Analysis
max time kernel: 145s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 07-11-2024 01:01
Behavioral task behavioral1
Sample: 99943cbf5119b45787f6d349e0c8f65768360253e00451b9050923bfe4618e06.msi
Resource: win7-20240903-en
Behavioral task behavioral2
Sample: 99943cbf5119b45787f6d349e0c8f65768360253e00451b9050923bfe4618e06.msi
Resource: win10v2004-20241007-en
General
Target: 99943cbf5119b45787f6d349e0c8f65768360253e00451b9050923bfe4618e06.msi
Size: 2.9MB
MD5: 16a2d0c6e475bc422bf93644bef37e3a
SHA1: f81d7cebf47a0df8e55501ef8edb2ff9fbf8c78d
SHA256: 99943cbf5119b45787f6d349e0c8f65768360253e00451b9050923bfe4618e06
SHA512: 77fd886d244569e7074b87c48666e1b568fee6b8cde708f81b7b99e60744d7abe35bfaf46540a42f9cdc86d65cc84ae089d55567c702e608c0de7dbed628f79f
SSDEEP: 49152:T+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:T+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
AteraAgent
AteraAgent is a remote monitoring and management tool.
Ateraagent family
Detects AteraAgent 1 IoCs
resource | yara_rule
behavioral1/files/0x0033000000019354-397.dat | family_ateraagent
Blocklisted process makes network request 7 IoCs
Processes: msiexec.exe, rundll32.exe, rundll32.exe
flow | pid | Process
3 | 2192 | msiexec.exe
5 | 2192 | msiexec.exe
7 | 2192 | msiexec.exe
11 | 2312 | rundll32.exe
12 | 2312 | rundll32.exe
17 | 1476 | rundll32.exe
18 | 1476 | rundll32.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | Process
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
Drops file in System32 directory 18 IoCs
Processes: AteraAgent.exe, AteraAgent.exe, AgentPackageAgentInformation.exe
description | ioc | Process
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | AgentPackageAgentInformation.exe
File opened for modification | C:\Windows\system32\InstallUtil.InstallLog | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 | AteraAgent.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory 18 IoCs
Processes: msiexec.exe, AteraAgent.exe, AteraAgent.exe, AgentPackageAgentInformation.exe
description | ioc | Process
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe | AteraAgent.exe
File opened for modification | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt | AgentPackageAgentInformation.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll | msiexec.exe
File opened for modification | C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt | AteraAgent.exe
File opened for modification | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog | AteraAgent.exe
File opened for modification | C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe | msiexec.exe
Drops file in Windows directory 37 IoCs
Processes: msiexec.exe, rundll32.exe, rundll32.exe, DrvInst.exe, rundll32.exe, rundll32.exe
description | ioc | Process
File created | C:\Windows\Installer\f7698f8.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC0AC.tmp-\System.Management.dll | rundll32.exe
File created | C:\Windows\Installer\f7698f5.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9993.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB5AF.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB69C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC0AC.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIC0AC.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\INF\setupapi.ev1 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI9993.tmp-\Newtonsoft.Json.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB5FF.tmp | msiexec.exe
File opened for modification | C:\Windows\INF\setupapi.dev.log | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI9993.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI9D5B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9D5B.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI9D5B.tmp-\System.Management.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB291.tmp-\AlphaControlAgentInstallation.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB291.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\f7698f5.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9993.tmp-\AlphaControlAgentInstallation.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI9993.tmp-\System.Management.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIC0AC.tmp-\Newtonsoft.Json.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB291.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB291.tmp-\Newtonsoft.Json.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\f7698f6.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB5AE.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC0AC.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI9D5B.tmp-\Newtonsoft.Json.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI9D5B.tmp-\CustomAction.config | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB291.tmp-\CustomAction.config | rundll32.exe
File created | C:\Windows\Installer\f7698f6.ipi | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIC0AC.tmp-\AlphaControlAgentInstallation.dll | rundll32.exe
File opened for modification | C:\Windows\INF\setupapi.ev3 | DrvInst.exe
File opened for modification | C:\Windows\Installer\MSI9D5B.tmp-\AlphaControlAgentInstallation.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSIB291.tmp-\System.Management.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI9993.tmp | msiexec.exe
Executes dropped EXE 3 IoCs
Processes: AteraAgent.exe, AteraAgent.exe, AgentPackageAgentInformation.exe
pid | Process
1264 | AteraAgent.exe
552 | AteraAgent.exe
872 | AgentPackageAgentInformation.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes: sc.exe
pid | Process
1704 | sc.exe
Loads dropped DLL 35 IoCs
Processes: MsiExec.exe, rundll32.exe, rundll32.exe, rundll32.exe, MsiExec.exe, rundll32.exe
pid | Process
1572 | MsiExec.exe
1376 | rundll32.exe
1376 | rundll32.exe
1376 | rundll32.exe
1376 | rundll32.exe
1376 | rundll32.exe
1572 | MsiExec.exe
2312 | rundll32.exe
2312 | rundll32.exe
2312 | rundll32.exe
2312 | rundll32.exe
2312 | rundll32.exe
2312 | rundll32.exe
2312 | rundll32.exe
2312 | rundll32.exe
2312 | rundll32.exe
1572 | MsiExec.exe
2056 | rundll32.exe
2056 | rundll32.exe
2056 | rundll32.exe
2056 | rundll32.exe
2056 | rundll32.exe
1572 | MsiExec.exe
2600 | MsiExec.exe
2600 | MsiExec.exe
1572 | MsiExec.exe
1476 | rundll32.exe
1476 | rundll32.exe
1476 | rundll32.exe
1476 | rundll32.exe
1476 | rundll32.exe
1476 | rundll32.exe
1476 | rundll32.exe
1476 | rundll32.exe
1476 | rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: rundll32.exe, rundll32.exe, NET.exe, net1.exe, TaskKill.exe, rundll32.exe, MsiExec.exe, rundll32.exe, MsiExec.exe
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | NET.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | TaskKill.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MsiExec.exe
Kills process with taskkill 1 IoCs
Processes: TaskKill.exe
pid | Process
2156 | TaskKill.exe
Modifies data under HKEY_USERS 64 IoCs
Processes: DrvInst.exe, AgentPackageAgentInformation.exe, AteraAgent.exe, AteraAgent.exe, msiexec.exe
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | AteraAgent.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | AgentPackageAgentInformation.exe
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | DrvInst.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | DrvInst.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | AteraAgent.exe
Modifies registry class 22 IoCs
Processes: msiexec.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "99943cbf5119b45787f6d349e0c8f65768360253e00451b9050923bfe4618e06.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media | msiexec.exe
Processes: AteraAgent.exe
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 | AteraAgent.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = <data removed> | AteraAgent.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A | AteraAgent.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = <data removed> | AteraAgent.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: msiexec.exe, AteraAgent.exe
pid | Process
2648 | msiexec.exe
2648 | msiexec.exe
552 | AteraAgent.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe, DrvInst.exe, rundll32.exe
description | pid | Process
Token: SeShutdownPrivilege | 2192 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2192 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeSecurityPrivilege | 2648 | msiexec.exe
Token: SeCreateTokenPrivilege | 2192 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 2192 | msiexec.exe
Token: SeLockMemoryPrivilege | 2192 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 2192 | msiexec.exe
Token: SeMachineAccountPrivilege | 2192 | msiexec.exe
Token: SeTcbPrivilege | 2192 | msiexec.exe
Token: SeSecurityPrivilege | 2192 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2192 | msiexec.exe
Token: SeLoadDriverPrivilege | 2192 | msiexec.exe
Token: SeSystemProfilePrivilege | 2192 | msiexec.exe
Token: SeSystemtimePrivilege | 2192 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 2192 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 2192 | msiexec.exe
Token: SeCreatePagefilePrivilege | 2192 | msiexec.exe
Token: SeCreatePermanentPrivilege | 2192 | msiexec.exe
Token: SeBackupPrivilege | 2192 | msiexec.exe
Token: SeRestorePrivilege | 2192 | msiexec.exe
Token: SeShutdownPrivilege | 2192 | msiexec.exe
Token: SeDebugPrivilege | 2192 | msiexec.exe
Token: SeAuditPrivilege | 2192 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 2192 | msiexec.exe
Token: SeChangeNotifyPrivilege | 2192 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 2192 | msiexec.exe
Token: SeUndockPrivilege | 2192 | msiexec.exe
Token: SeSyncAgentPrivilege | 2192 | msiexec.exe
Token: SeEnableDelegationPrivilege | 2192 | msiexec.exe
Token: SeManageVolumePrivilege | 2192 | msiexec.exe
Token: SeImpersonatePrivilege | 2192 | msiexec.exe
Token: SeCreateGlobalPrivilege | 2192 | msiexec.exe
Token: SeBackupPrivilege | 1660 | vssvc.exe
Token: SeRestorePrivilege | 1660 | vssvc.exe
Token: SeAuditPrivilege | 1660 | vssvc.exe
Token: SeBackupPrivilege | 2648 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeRestorePrivilege | 1732 | DrvInst.exe
Token: SeRestorePrivilege | 1732 | DrvInst.exe
Token: SeRestorePrivilege | 1732 | DrvInst.exe
Token: SeRestorePrivilege | 1732 | DrvInst.exe
Token: SeRestorePrivilege | 1732 | DrvInst.exe
Token: SeRestorePrivilege | 1732 | DrvInst.exe
Token: SeRestorePrivilege | 1732 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1732 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1732 | DrvInst.exe
Token: SeLoadDriverPrivilege | 1732 | DrvInst.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeDebugPrivilege | 2312 | rundll32.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Token: SeRestorePrivilege | 2648 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2648 | msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid | Process
2192 | msiexec.exe
2192 | msiexec.exe
Suspicious use of WriteProcessMemory 63 IoCs
Processes: msiexec.exe, MsiExec.exe, MsiExec.exe, NET.exe, AteraAgent.exe
description | pid | Process | procid_target
PID 2648 wrote to memory of 1572 | 2648 | msiexec.exe | 34
PID 2648 wrote to memory of 1572 | 2648 | msiexec.exe | 34
PID 2648 wrote to memory of 1572 | 2648 | msiexec.exe | 34
PID 2648 wrote to memory of 1572 | 2648 | msiexec.exe | 34
PID 2648 wrote to memory of 1572 | 2648 | msiexec.exe | 34
PID 2648 wrote to memory of 1572 | 2648 | msiexec.exe | 34
PID 2648 wrote to memory of 1572 | 2648 | msiexec.exe | 34
PID 1572 wrote to memory of 1376 | 1572 | MsiExec.exe | 35
PID 1572 wrote to memory of 1376 | 1572 | MsiExec.exe | 35
PID 1572 wrote to memory of 1376 | 1572 | MsiExec.exe | 35
PID 1572 wrote to memory of 1376 | 1572 | MsiExec.exe | 35
PID 1572 wrote to memory of 1376 | 1572 | MsiExec.exe | 35
PID 1572 wrote to memory of 1376 | 1572 | MsiExec.exe | 35
PID 1572 wrote to memory of 1376 | 1572 | MsiExec.exe | 35
PID 1572 wrote to memory of 2312 | 1572 | MsiExec.exe | 36
PID 1572 wrote to memory of 2312 | 1572 | MsiExec.exe | 36
PID 1572 wrote to memory of 2312 | 1572 | MsiExec.exe | 36
PID 1572 wrote to memory of 2312 | 1572 | MsiExec.exe | 36
PID 1572 wrote to memory of 2312 | 1572 | MsiExec.exe | 36
PID 1572 wrote to memory of 2312 | 1572 | MsiExec.exe | 36
PID 1572 wrote to memory of 2312 | 1572 | MsiExec.exe | 36
PID 1572 wrote to memory of 2056 | 1572 | MsiExec.exe | 37
PID 1572 wrote to memory of 2056 | 1572 | MsiExec.exe | 37
PID 1572 wrote to memory of 2056 | 1572 | MsiExec.exe | 37
PID 1572 wrote to memory of 2056 | 1572 | MsiExec.exe | 37
PID 1572 wrote to memory of 2056 | 1572 | MsiExec.exe | 37
PID 1572 wrote to memory of 2056 | 1572 | MsiExec.exe | 37
PID 1572 wrote to memory of 2056 | 1572 | MsiExec.exe | 37
PID 2648 wrote to memory of 2600 | 2648 | msiexec.exe | 39
PID 2648 wrote to memory of 2600 | 2648 | msiexec.exe | 39
PID 2648 wrote to memory of 2600 | 2648 | msiexec.exe | 39
PID 2648 wrote to memory of 2600 | 2648 | msiexec.exe | 39
PID 2648 wrote to memory of 2600 | 2648 | msiexec.exe | 39
PID 2648 wrote to memory of 2600 | 2648 | msiexec.exe | 39
PID 2648 wrote to memory of 2600 | 2648 | msiexec.exe | 39
PID 2600 wrote to memory of 2572 | 2600 | MsiExec.exe | 40
PID 2600 wrote to memory of 2572 | 2600 | MsiExec.exe | 40
PID 2600 wrote to memory of 2572 | 2600 | MsiExec.exe | 40
PID 2600 wrote to memory of 2572 | 2600 | MsiExec.exe | 40
PID 2572 wrote to memory of 2800 | 2572 | NET.exe | 42
PID 2572 wrote to memory of 2800 | 2572 | NET.exe | 42
PID 2572 wrote to memory of 2800 | 2572 | NET.exe | 42
PID 2572 wrote to memory of 2800 | 2572 | NET.exe | 42
PID 2600 wrote to memory of 2156 | 2600 | MsiExec.exe | 43
PID 2600 wrote to memory of 2156 | 2600 | MsiExec.exe | 43
PID 2600 wrote to memory of 2156 | 2600 | MsiExec.exe | 43
PID 2600 wrote to memory of 2156 | 2600 | MsiExec.exe | 43
PID 2648 wrote to memory of 1264 | 2648 | msiexec.exe | 45
PID 2648 wrote to memory of 1264 | 2648 | msiexec.exe | 45
PID 2648 wrote to memory of 1264 | 2648 | msiexec.exe | 45
PID 1572 wrote to memory of 1476 | 1572 | MsiExec.exe | 47
PID 1572 wrote to memory of 1476 | 1572 | MsiExec.exe | 47
PID 1572 wrote to memory of 1476 | 1572 | MsiExec.exe | 47
PID 1572 wrote to memory of 1476 | 1572 | MsiExec.exe | 47
PID 1572 wrote to memory of 1476 | 1572 | MsiExec.exe | 47
PID 1572 wrote to memory of 1476 | 1572 | MsiExec.exe | 47
PID 1572 wrote to memory of 1476 | 1572 | MsiExec.exe | 47
PID 552 wrote to memory of 1704 | 552 | AteraAgent.exe | 48
PID 552 wrote to memory of 1704 | 552 | AteraAgent.exe | 48
PID 552 wrote to memory of 1704 | 552 | AteraAgent.exe | 48
PID 552 wrote to memory of 872 | 552 | AteraAgent.exe | 51
PID 552 wrote to memory of 872 | 552 | AteraAgent.exe | 51
PID 552 wrote to memory of 872 | 552 | AteraAgent.exe | 51
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
Indentation shows the parent/child relationship in the process tree; each entry lists the image path, the command line, the behaviours attributed to it, and its PID.

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\99943cbf5119b45787f6d349e0c8f65768360253e00451b9050923bfe4618e06.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2192

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2648

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding C78E12A0D4CF5EB6A7C9DE32E9850E15
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:1572

        C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe "C:\Windows\Installer\MSI9993.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259431004 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
          - Drops file in Windows directory
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID:1376

        C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe "C:\Windows\Installer\MSI9D5B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259431815 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
          - Blocklisted process makes network request
          - Drops file in Windows directory
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of AdjustPrivilegeToken
          PID:2312

        C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe "C:\Windows\Installer\MSIB291.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259437306 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
          - Drops file in Windows directory
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID:2056

        C:\Windows\SysWOW64\rundll32.exe
          Command line: rundll32.exe "C:\Windows\Installer\MSIC0AC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259440801 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
          - Blocklisted process makes network request
          - Drops file in Windows directory
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          PID:1476

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 71C08CF48957DB27B603A1315404A8CE M Global\MSI0000
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2600

        C:\Windows\syswow64\NET.exe
          Command line: "NET" STOP AteraAgent
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID:2572

            C:\Windows\SysWOW64\net1.exe
              Command line: C:\Windows\system32\net1 STOP AteraAgent
              - System Location Discovery: System Language Discovery
              PID:2800

        C:\Windows\syswow64\TaskKill.exe
          Command line: "TaskKill.exe" /f /im AteraAgent.exe
          - System Location Discovery: System Language Discovery
          - Kills process with taskkill
          PID:2156

    C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MsCh3IAF" /AgentId="70ae408a-9466-440d-a0ac-fab509a17f9c"
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      PID:1264

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
  PID:1660

C:\Windows\system32\DrvInst.exe
  Command line: DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003BC" "00000000000004D8"
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:1732

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:552

    C:\Windows\System32\sc.exe
      Command line: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      - Launches sc.exe
      PID:1704

    C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 70ae408a-9466-440d-a0ac-fab509a17f9c "63038810-8cbb-4d8f-9042-1357b8eec505" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MsCh3IAF
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      PID:872
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Modify Registry (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
- System Binary Proxy Execution (1)
  - Msiexec (1)
Downloads

Filesize 8KB
MD5 09436dd33fe82a5935de5a3f34409f56
SHA1 b948496503a1218ac4441ce36d61704e46c7cd50
SHA256 2f10399b662c61d96875bf864e3a3714fa55d70b0de28799bb62a2e9a6da1c9c
SHA512 e1cf42d963e20894eab83d7980c7c47eade4b603a1648a67660b841a749418d11fe3e24987f93f2ea602f3a8cbce20efe3311653820be2ee1ec4ac64a79a7bbd

Filesize 753B
MD5 8298451e4dee214334dd2e22b8996bdc
SHA1 bc429029cc6b42c59c417773ea5df8ae54dbb971
SHA256 6fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25
SHA512 cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba

Filesize 142KB
MD5 477293f80461713d51a98a24023d45e8
SHA1 e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256 a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA512 23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

Filesize 1KB
MD5 b3bb71f9bb4de4236c26578a8fae2dcd
SHA1 1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256 e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512 fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Filesize 210KB
MD5 c106df1b5b43af3b937ace19d92b42f3
SHA1 7670fc4b6369e3fb705200050618acaa5213637f
SHA256 2b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512 616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae

Filesize 693KB
MD5 2c4d25b7fbd1adfd4471052fa482af72
SHA1 fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA256 2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512 f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize 12B
MD5 dc63026e80d2bb04f71e41916f807e33
SHA1 6cda386d2c365f94ea3de41e2390fd916622eb51
SHA256 3b54d00f00aa80384de88e4f4005e9d4d889a2ccf64b56e0c29d274352495c85
SHA512 61da550efd55187978872f5d8e88164a6181a11c8a720684eaa737e0846fe20b9e82b73e1f689a6585834b84c4cee8dd949af43e76fd0158f6cafa704ab25183

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize 173KB
MD5 31def444e6135301ea3c38a985341837
SHA1 f135be75c721af2d5291cb463cbc22a32467084a
SHA256 36704967877e4117405bde5ec30beaf31e7492166714f3ffb2ceb262bf2fb571
SHA512 bd654388202cb5090c860a7229950b1184620746f4c584ab864eade831168bc7fae0b5e59b90165b1a9e4ba2bd154f235749718ae2df35d3dd10403092185ed1

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize 546B
MD5 158fb7d9323c6ce69d4fce11486a40a1
SHA1 29ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA256 5e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA512 7eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize 688KB
MD5 ba66874c510645c1fb5fe74f85b32e98
SHA1 e33c7e6991a25cc40d9e0dcc260b5a27f4a34e6c
SHA256 12d64550cb536a067d8afff42864836f6d41566e18f46d3ca92cb68726bdd4e9
SHA512 44e8caa916ab98da36af02b84ac944fbf0a65c80b0adbdc1a087f8ed3eff71c750fb6116f2c12034f9f9b429d6915db8f88511b79507cc4d063bab40c4eaa568

Filesize 23KB
MD5 728994584fea3a855435864dad731c21
SHA1 bbb32f1893222a8764e71b67fdc70241a629b89e
SHA256 1f484fefb3bf571552e103507ab11fb6a723471aeb276ea02a231000b49d3f7f
SHA512 3cacca5114b2ae3f7efba626fb6d60d27febda642b02fd02fa2beddc282dca8a0252dc60ef5f1ada3ffffccc2969201f3efe4dd21ab8ab96d493ea03f7056aaf

Filesize 588KB
MD5 17d74c03b6bcbcd88b46fcc58fc79a0d
SHA1 bc0316e11c119806907c058d62513eb8ce32288c
SHA256 13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512 f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

Filesize 215B
MD5 14b0c013e902f21a1fd3d2bb17769297
SHA1 43a3e046e52cb4445a291592bd919f9743fce952
SHA256 f1009ccc778645bffc1c31009d91df33d03f57c8f350842887bddbdd6decf353
SHA512 bcd41ff2d510f6ac00d04faa878c3225a11d83b82f8d70de34edf910fc44b980e7602be38ca66f033d7690e6f1cf57a88ee1236b22c823e683cd1dead4fd5de0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 471B
MD5 646afabf478eda786a8d5e0dee389b34
SHA1 eac4daeba634957d051073a55e3b9a7c80991cba
SHA256 ccb28545fc0777dc459b1e9c1b1eae508ffd640c399b8b93de03dee6ab1e9903
SHA512 5b0770ce768d8aad0e5031bbc73c00a4ebbda78a43a77a20b7a4acc49acdd985e08f3b6bc631b25dde7e45edd81d51acd35a8f03ddd250f67deb8f613708ac94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize 727B
MD5 dda7e1956de2ae2d4bd35bc0704a2154
SHA1 4cee45a879ef15cc7379292df4ea20275549dc30
SHA256 f65b87c1bc3b0930729a647c8078a7c5f6ea0fbc8272ad75740167069ccd6fc7
SHA512 49427b506f07c4425fa87e2406048341b07b47ba16ab1eb302684c9436fadc1746ca418a8d021b6bdd2f699906e33929986327643fb59ed5fb287af818d757e0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 727B
MD5 85e4ef53daf9d74a4f483e3575e0182e
SHA1 706b05f30e9ca50caa4d2ab06eebde684094f9f8
SHA256 a155eddd3fefeb549e9a57df0fe3910f7f66cf43e310dc81fc4a59e2e9529af4
SHA512 69e9854a575ce93964777b31caea6167a4291c57482bd342731bb02f04be93450694a75c7ba019ead54f38f25dfb96263111ba33a1db57f77e25cf8ee681f007

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 400B
MD5 1d540f16d7986abc08dd0862d3030a3b
SHA1 9a5a2244c40e615ea507e01353ac03bae74f3d81
SHA256 101e3fbf72b3c54fa72d66857ec992315ae0683873ee8a959316efa382740c88
SHA512 88aee8d70259069b4886ef2543807f8754b3e97f5fffae7178554923b3e7d5c802b8c14dd50434e5fcea0ed1ba4f1cafc097b0b8a6f4a1869e439441c559da09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize 404B
MD5 bc5a4325868c3fe87be16d6e40672aa3
SHA1 cfffa8b908bf50c7ea83cb592511a571b11595ad
SHA256 607d4b0f64dda7e40ed25a46cf0c5b010e06e4a2dd344494a5a1b0902b3360da
SHA512 d49c36915b52738b15734b2ac36083f6b274723364be8c14fb80763175deca0da58705045568b420aafe24f4aa5f110951507d494309c5022f1b021d9be37232

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fa1361c076a12cba39c8fe5582b5080d
SHA1 d983a4c1487217d1963b4fe1f17579aee18943e9
SHA256 e452e3c3f9f688c7326c83ea68a3a0dda68c2b66eb9b53e6800d8656c5eace86
SHA512 4688b90b439a09e966f1475054178f2358d88eda4b1e51d32baa774056e5f69f43a9a728f4c4ef47b26e61f1f630344eaf3b3f4a8af0af4f374ad457da38ec26

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6e2ead1be7d0cd3f1dc0588d0440e2e7
SHA1 51dea7373c07ff48405da3f7d4e5ff8b1d99e653
SHA256 4e28d345b43cf7b6055b69206ef100c78ffb7c4da9d43505e2552cead810176f
SHA512 e2d239a5156e7240cfde1bd479525a561f6ecf49e9951654b22b0dfc0297d9bdac583c4a49420ef2db3e7ee8d8dd3ec8aa80a623499b6d567fd4ee21bc898bbe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 412B
MD5 b4110e338204a1541370bbf617795a18
SHA1 08b79e10502cdd7058cba9bcf414a7995262492c
SHA256 a40e6e4864126528e352275ad29f8617a9affb33752f9ef5ddd0a4f6f0f19d76
SHA512 d9ace807fcb33e80048b354a4358a8920b585cff40ceed051d2eb65d37017941509a84dce2e23922a21cf4ef8649af3ff1cdc907b57b7627d09a605057367bfb

Filesize 70KB
MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Filesize 181KB
MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Filesize 509KB
MD5 88d29734f37bdcffd202eafcdd082f9d
SHA1 823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA256 87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA512 1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

Filesize 1KB
MD5 bc17e956cde8dd5425f2b2a68ed919f8
SHA1 5e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256 e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA512 02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

Filesize 695KB
MD5 715a1fbee4665e99e859eda667fe8034
SHA1 e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256 c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512 bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Filesize 211KB
MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Filesize 2.9MB
MD5 16a2d0c6e475bc422bf93644bef37e3a
SHA1 f81d7cebf47a0df8e55501ef8edb2ff9fbf8c78d
SHA256 99943cbf5119b45787f6d349e0c8f65768360253e00451b9050923bfe4618e06
SHA512 77fd886d244569e7074b87c48666e1b568fee6b8cde708f81b7b99e60744d7abe35bfaf46540a42f9cdc86d65cc84ae089d55567c702e608c0de7dbed628f79f

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize 1KB
MD5 55540a230bdab55187a841cfe1aa1545
SHA1 363e4734f757bdeb89868efe94907774a327695e
SHA256 d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512 c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 1KB
MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 fcabc84fd08e2c6d4aedc407a95d4fa7
SHA1 b72d90ef8c35109333ec40926509517bc05aa86f
SHA256 58a6d2e50c7f31674b44a7c15d2dfb3fd0480f72393925504bfa9c2cc5c75bf2
SHA512 9539f4777910c0fa796bc92965030cee66291d614f58d8a11fc2f62e8d1de0d7184923e65ca183544a4d95b1c8f95f14896708af153d1f08927f04d286f75c43

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 975c04fad741259248ce961f7a544e8c
SHA1 079dc1e0be3df4ffd9da7fd036476adb9d1f7a9c
SHA256 fceeaa57e19fd5256014778242ae3abbd51f702aa68be5f2ab8c9bc268eee735
SHA512 c59dab533989062bdd01bdc060db9650bedd0b178bdfeec5d9cc029679c712b7e72260a376f6a1ccd9d653b122ef8915849da3a7808f4192b6d40ce19ef60d7c

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 48113222f1b325cbed36bc3c117b29c6
SHA1 0dbc8911426664a6c0f27383236e830e5431e641
SHA256 fc3ac14c4b42892ced6b7dd1fb26a91cb73eb0024580e946e8e06880d40e873c
SHA512 5cd8ce8f22bf02fb640a5ef5e925e4cfa925b02ed817f4ceaee9b9831e63d18ee68dce6b91de06721fb7c2e7284a1b006156c701dc86a8c559c05955aa368c85

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 d38cbf0ef5e853f91f5b4c40be81118b
SHA1 006b5a975091ed147ab9579b95c0a3bfaec127bd
SHA256 1f250c8d9f7755bb823700d92c35724704f4db9ebbe8a8282ca8c6362a881a18
SHA512 61d7e62c010be446d2d44b98f1ed21e30e99f26050afca08a6bdeac742f538b2fef82e1fad98b465c188aafc5d265038fa78e8f47ea15abdef0cded7626c1095

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 6a35d41176b5edf27cb7835fb1343d85
SHA1 dbd2bf846a9e9840e472b94609bf2789ec0d3785
SHA256 a2813b15d4da01f24d8c007165abd1d5c167c5039c6ea9af039f8fa25a3b3d6f
SHA512 f996c848097a0a6bf66e7e32f868469e8fa857e518f2f3ebdc5b7f074a91e821308d1cdf54780e087c663afa701856df82c9831413472f64eaec895e8630393f

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 bfe8cc00ea8227f4cfecd8affc824a28
SHA1 7954dc06603664165b7d861245b9bd71b1cb0441
SHA256 7b066705b95bbae7d8491db1cb391ff3737a209908bcbab4d71c6e2485bda0f7
SHA512 8e417af9ab7dfa32464fbc27b16b5ba1ffa9cbc07ffcf55ae30eebc4092357711ef806b7b122d359a7b21eea27c7cbc369856b92132203375569b79779cf1c54

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 f0fa3aacbc24f2fdc025ab854af0895d
SHA1 179bb4c434dd151cf060b8f697cd59e5c06c548a
SHA256 5065b0a9e13828da4b3da9b0eb4afb41f6499dd28885351dab271039bc8d8568
SHA512 ccb774c2baeeb91b854c6db99a670fdb8b22e6e931e7e479df71f0a223a251c0215e5ea9d5a1fcd73b3fdd7c20c1d5087d4663503bef7af135aa8d61963c60ab

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 546dc34973b262d92f053f9bed7d5bf6
SHA1 6aadd53bd59126a6d47f321f4aeef45a15810ba6
SHA256 ca7415f13523d69e7852cfacb7ff9a5be6177255ae62d118e00ea21907f855f5
SHA512 4d455f47c3112c5f165c71f4370bedc7fa5206b13b728f6f74224a63de33c51f146cd602c81d186e47cc187b39a14e034a7221e89ea6143edca59f9c9736fc22

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 96b08c4b4042b23d663e694602835ca7
SHA1 3b0e6b5490c29e9239d43847fc238268213b91c2
SHA256 67a1283b84bc327e0acb636055363e349309d97ccd9fc3e385c4898c97fbeaa7
SHA512 9bfa6e7a6680b6335a20b91c83b518588dd3c7cbe84cb220b53237e5affb4da98933026fe40e606bc3d7e3baa791dbbd8a89024449a8baa1b78387f4374be0a8

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 4f6c5a75c21bbff762e96a49dd5989fe
SHA1 56e056fdb54abff8e1d509036d7e8922a741b6cd
SHA256 986cf19208a1328d6f097f0ce88e9800e893c4d6b6496d2b706587e7e0d3d945
SHA512 568ead563cc236ae6670e8415e244c4a6ccd91977de560708a295f767dc84a8ff6838c2e60bfb09d9620f8c1d5cff85c8ba1f17674603b7906bc6124aacfcbde

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 b9fdd64bed7ee25cdfeb34a57ac0f3ab
SHA1 15365be66f2ef230a025c045005a2521f7eefcae
SHA256 70a8bed3905e80d72b87ae72e6e5dcc6776f01f7a6bbc56100d88cf0dc528fcf
SHA512 1c9cbc67a6af598800b0a07f510041a75831345ef6a99f078ea4e614d6a507546d0eb5e08e3a11f08be90c92ae703e505142f1aa75a7384f1def6f733ea727aa

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 e11c5b94d46536b05da602c44d526909
SHA1 94a8f210a97d4896c99dc6bb5284ee9f1fb4780a
SHA256 744ec0da2ebe1bc9b521248359b9a84eba4c91577d3e415ecb98bf5ab6009ed5
SHA512 0ebbd0382e40fa882a737e6da34bbfd4cd490585fd2bc8b5c62691650735819bd19a0b6e30f0bb44acbdace6fb309304d24f762faa4c035dd1f2da8ae05ab61d

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 988566cce279fee12a560eb017f66618
SHA1 236c9bc26a948f58cd3e2929374966e9116f43ba
SHA256 97bd832441483803e7c1071cb84072c23a08225e0f93ce5714fcf7a4864662b1
SHA512 7e4a448e3336d63908f16f298e1103490829264d1cdd0cd972f64ad7abc63a7b033bcd998643e7bab360f532f097c1018131adcb94e720ddf1fab894f7b04338

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize 342B
MD5 08533343a5c8c3ff53c18f1c0763811f
SHA1 59c91fc002ee6422deb890e9906f7a433db3fa3e
SHA256 54fa7f287f42d9aeb4057f4d24f7523a5f4ddf6187958a248c4588fc27d62527
SHA512 bc707bd0d49150205c53e4c7f2c65d52b5732e7c73f3b958a0a3b868f3d0084ea1f4e105fa0e96e1b8c040bea23b8bf4bd260e9008be8c563a4eeaf72905faef

C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize 242B
MD5 f6d69f0165d03cbd1ef15116e621680e
SHA1 8df14c49c79d5cb52ecb6d94f6bdabf1409d013a
SHA256 ba6a71087149a5e0964d40d7e8cba1ce45c8f24fb6eb37d162fd5dce0dab3381
SHA512 4aba25f428ac80579803680f63e2329550344ccbdcea60897a7c89a8b67fdf56453cc9c77a8115e032496b1f2f8209af2a216288db1a3b08ba8b5ebbab24fe46

Filesize 29KB
MD5 d59a6b36c5a94916241a3ead50222b6f
SHA1 e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256 a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA512 17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Filesize 81KB
MD5 b13f51572f55a2d31ed9f266d581e9ea
SHA1 7eef3111b878e159e520f34410ad87adecf0ca92
SHA256 725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512 f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Filesize 25KB
MD5 aa1b9c5c685173fad2dabebeb3171f01
SHA1 ed756b1760e563ce888276ff248c734b7dd851fb
SHA256 e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512 d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

Filesize 179KB
MD5 1a5caea6734fdd07caa514c3f3fb75da
SHA1 f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256 cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512 a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1