41834f6e2322cdf0c1167e8f4c169da3d654ca8925c11c25835d9931c
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51d800d2281a3eb7845be8c8c3468b602
SHA11aa01e393ced6609fda67a69a07e9250925439fb
SHA256cebd8bc301142c8ff22be1f85146440527cc876156cb953525270188d43e6e15
SHA512afb6cecde9fded0eef9facd75094c18157546cb51dbe376049c305345c4d5adb29bab30749dcef62734630be8830d5cd1d4057bfa0cf32f84360561316d9182a
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD57a2abcdccc5691539b1a082b21bb8721
SHA1f7066cf7682e2d8e45de292a1e851c06473edd32
SHA25612b843a69e707d2e7b05b8a82116a4a4e3a104cee12c63c04edba6d3910409b7
SHA512da20d414b457d1da5acf855cc9a4f09de06a485b39f65c406f02ee65f35fa79ba72d6f101bc51491e45e356befa7e9eb25b26505be93c9e139442a7079328413
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a56f4ab4160601d8d267aea22cbf3254
SHA1b7a184182d2f65a4c9ef4b4cd0c0f6a57e58ca68
SHA2561ec11a237b8bffe328b7cbd64f9b179762d9847772c9dfe540e47500f8fa2297
SHA512c2c6f43fb53cc35650acd1259dd99f37c7fc71d312c49fc0161c3caf530ef367b5425024acfc9963d3e97f0eec7136ce38189cd0bd2743be770918d1e8be360c
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d2cc9f74747deb7b56392fefe9f3f1a7
SHA1ac86206ca3f9aba02efaaaebdc5d0086d633cde0
SHA2569c499603bdd80dcf908bf5673ea569587e1c57fbaea57535437679ca44fbda3f
SHA51242f4a5a8f9cc041d81815006cbeed8779a1b1df9434b414d4658390363f80069126e0e8bb18cb77f9e0338351e9d51bd917aabf83b81018e1f8ffd180943b2a2
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53bf4e9cb2fe2d2bef87252fae0d29963
SHA194d31e23c7de1374496209df36552b465f672538
SHA2561991c13874092ca1fdd48e7fbcc648428a9e6884e037f9e8d29761d6b8c0bc7b
SHA5128b8760407faee95191d709c238cc1bd633ca1e557b40bc0f1daf3fda31903ff050bafb58aa3f587a0f26e922774f872b2215d4c58a12f66db92f26f2e20c07e0
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51ee73b3a158827fc46e8aef3e71bd739
SHA1cd84a6148ecb5ea97f51699b0d51884f25bd1c8b
SHA256a6826e163535cf3b5f512f6aa3db4e191a20df0dd149b87cdbd0051c5b977983
SHA5127a76a3ec5727c70f05cab4ba0739ee01a15cd1f136cbeb1ba79841b287739644a810e6d4e7bb0cc779e8840d088ff5c22e8315bbeec98c610eabcd50b99dc930
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD557f6cf8b6e602b60401dd7e17b5a542a
SHA1f5b2f00785bf5ee6fe9bbb50d02d16834b543211
SHA25648d05db600239442fac663c7ac9b0dc6c2a6216494d80981d86a11738640bb39
SHA51236d50ef026f218660a90f98efbceb162c5ca05b462c70f1b640eab0b1e17fd426bbef1fe4c9d9b70944dd1196c14786bd3da13c5ae970f5171fe3a419d46ea91
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD53f988b5d24ae6d8184715ea3deb4615e
SHA11c9f614bf69a4ab64b368cc136ea93727e967c2e
SHA2562a75c5e38324a4bfbebff4fcf6a48f134a8db49124ce1a1494683f8ac8652858
SHA5122942294a012546b0c6b4a13988d8b8e37d96f02a594bb5a0c34443f9da9647b0c9a5743dec482934cb0656925a407b8549ca2d2d7f297617e9678a8369d8a993
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD59cbcfb8bbde2dc2c52d59362c7a42a09
SHA11c95f17ed02b0541b1e4384ebd7cc162e1c92903
SHA256d901a3c02f023d066c3727d62c5bea15654ac4ac6f4f8e01e20584f31dba9ba9
SHA512555bd4498279ac4dd3f4484e7ae7b3df60b3851786ac76be86bfd238af65bce5565080697743b85aff0261a72e9874c8e9201416f9956986f9ae37ad754e6e04
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c38ce7e3bb0d647aa38d6f1c91a27ff8
SHA1ccb36e3973f155ffebcde8fd490c3d39511b6140
SHA25623340079a71d4f7a3d45fa697f2d669cc3c4c32b4688c8d6768cc6bce49eea1d
SHA5127745cb85d4982a636fbeb30a85da2539fefefa7b7ce09f1c35e96f9deac8f395d213651d6d8114f37e275cab5e937dacfdc83a6480ed1f6091d8207b856b5caf
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5cc34d107010ca46307a710c13d889a93
SHA14e3e858b54c783e13eb04e3116d25d180c544970
SHA256fea304f51e4a5d43bfc1d0911a2de374456dceb5c441225bbc559d7c6880e445
SHA51274198954d46281a50459c3f14af4655a6c9fcf1f40d331bfb9ac2305f2150f9fad62b30c3a414bb0ed743cd9008acffdf4d77f3ec801fa309f9a207758301ecd
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c746f0aa2db33d113c27d968737330ba
SHA1e608cf855cf171a7cd293e5093be9b6336274221
SHA2563d4e33135acd386de2e41ac782384606d50a99e3998c29ebc5c28459b3f8b7bb
SHA51275a2d60a9e1e94987654453ee1e16947231c4653414e1bb2ab1827cf7814760fdea3b036f642f71383853591c8a2962c72b4017ab4a3004af6099e4f490397cd
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e61759c49f40400aed3cc41080563ce2
SHA116b3c33d12aa28e3a8bb5a9cad6941ca1961bb16
SHA256c096e2640bb8a6ef24c438913db3073b675765e0a61063d33c0931fd76a907b4
SHA5122eefc001a122b57af69aa9e45327cbd7ee445b69df3fdcb158bd3307d950d4ba1ac15ecb8cd0dca5a4a9a49453aaa7cda906943e2c687e98e7ddfdf8f23d0159
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5550b0ebc5351b1400ed51b4420d05973
SHA15a1043ea42ca0f15867d2a664b6717aa6dd297c9
SHA25629be6bd284c5cae8d7a51ff5d2a6611021ede01e8917fed931965fb19354a6a4
SHA512d4f2305e135e90494dd03caa88365050e2e477e695f0aac5c2c70aac0e4183a296e94fbd19a62c5cd136fbc45fa6f8f84b8601bfedc86bba977e96a463a00c2a
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD532585650ecf7831ec8303b554cfdf1f8
SHA19e1d5c1593adeac2dfc8b9727a1853f414e3b014
SHA2564724e9dbdbd4151fb7adb4dbdbd8e4b6a8514817d4af8f20b9aa51b86530bfc1
SHA512db6cceff92586221d31124427f6e3f4febc84b79467f794d749abe93b63c6e1448bdd6414f8fc8afc7fb6db99aaf0fd543405097958fbe4394a8950989b0beef
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD56aee606b4b6195bcc86bd89292b4a595
SHA1ef3ad602ecb6fe80cd372d2ee089442fa7def3e7
SHA25640ee0bcf63b40a2519ecc262c4b5560cb44d9ef5785962c76aae6866cd8d80a4
SHA512f71f1162307c3bb373945a934c2a08dc87a0624c10b91da83688c5e50cb236f68ff695f63a53d1baa65c7b135b9d79dc02d24e05192fe1eef069e3312a4f71f1
-
Filesize
19KB
MD54db38e9e80632af71e1842422d4b1873
SHA184fe0d85c263168487b4125e70cd698920f44c53
SHA2564924aad650fa0f88c6fc6ca77068d73f70f0d0866a98212b615290ffb0b04efa
SHA5129ce1e75b11e43369fe2320cf52bef856170385a8e898a934c735cb92a8399e5e612a54b248579687c372dae58e47e05d9095116313aea9555cf2358944252d77
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1