Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
08-11-2024 12:28
Behavioral task
behavioral1
Sample
c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi
Resource
win10v2004-20241007-en
General
-
Target
c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi
-
Size
2.9MB
-
MD5
ca547b71f62c449c8e365701212469d9
-
SHA1
43d9688cb60427723cf098896d762b010487bbee
-
SHA256
c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621
-
SHA512
6ebe3885cc2ddad0c8579ece4344d6c3b75929e389270aabd409ecdea3772f7baa1b866e0f4a37e706441c8a17d1e243cb9cd81b659fec42db69fcfff1fa6f2e
-
SSDEEP
49152:a+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:a+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x0007000000019c3a-433.dat family_ateraagent -
Blocklisted process makes network request 7 IoCs
Processes:
msiexec.exerundll32.exerundll32.exeflow pid Process 3 2104 msiexec.exe 5 2104 msiexec.exe 7 2104 msiexec.exe 11 2952 rundll32.exe 13 2952 rundll32.exe 18 2196 rundll32.exe 20 2196 rundll32.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Drops file in System32 directory 18 IoCs
Processes:
AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exedescription ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 AgentPackageAgentInformation.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 18 IoCs
Processes:
msiexec.exeAteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exedescription ioc Process File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt AgentPackageAgentInformation.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll AteraAgent.exe -
Drops file in Windows directory 37 IoCs
Processes:
msiexec.exerundll32.exerundll32.exerundll32.exeDrvInst.exerundll32.exedescription ioc Process File opened for modification C:\Windows\Installer\MSIF937.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1C1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF700.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF8C8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE811.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE552.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE811.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE811.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF700.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF887.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\Installer\f76e4d3.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE811.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIF700.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIF700.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File created C:\Windows\Installer\f76e4d6.msi msiexec.exe File opened for modification C:\Windows\Installer\f76e4d4.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI1C1.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE811.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE811.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE552.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIF700.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF700.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIF888.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\f76e4d3.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE552.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE552.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE552.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI1C1.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\Installer\MSIE552.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1C1.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI1C1.tmp-\System.Management.dll rundll32.exe File created C:\Windows\Installer\f76e4d4.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI1C1.tmp-\CustomAction.config rundll32.exe -
Executes dropped EXE 3 IoCs
Processes:
AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exepid Process 1652 AteraAgent.exe 596 AteraAgent.exe 1344 AgentPackageAgentInformation.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exepid Process 2844 sc.exe -
Loads dropped DLL 35 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exerundll32.exeMsiExec.exerundll32.exepid Process 1948 MsiExec.exe 1568 rundll32.exe 1568 rundll32.exe 1568 rundll32.exe 1568 rundll32.exe 1568 rundll32.exe 1948 MsiExec.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 1948 MsiExec.exe 2260 rundll32.exe 2260 rundll32.exe 2260 rundll32.exe 2260 rundll32.exe 2260 rundll32.exe 1948 MsiExec.exe 1864 MsiExec.exe 1864 MsiExec.exe 1948 MsiExec.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
rundll32.exerundll32.exeMsiExec.exeTaskKill.exerundll32.exeMsiExec.exerundll32.exeNET.exenet1.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe -
Kills process with taskkill 1 IoCs
Processes:
TaskKill.exepid Process 1668 TaskKill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
DrvInst.exeAteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exemsiexec.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe -
Modifies registry class 22 IoCs
Processes:
msiexec.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature msiexec.exe -
Processes:
AteraAgent.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
msiexec.exeAteraAgent.exepid Process 2888 msiexec.exe 2888 msiexec.exe 596 AteraAgent.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exerundll32.exedescription pid Process Token: SeShutdownPrivilege 2104 msiexec.exe Token: SeIncreaseQuotaPrivilege 2104 msiexec.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeTakeOwnershipPrivilege 2888 msiexec.exe Token: SeSecurityPrivilege 2888 msiexec.exe Token: SeCreateTokenPrivilege 2104 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2104 msiexec.exe Token: SeLockMemoryPrivilege 2104 msiexec.exe Token: SeIncreaseQuotaPrivilege 2104 msiexec.exe Token: SeMachineAccountPrivilege 2104 msiexec.exe Token: SeTcbPrivilege 2104 msiexec.exe Token: SeSecurityPrivilege 2104 msiexec.exe Token: SeTakeOwnershipPrivilege 2104 msiexec.exe Token: SeLoadDriverPrivilege 2104 msiexec.exe Token: SeSystemProfilePrivilege 2104 msiexec.exe Token: SeSystemtimePrivilege 2104 msiexec.exe Token: SeProfSingleProcessPrivilege 2104 msiexec.exe Token: SeIncBasePriorityPrivilege 2104 msiexec.exe Token: SeCreatePagefilePrivilege 2104 msiexec.exe Token: SeCreatePermanentPrivilege 2104 msiexec.exe Token: SeBackupPrivilege 2104 msiexec.exe Token: SeRestorePrivilege 2104 msiexec.exe Token: SeShutdownPrivilege 2104 msiexec.exe Token: SeDebugPrivilege 2104 msiexec.exe Token: SeAuditPrivilege 2104 msiexec.exe Token: SeSystemEnvironmentPrivilege 2104 msiexec.exe Token: SeChangeNotifyPrivilege 2104 msiexec.exe Token: SeRemoteShutdownPrivilege 2104 msiexec.exe Token: SeUndockPrivilege 2104 msiexec.exe Token: SeSyncAgentPrivilege 2104 msiexec.exe Token: SeEnableDelegationPrivilege 2104 msiexec.exe Token: SeManageVolumePrivilege 2104 msiexec.exe Token: SeImpersonatePrivilege 2104 msiexec.exe Token: SeCreateGlobalPrivilege 2104 msiexec.exe Token: SeBackupPrivilege 2752 vssvc.exe Token: SeRestorePrivilege 2752 vssvc.exe Token: SeAuditPrivilege 2752 vssvc.exe Token: SeBackupPrivilege 2888 msiexec.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeRestorePrivilege 2100 DrvInst.exe Token: SeRestorePrivilege 2100 DrvInst.exe Token: SeRestorePrivilege 2100 DrvInst.exe Token: SeRestorePrivilege 2100 DrvInst.exe Token: SeRestorePrivilege 2100 DrvInst.exe Token: SeRestorePrivilege 2100 DrvInst.exe Token: SeRestorePrivilege 2100 DrvInst.exe Token: SeLoadDriverPrivilege 2100 DrvInst.exe Token: SeLoadDriverPrivilege 2100 DrvInst.exe Token: SeLoadDriverPrivilege 2100 DrvInst.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeTakeOwnershipPrivilege 2888 msiexec.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeTakeOwnershipPrivilege 2888 msiexec.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeTakeOwnershipPrivilege 2888 msiexec.exe Token: SeDebugPrivilege 2952 rundll32.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeTakeOwnershipPrivilege 2888 msiexec.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeTakeOwnershipPrivilege 2888 msiexec.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeTakeOwnershipPrivilege 2888 msiexec.exe Token: SeRestorePrivilege 2888 msiexec.exe Token: SeTakeOwnershipPrivilege 2888 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid Process 2104 msiexec.exe 2104 msiexec.exe -
Suspicious use of WriteProcessMemory 63 IoCs
Processes:
msiexec.exeMsiExec.exeMsiExec.exeNET.exeAteraAgent.exedescription pid Process procid_target PID 2888 wrote to memory of 1948 2888 msiexec.exe 35 PID 2888 wrote to memory of 1948 2888 msiexec.exe 35 PID 2888 wrote to memory of 1948 2888 msiexec.exe 35 PID 2888 wrote to memory of 1948 2888 msiexec.exe 35 PID 2888 wrote to memory of 1948 2888 msiexec.exe 35 PID 2888 wrote to memory of 1948 2888 msiexec.exe 35 PID 2888 wrote to memory of 1948 2888 msiexec.exe 35 PID 1948 wrote to memory of 1568 1948 MsiExec.exe 36 PID 1948 wrote to memory of 1568 1948 MsiExec.exe 36 PID 1948 wrote to memory of 1568 1948 MsiExec.exe 36 PID 1948 wrote to memory of 1568 1948 MsiExec.exe 36 PID 1948 wrote to memory of 1568 1948 MsiExec.exe 36 PID 1948 wrote to memory of 1568 1948 MsiExec.exe 36 PID 1948 wrote to memory of 1568 1948 MsiExec.exe 36 PID 1948 wrote to memory of 2952 1948 MsiExec.exe 37 PID 1948 wrote to memory of 2952 1948 MsiExec.exe 37 PID 1948 wrote to memory of 2952 1948 MsiExec.exe 37 PID 1948 wrote to memory of 2952 1948 MsiExec.exe 37 PID 1948 wrote to memory of 2952 1948 MsiExec.exe 37 PID 1948 wrote to memory of 2952 1948 MsiExec.exe 37 PID 1948 wrote to memory of 2952 1948 MsiExec.exe 37 PID 1948 wrote to memory of 2260 1948 MsiExec.exe 38 PID 1948 wrote to memory of 2260 1948 MsiExec.exe 38 PID 1948 wrote to memory of 2260 1948 MsiExec.exe 38 PID 1948 wrote to memory of 2260 1948 MsiExec.exe 38 PID 1948 wrote to memory of 2260 1948 MsiExec.exe 38 PID 1948 wrote to memory of 2260 1948 MsiExec.exe 38 PID 1948 wrote to memory of 2260 1948 MsiExec.exe 38 PID 2888 wrote to memory of 1864 2888 msiexec.exe 40 PID 2888 wrote to memory of 1864 2888 msiexec.exe 40 PID 2888 wrote to memory of 1864 2888 msiexec.exe 40 PID 2888 wrote to memory of 1864 2888 msiexec.exe 40 PID 2888 wrote to memory of 1864 2888 msiexec.exe 40 PID 2888 wrote to memory of 1864 2888 msiexec.exe 40 PID 2888 wrote to memory of 1864 2888 msiexec.exe 40 PID 1864 wrote to memory of 2324 1864 MsiExec.exe 41 PID 1864 wrote to memory of 2324 1864 MsiExec.exe 41 PID 1864 wrote to memory of 2324 1864 MsiExec.exe 41 PID 1864 wrote to memory of 2324 1864 MsiExec.exe 41 PID 2324 wrote to memory of 2220 2324 NET.exe 43 PID 2324 wrote to memory of 2220 2324 NET.exe 43 PID 2324 wrote to memory of 2220 2324 NET.exe 43 PID 2324 wrote to memory of 2220 2324 NET.exe 43 PID 1864 wrote to memory of 1668 1864 MsiExec.exe 44 PID 1864 wrote to memory of 1668 1864 MsiExec.exe 44 PID 1864 wrote to memory of 1668 1864 MsiExec.exe 44 PID 1864 wrote to memory of 1668 1864 MsiExec.exe 44 PID 2888 wrote to memory of 1652 2888 msiexec.exe 46 PID 2888 wrote to memory of 1652 2888 msiexec.exe 46 PID 2888 wrote to memory of 1652 2888 msiexec.exe 46 PID 596 wrote to memory of 2844 596 AteraAgent.exe 48 PID 596 wrote to memory of 2844 596 AteraAgent.exe 48 PID 596 wrote to memory of 2844 596 AteraAgent.exe 48 PID 1948 wrote to memory of 2196 1948 MsiExec.exe 50 PID 1948 wrote to memory of 2196 1948 MsiExec.exe 50 PID 1948 wrote to memory of 2196 1948 MsiExec.exe 50 PID 1948 wrote to memory of 2196 1948 MsiExec.exe 50 PID 1948 wrote to memory of 2196 1948 MsiExec.exe 50 PID 1948 wrote to memory of 2196 1948 MsiExec.exe 50 PID 1948 wrote to memory of 2196 1948 MsiExec.exe 50 PID 596 wrote to memory of 1344 596 AteraAgent.exe 51 PID 596 wrote to memory of 1344 596 AteraAgent.exe 51 PID 596 wrote to memory of 1344 596 AteraAgent.exe 51 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2104
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2888 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5CD72771D08C49E17DB647A717853C032⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1948 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIE552.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259450348 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1568
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIE811.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259450941 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2952
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIF700.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259454763 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2260
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI1C1.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259457477 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2196
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding ED39A78AAAFA8920BB6ACE09C0AD22A0 M Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864 -
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:2220
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1668
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000ND5FxIAL" /AgentId="51ac33d3-e48b-47e8-ba10-8dc10f38f9fa"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1652
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000498" "0000000000000494"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2100
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:596 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:2844
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 51ac33d3-e48b-47e8-ba10-8dc10f38f9fa "dd9b44de-b360-4724-ab81-f3944ecc3f62" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000ND5FxIAL2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1344
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5a03897bfb1d3978b932c6c2d7d45e96a
SHA1ff74c5ceeafe4a334fc46bc73cb41e46d444c803
SHA256705ef5bdba3deaa88aa9bed0ca266397057d6d1c21c47578c6e17c10d6e8b2eb
SHA5125c3c035bcbb63fb7424f477ce1d50c89349375c60a5ec62c355dc51c652194809cbaae6ac9050e172b02b7425a0b60c63f7d42ac67dc43c999b2d681c760ad11
-
Filesize
753B
MD58298451e4dee214334dd2e22b8996bdc
SHA1bc429029cc6b42c59c417773ea5df8ae54dbb971
SHA2566fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25
SHA512cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
210KB
MD5c106df1b5b43af3b937ace19d92b42f3
SHA17670fc4b6369e3fb705200050618acaa5213637f
SHA2562b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD5dc63026e80d2bb04f71e41916f807e33
SHA16cda386d2c365f94ea3de41e2390fd916622eb51
SHA2563b54d00f00aa80384de88e4f4005e9d4d889a2ccf64b56e0c29d274352495c85
SHA51261da550efd55187978872f5d8e88164a6181a11c8a720684eaa737e0846fe20b9e82b73e1f689a6585834b84c4cee8dd949af43e76fd0158f6cafa704ab25183
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize173KB
MD531def444e6135301ea3c38a985341837
SHA1f135be75c721af2d5291cb463cbc22a32467084a
SHA25636704967877e4117405bde5ec30beaf31e7492166714f3ffb2ceb262bf2fb571
SHA512bd654388202cb5090c860a7229950b1184620746f4c584ab864eade831168bc7fae0b5e59b90165b1a9e4ba2bd154f235749718ae2df35d3dd10403092185ed1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Filesize94KB
MD59d8b5941ea5b905e8197a175ef2b15a9
SHA186a078e94b5578ec4125f50f78c8518a8ce1d086
SHA256c6f05b647dbadc15ab97d31790fc8ace054986ec33e9178feead4235ad15cb0d
SHA512fab5fe82873862ce8ed1a427482093cca307f6663e9f6497fdc244ce461312872d419ff274cdca0c496414c28681901f335c9911b95d2a7c112d30e32d74e498
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize688KB
MD5ba66874c510645c1fb5fe74f85b32e98
SHA1e33c7e6991a25cc40d9e0dcc260b5a27f4a34e6c
SHA25612d64550cb536a067d8afff42864836f6d41566e18f46d3ca92cb68726bdd4e9
SHA51244e8caa916ab98da36af02b84ac944fbf0a65c80b0adbdc1a087f8ed3eff71c750fb6116f2c12034f9f9b429d6915db8f88511b79507cc4d063bab40c4eaa568
-
Filesize
23KB
MD5231937c9315532a439ebf2623b73020f
SHA18e20fe89edc62c2ad8131bbe92d8e69ae3602c5c
SHA2565261789fb4ff74e17f5c3db81d994e1ec2597915cd8caf165af62c2011568c08
SHA51243e6cae783bdccecf1fb8a464b722e7cdf29e1ec7cc16731f36af507ba9d4deaeac2afeb076af3ec7bbc2c925f8e443684ab7756a9d8418605a10f6e2cebf111
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
224B
MD5ac874e8ddedbe4fc5a293da72a2c42b9
SHA125c1fcf2f01c9ab6a2747f74bcceb1c0e6fa0c0e
SHA25681c033cc9d7fb0ed6b11964a79d77a0f9b3d3dc33b807407795052b34326043d
SHA5127e60b2ecd601c03513314423a9de91dcfd2883634432b62a996055110a05cb360b5ec4761c52ced6dd7fe3941d683778a8251088e801f4efb2b1aa4d810cfa44
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD57795df33fc7dd3aa62e0bc052f9dfbad
SHA1ea227ec994561b5bce01c5228f9c337286fbec9c
SHA2566ad47d714f3dd55b2fe9072e829542851d2ecf60cb88254002c60449e8aca736
SHA512de11027f0ca32119ebbb17976ecbe6582ab6af8caa7ce522d75c4185da722550f1f981064db9be6074eb1c6c096c933c2de7ee42b1f31b4fedc9982f87157f9d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD529dd7378778c44788bac45d70ea7b440
SHA17a3c5e30c0c9a9be505b18fd2c24422d5e3dbe56
SHA25669354ff510301b85c14cc1ecd0e5b3c98308b820cfbce483389a7b9a437f67d5
SHA5129e67bee1ae05b0f2408210a6662926cc9da6ee2864820a4704adffae9dd78b80e79ee32e83f5a5e35bed9603e82795a38570d56cc93384b82dc6254940079fe7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5eb9a1d98cc4b6ac3d674a6621df5a758
SHA15e9bc182d48b8e86a61d8a3f4b5add9c88da6800
SHA25620d856d68dba3e2246ebb62a5eaedcefda221accfa1b9362b33afad33b6e48c7
SHA5121054d82e5e1b2f2c1416d31f01ff2c172aca8dcc31a622cdd959f918b78a474bd9b40a9b7316122a8262fac24d6236860e2eadd665030a61d56c5c0a153f81c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD50afe1fa658d36d32f0609b5abd71b570
SHA126e59eff7b66e62897c831bf6f81ad47eab606fa
SHA2560e951bed3583d952906f852614f414a3c31fb02f27f995a4287d7e4cce433273
SHA5126ea5b8b6d6daa036dd2ea20806030273e9a902b075e280d6e44ba912149cbb9be85f2a82129aca26d0a1bd3583eefc722e6b162f2f8339df6268846ba6f270f0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD55edd5a946a134bfeacdea3f53b0c63e4
SHA17fea3bc75a7ad0aa3ad5de9d25609cfad10a1f90
SHA25610bd9a94a59e3c59a98c3ad656731c9624ea1d8ce8561d072eedab987bc90339
SHA512c1ebff8d901d72bced81f6532972bb2a8754f31ca268a1c96b166f6ebadb9d42d6d137ff26a09f6194389ef84355afe90c883d11f57a703a4bfe9c088e9ba553
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e0d4ca5f84cb82d9936fc0076f5fd263
SHA184c645c9e2f72dc644b63e4da522c07075747389
SHA256471aeb69f3c937890a54fe7b1bb168891b3b3cb8ec41c1ab0d12b192a0449430
SHA512b968e724b819b524b667f980ea15f98dc0d2eb2e457d35123445f2e378bdc7fd03e38e4dd3476421878ca431c16b3349e3f744167ecc4c3a884692680f45c513
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5857ecf491168db8ac96a5e2d7ff80272
SHA108a92137bbe8dd2f5430c8c0163676453aa2fc11
SHA256b1cca8edd0d3fab6d965f91857f15745dd95440827d3c6784313136573fa82d6
SHA512b93cf13e24b4b497c9ee522dabcc2409a82f45d90430bb6802bab93ab6efdf96b5bc6d303cc78507d6125876fdd3117e622739be577fde874942d508e5050556
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD5d6ec7b14f15028d128414ee97100e251
SHA1589c2c293666d28afa31b3c2d3eb808dd281751b
SHA25688fc4a98a325c5722f34d3bdc666f3e02130a24b7604f9e8b3b5ff47edfd260f
SHA5123881690675dfd9669cfadc970ce99b453d833981f4edf4f1ae861d34d717a39bcac348a80f89316051500b90acdc34fafd9e79586c83a852251dc7815931e01e
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.9MB
MD5ca547b71f62c449c8e365701212469d9
SHA143d9688cb60427723cf098896d762b010487bbee
SHA256c9cecdd28f5fe29825d83e1c3f022462926de9af99d388662d8c62b16d78e621
SHA5126ebe3885cc2ddad0c8579ece4344d6c3b75929e389270aabd409ecdea3772f7baa1b866e0f4a37e706441c8a17d1e243cb9cd81b659fec42db69fcfff1fa6f2e
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize230B
MD5a3111eeef4be94208dd9cf6578f97e4f
SHA19e0e20f13886342b60529088049c11332523e96f
SHA256f1a617df1b8c338d4c0d5e6fca66b0540e139aefddc7a3a20603bc2bf9a7c25c
SHA5125c01e141f4b3ec2dbf2aa19fca7e40085d925cc5c65bf40849f9e4b780d7b3af78ecffd39d36e4a7b75fbbedba4d8f01631e283bf8d5b9e7f23f39517ce912f4
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD562597aa457410ba847228c3f4397b8ca
SHA1ba38af3992ac85b807780b8d5ce9aae74857730f
SHA256adcd5c9dd2f45f987dc53bf997f04da410ec2ac767b29d90d707720464e784c6
SHA512ba3ff43d40f6008f975006df7199da1ad3dcc8880e6e2b78d8b9b4bed11c49048158d86322892cdee52c519bbda913be154bbed7f90fb9992554868748f07017
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5a84d01f4a04af103dab721c5020256d0
SHA1f2d4c9af543c5f615bd71127c3c382c24c9812fe
SHA256db82e2f76bad9f94825445896a9ca0673b6e263ab1b5bd9ddf460a7cc2985ff8
SHA51231b4cc73800bc5438974b7f6326248859413eaba0f1975f3747d0e8d294f147129ee83b8b7e69e0dd0c58eafdc6b4389dae97603e75a2dee59a47b766695b881
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52d5c767a19871bdfde20d0c0341e35fa
SHA1366280b894317439e4778dd47665915589bb8059
SHA256ea8a2019408714a941911a249abab3968e1b2f61a79426d23439ee0d559ab341
SHA512a47f56aacf1d484e0c60bd1265fadb46aca39a5401726515ee1f196adee60c54da1184815f78083fcecdc445365c981d0363d0e83b86d6cc686ba86eb962fa8e
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55d039f0fb01df208fc8e41bde17b4757
SHA1b1192f10ae715c5bbc4a24e84d681a1c4bc76b3e
SHA2566af402963f6b780f006c2cc250d00e1a03f2d35597b2cf942c1b35abce1c1746
SHA512d17207e950264f1f4ced4992496376ed0bf7e6ee040a49f362aea51584f6ac83498d3d8043ee7809aef4a7e18c6214498ebf23ee4343eca29c84e988776d6dac
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b08c96c6e2ba9b717d16aba8bf46307d
SHA1a9f1d5c75cd308277fcb4527dbdfac22e9ead07e
SHA25687abd3e4a33f7c862ae3850dc8eea9c62a31a8c418309a7f52a6e366d5e84c9b
SHA5123eeda6077ab960051238d16ab420f59c0cc2fbd3d4d11ca92ad8c8e4ae3d2b4a01cca0cf7764c7e705081d299620fa24ec4a8072186f8457166445a6e6b20210
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f7beef891787680589e3218a1956ba22
SHA135148c313f71b317a2e6c6ff070538d8b0653a81
SHA256b53766567a279f1bae57a78c8118c88e9691eea7b6c3ee30e759487fc5c4dc87
SHA512b86c09387bd7c28b84ce62212904f84bb6799c25083c09f7fe469f053a923a05324ba0491a1841ad12a551025d80745bddf30d7ec87a4ee675c263b40d7a4676
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD511cb21ca7781243546fff8aba9585056
SHA1cfcff684d7e8b3a92e86ca1765aafb9c2fb57318
SHA2560f564e8534b1fedf681d2dea9c0c326a5c8278bd91f5ed12406113a7f6ed2538
SHA512cfb59f15e4a0957e3668dd3755fbf044aa8316b2a15a58abfe0929746f93b88e150eb4b4b847a89da2c482e535348bfe2b668a07d40221f560b646739bcdb0b8
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5f9e54ce84a0c8a04e8bc1ab69fc154f9
SHA1787e57e52630eb0ec06dfd18f3837132ca045ba6
SHA256e0b69835e0034ef6de96c0e647aa981c7005883e2c61be08361591c0a89a8d17
SHA5120a1861cc39524e1991c6e6acce542d8afaa25f93f5dad5c489550acc6c9f2ff75c01d34a92c7958b71ada308f024700269c1256fe73005aa82c06efbfb8fde71
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD59a4f687829f67d7eade9526530bfac42
SHA196625629242570fed24acc385d4f89d9fda76c2e
SHA2567274c1fa8881105626f63d57659975cce0897bdfb0362f5ae9241aa09da4c958
SHA51251d67479218257d8ca056a542fa6680a2dd5a0a080fd63df8795339304c80e682e91285b337f477f1c937faa3e08b9bf7136736fff8a8c60e6f1d961face41f5
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c28d9a370ce906ccafe7509c3d7f98ef
SHA13529ae320cf6be2c684ee4f246a06e7536e7ca49
SHA25633dc79657c0384e14ce2a5599450410c6d10077e7926b4391d5dfc1f5fccddc4
SHA5124a598aed2880ccbe50b3ff9f4e980d2bd8ef146d4f32bc1260000ac50b430322f9f8dd4659478d62bd1d9d14fafd3b038834db1b9e1ad4bc178e1bba092dd400
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b47c580efce1726a8281a02908df45da
SHA1fa16ca3069d40593ea27251eb9c553a3b29551ad
SHA256cd4de30e0e8f89d8f79759801c973f52a37135dca3e1e955c193d09b275c97f1
SHA51280869dfb99c32b56caca8890eab66434776bd565be418f30caf92fa3b017652a8f6c32e2b3d7a042f8741442608fee2c2592e4d990cdfd9b9239c2854853fccb
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5b42bf4aee833fddd58cf50ea3165eec8
SHA19eef1eef9f0a361b596c260363e3f9d6091cbb1d
SHA256d3174100190127ee3746ad79cc3d7f483dcfdcb87f44e519d67d1fa09e7ab2fc
SHA5127dda3239c15593836b02d5a85300e31a3559e2543861abe8f1dadfbf7511637db66f93167ac260373ded6f1dcc76acda54aa8cfce5c3c43677c2a92a5f3449b1
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD55c1bb61fbab27cb590b24aefb25a1c31
SHA19fe5cf1d0bdfb321bdbe2ac3d78ea3f65f39c6a6
SHA25645b0948e31b544389381a8598890af050a9e9ca806abf193bc343b187d50473d
SHA512202c26dc7ddf2a1c906b28da583d7c352bb9cca426f27e2aa29d7535053f34a880305e403dccb7aa8095f2bcab7c5c8d58df0117af89b2378c36e8ec0be41bcd
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad