ateraagent | hxxps://ws[.]onehub[.]com/files/uuz4u9iq

Analysis

max time kernel
570s
max time network
555s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-11-2024 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://ws.onehub.com/files/uuz4u9iq

Score

10^/10

ateraagent discovery rat

Malware Config

Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.
rat ateraagent
Ateraagent family
ateraagent

Detects AteraAgent 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000c000000023bb3-408.dat	family_ateraagent

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exerundll32.exerundll32.exe

flow	pid	Process
102	1272	msiexec.exe
112	3620	rundll32.exe
116	916	rundll32.exe

Executes dropped EXE 4 IoCs

Processes:

AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exe

pid	Process
2856	AteraAgent.exe
3044	AteraAgent.exe
5540	AgentPackageAgentInformation.exe
5664	AgentPackageAgentInformation.exe

Loads dropped DLL 31 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exerundll32.exeMsiExec.exerundll32.exe

pid	Process
1656	MsiExec.exe
1532	rundll32.exe
1532	rundll32.exe
1532	rundll32.exe
1532	rundll32.exe
1532	rundll32.exe
1656	MsiExec.exe
3620	rundll32.exe
3620	rundll32.exe
3620	rundll32.exe
3620	rundll32.exe
3620	rundll32.exe
3620	rundll32.exe
3620	rundll32.exe
1656	MsiExec.exe
4564	rundll32.exe
4564	rundll32.exe
4564	rundll32.exe
4564	rundll32.exe
4564	rundll32.exe
1656	MsiExec.exe
2276	MsiExec.exe
2276	MsiExec.exe
1656	MsiExec.exe
916	rundll32.exe
916	rundll32.exe
916	rundll32.exe
916	rundll32.exe
916	rundll32.exe
916	rundll32.exe
916	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 12 IoCs

Processes:

AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log	AgentPackageAgentInformation.exe

Drops file in Program Files directory 17 IoCs

Processes:

msiexec.exeAteraAgent.exeAteraAgent.exe

description	ioc	Process
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe

Drops file in Windows directory 35 IoCs

Processes:

rundll32.exerundll32.exerundll32.exemsiexec.exerundll32.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6C2A.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5A70.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5EE6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5EE6.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI60DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5A70.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5A70.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5EE6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C2A.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5EE6.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6C2A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5687.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5687.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5A70.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5687.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5A70.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI614A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6216.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C2A.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5687.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5687.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI60DB.tmp	msiexec.exe
File created	C:\Windows\Installer\e5855dd.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6C2A.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI6C2A.tmp-\System.Management.dll	rundll32.exe
File created	C:\Windows\Installer\e5855db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EE6.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EE6.tmp-\System.Management.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5855db.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5687.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI5A70.tmp	msiexec.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
4836	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

rundll32.exeNET.exeMsiExec.exerundll32.exenet1.exeTaskKill.exerundll32.exerundll32.exeMsiExec.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exevssvc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

TaskKill.exe

pid	Process
224	TaskKill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exemsiexec.exechrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	AteraAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c1400000001000000140000006837e0ebb63bf85f1186fbfe617b088865f44e42040000000100000010000000d91299e84355cd8d5a86795a0118b6e90f000000010000003000000065b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64190000000100000010000000a344f71a7a52a76ee49b74b1d8816b155c000000010000000400000000100000180000000100000010000000ffac207997bb2cfe865570179ee037b94b0000000100000044000000430038004500350033003400450045003100320039004600320037004400350035003400360030004300450031003700460044003600320038003200310036005f0000002000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe

Modifies registry class 23 IoCs

Processes:

msiexec.exechrome.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "יישום הזמנה מקוונת.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_יישום הזמנה מקוונת.zip\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\Temp1_יישום הזמנה מקוונת.zip\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

AteraAgent.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exemsiexec.exeAteraAgent.exetaskmgr.exechrome.exe

pid	Process
1516	chrome.exe
1516	chrome.exe
3608	msiexec.exe
3608	msiexec.exe
3044	AteraAgent.exe
3044	AteraAgent.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5220	chrome.exe
5220	chrome.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5220	chrome.exe
5220	chrome.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
5996	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	Process
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe
Token: SeShutdownPrivilege	1516	chrome.exe
Token: SeCreatePagefilePrivilege	1516	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exemsiexec.exetaskmgr.exe

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1272	msiexec.exe
1272	msiexec.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	Process
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
1516	chrome.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe
5996	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 1516 wrote to memory of 1964	1516	chrome.exe	84
PID 1516 wrote to memory of 1964	1516	chrome.exe	84
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 1940	1516	chrome.exe	85
PID 1516 wrote to memory of 5048	1516	chrome.exe	86
PID 1516 wrote to memory of 5048	1516	chrome.exe	86
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87
PID 1516 wrote to memory of 4012	1516	chrome.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://ws.onehub.com/files/uuz4u9iq
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xc0,0x104,0x7ffc1e00cc40,0x7ffc1e00cc4c,0x7ffc1e00cc58
  2⤵
  PID:1964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:1940
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  PID:5048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4656,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=5000,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4672 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4688,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4716,i,3164543698032022427,11195829073171991199,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5220

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3432

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2256

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4788

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_יישום הזמנה מקוונת.zip\יישום הזמנה מקוונת.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:1272

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3608
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4552
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AB1B1F1616519A19A3665D54A432CADA
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1656
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI5687.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670625 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:1532
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI5A70.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240671375 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3620
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI5EE6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240672484 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4564
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI6C2A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240675921 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:916
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86C7D38F1DFD50927D983FF5C326732D E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2276
- - C:\Windows\SysWOW64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3036
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:4464
- - C:\Windows\SysWOW64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:224
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000O3Ui7IAF" /AgentId="e6807f16-2a3b-4478-972e-d4a17a0281e7"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:2856

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4212

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:3044
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:4836
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" e6807f16-2a3b-4478-972e-d4a17a0281e7 "cf24e2e3-89c0-4401-b7c4-56e23b34c27d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5540
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" e6807f16-2a3b-4478-972e-d4a17a0281e7 "a40b0ac1-1ca4-4cf6-83d5-4e2308841ef4" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:5664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5996

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:4384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5855dc.rbs

Filesize
9KB

MD5
c4953a435edc83ba0e9cdb6ea028f2cb

SHA1
f0b56cb1c45050a2624a3348d14c0d63f323e9b2

SHA256
9e62147f1d90420ab407c662ef55434f0d3a845fb6651ee0a6eb3ebfee433314

SHA512
c7f9dd0704c3bd04ed4e13e3861bb5cebb3602819dfdf0b544925312fac653e6a7ca0f7cbbfe902812bdbd80c240f4a06081740486eb0e18f5bb972ca8349076

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
142KB

MD5
477293f80461713d51a98a24023d45e8

SHA1
e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

SHA256
a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

SHA512
23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

Filesize
210KB

MD5
c106df1b5b43af3b937ace19d92b42f3

SHA1
7670fc4b6369e3fb705200050618acaa5213637f

SHA256
2b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68

SHA512
616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
2c4d25b7fbd1adfd4471052fa482af72

SHA1
fd6cd773d241b581e3c856f9e6cd06cb31a01407

SHA256
2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7

SHA512
f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
173KB

MD5
fd9df72620bca7c4d48bc105c89dffd2

SHA1
2e537e504704670b52ce775943f14bfbaf175c1b

SHA256
847d0cd49cce4975bafdeb67295ed7d2a3b059661560ca5e222544e9dfc5e760

SHA512
47228cbdba54cd4e747dba152feb76a42bfc6cd781054998a249b62dd0426c5e26854ce87b6373f213b4e538a62c08a89a488e719e2e763b7b968e77fbf4fc02

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
17d74c03b6bcbcd88b46fcc58fc79a0d

SHA1
bc0316e11c119806907c058d62513eb8ce32288c

SHA256
13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

SHA512
f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
217B

MD5
75f1ffb60d18213edfbbd3833e13713e

SHA1
0401e6fa2993442fe9bf272a259f166db5bc09e8

SHA256
13468bdac003ee2f9488a8525c7718a71cf9ae50fdf4cde09d4a69e69bb744f8

SHA512
0905d5afff0dabcfa74533281d8210275580278375059fcd21e77a2cc01f0b9db1bdca4f3869f4c17cba9d3aff9398f6a7a4bfe1059ad4244965ae699dfc29e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
719182e07998ae9226d45680aa1fe178

SHA1
8f8b03c110c129cb3a35841ed959de7a7266ffec

SHA256
8f1d64c2c4dbb6ca892083e4b4a8bdb4585597e1269c218340c6b12517bb3dbe

SHA512
2df474f0ac4d1ef93b14deda32c5476da130bc41f37c0a5cd0c271c990914613c3c788116a4b87d44876695f71e5a131847fdf96d609364c06cb2f5ed6ce76a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
727B

MD5
d36fd63217ceaf34cd032b350ba95869

SHA1
a98b697e1e5be39fa1870a4bb8b301bddaa773a0

SHA256
4d629f4cd5b8b8ae9711c8c48b33cf6e599babb98a6eb2f11c9bbede867926fa

SHA512
ec05ba3b5a714686dbe9c10921cce68f19f3bae860f1209c693c6a9992d270b87d5495798e5e720707d97d04c4c387ced7c7a18c2ea23bca5a316da075cc98f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
4f2f44acff5c280ecd26b5e7144aff24

SHA1
d542052f27cf058cd2bd7d74e75deb8a009bb334

SHA256
c9725747ce7f281ac09f3a2287a236369b00e99f310eb837c45b2b4f66b82030

SHA512
33d4fcb341e625103b16af3f7b37f4fed5e8d56256980e341fff71356d1a1296192741b96be97de703d8f54af24e3438d0a514edb621ee6e42b1dc4d79089d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
17ff98cc082ac65255241f9e1c208377

SHA1
d0cc3a3c338a9b2455135e15c8ee14aa57d648ea

SHA256
33f9d4913ed7aeca47ef77d06bac371bb3ed6157294bf5fd13aff69402a23a40

SHA512
124f0d36485d077459554a601268bbffef501990bb933043b2e090b8f9ade4fde71789c6b4e66cec59136d9b0263ab9a05260b02b1920b97ad3181b9adc32c2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
404B

MD5
7a1e2afeaa4782929fa67dade3230fe6

SHA1
728142becaec2a8281c42b6c2b6a9ac2b3af6a05

SHA256
72c301fa48c1ea705b9c31e343883b0f42d7265592e02fcd49c6df71be21b452

SHA512
89ec28dd28bba51f3bdb4940226cc2beb47d0e81c57a32122db00bedb09c88edbdf9cba5b293835f5b2328ee2b03a0e9779999db0504bc52fb0e915ccb8baed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
3c3eb09feb9ac24dd1e59c962e843097

SHA1
5d8185c39ad9a8e435ce228ac37f6af5b0b6b731

SHA256
09ec04ad2afea77f35da9c5b8da7983405a6ebc9b708107c91c78422c80a9dc7

SHA512
5f5b75588a185a622bffe6f0b5398b8ce011d374aba8dfdf18eb0e3e3f12156ea0bda283d737247f9f45c2556ed831a49a91ecfc39ab302b8f6abf7a6d32999a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\55d9e03e-e9f0-457a-b591-a500ab557607.tmp

Filesize
9KB

MD5
e06a2b7207753aa58eeb498b9ae36f48

SHA1
c3f75f79f7001fa1b6f7f62a56f78fd9f08f24ed

SHA256
abe92980f626390d69b4ff40f0ae07ab3b7665c55800e10592f193f1961b9d47

SHA512
39887d5d407302511a3c23c73d555e73b87d000b37fa073858a02ec111795271e485b6e8872fa3b18a62dbf216c38c193df4e570b945cca4cd0dfe3d29c9b9ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\59a4a7ca-42df-4e5c-88e8-02b1bb06fefb.tmp

Filesize
9KB

MD5
2e294fa230c40fa5f5fc8e5ec07994e7

SHA1
f4965d4865f760f99520562ee6586101f2bbbd40

SHA256
24c799d4f6a234da2e3cb9814adb519485e3715a6e2d90d0d2b53052bf779d4f

SHA512
8ae36e60795fab0569109333d09b898af4befe39c51c98035198ba156889d2b13b9090f549a70988d877c32e7ff2f0eff5bfb8c1dc7f38822914b07a56306112

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\802871c2-67d8-4e3b-b45d-de2b6b04e706.tmp

Filesize
9KB

MD5
ff8c2b4cfe41e10f0b8551614942be40

SHA1
9c716f022866fd4a9ac91e21f1526829fde0bfe8

SHA256
6da2c817f4aead983879af8fab966147da76304e300e14beeed81d4ac7b3176c

SHA512
10ffdc728665bbda2f2256ccfcc4a69ae48bab078e12e04e1dc8373ed80fea1aec1e5daf2343b9e18a5a68c6997f757d5181ba2d826832d32599c22a943365cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
9cbabcb2fbf1d0a0c558b598ce07e8bc

SHA1
9d7ed96883f1e720f5c74c6430db1009341f98ff

SHA256
29845d19edbee149c5d3bfd467f69f1b6738ca8e3072bb2c3b38fa67f7ed89b8

SHA512
fadaefc211afc3ab936ace3cb218a9504c191e704f7f7deda99c05d3291af3cfb48a4ce1dedcaf69023c78b4dbdd8974179dc1dd1ca0c6f01d669d79ac38aa0d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
f45479f689b5608115c14e58320f5d87

SHA1
ce48236236f045d8f3b32e347da54fa63be7dbc1

SHA256
8e163c6076d325fbb826a9d26a4b2d8d9331b6b8485b8125430de3596d1fe518

SHA512
b50bbcaf311947667981d9dcd82b870bffa3bdedb52547b4157d7f946db8c3431945e6de57493e1e88b2de67f0a5e03b1dd900a0d1fb2d6d9b47f7bca962094d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
20227f072199da7129e80e7d6f98e1f2

SHA1
6cf9df8b2025c86cb588b05eebce3f311f034d04

SHA256
c0952f3e5258ac299a8c8911df336c9c63c2781601401df2db467fd1df3ccbe6

SHA512
7d6f09d7404f6c408b5440803065575ff11b0fa11c4788bdb93601a3cbfc6443399af74be013551116435482690fcc49f05718df69ce3795de965d999e71a45b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\0747dbfc-4cf3-431d-a109-a8a1dbf7f8c7.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
0d490f74d327bf6609c19c14c07e8412

SHA1
392d532515315ba860cec74217ca73722554dada

SHA256
d2bdc12ad275289529f823bdd88980c5d5deb5bc1952929f4cdc7903b7e43d02

SHA512
370020cdb25d45ce6da51ff465fb7ba80ebdaec3a5b4e9b5ac6098910f135c451114aa869c76c732c127bf4f4fc2850a31a40bbcc64aefb903d1d65eac86b49a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1518f92c09866d1b1db423e68ff97f38

SHA1
1fd0fbf3ca947da1bd826990908f7cc87e3435ad

SHA256
ca53731279693ad8a43c755a9afdf3cfed16c64f9a27bb0a4cf5c95e8ece74f4

SHA512
565fc6fc42bb5191486a5df41993858336d66421dd77be3f9a8db518a0e75a4c773631a7bd9abbdfda0d57c11c174a909a79d35cc6fe8cf92b90556d972353fb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
b18c0866701134d1bb917cff99d106d6

SHA1
1631b0c5b36f7426cc8ae49b486da97812f3091d

SHA256
f7dc2480fad1564533f01369bfd4a2e441ae1edeaa6e414808d3eef7c9eaa423

SHA512
66e42fe125d9dd088144a1d70a6dcbce99db699bae97b8ad7fabaad2bd5d51db404e5e38a2ffe85b7958530225171091215cd6ada18dca78dff3ad4e7d4d117b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e4bcda10f21e40ef6f01fe933d979e26

SHA1
6b8b003afadc3d321d4378a6299bad0b83f255a9

SHA256
514855a32d5f21b53752754902ca8d338596993e2b2e84b34e370e76d390357d

SHA512
0c9c8bf2818e5f8b0b1ff85029a9e513aed0d074106404c79ac5c85529aa14f5d32772a6b21c84874731a0a67b1fe7c4f372cd11419daf88e0b639bd3f4d6286

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3ce6897b2d91b62909d66fd1a5de900e

SHA1
a0ce3403d0d9089c15e3684318823f19b5586c52

SHA256
3ce2e6e20c0b9fe6e28c78e65f270394e35989eac14d4b5e956ab2f5e3289c6b

SHA512
67578f5d2227a9e0a466a553601a32384d98df418b6468e4e84b192ceb2e0e83edbb1da8de8977e1d826e8d19f598e5fa47996111fc6753691d0bc110af93312

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4f6af2057d39b8ff7fb734c6c60d2d5c

SHA1
9c686708a8e304aaa816314769c2568b3b3f0cf7

SHA256
07dde5503c39b707005373c23725b29a029e912d3bcc5f4e75a615d6a1c84688

SHA512
89a109bc5d902cd2c609697da05c3e422a51504a622c5af7a729d6338ff99ee553303ad67140d2545326fa221a7261b38e493d2d374b582ea27e636825da877f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48b0a6a19ded9583bf7020c56a86531e

SHA1
e805ad3ee11a067419a48aa8e9aeb9b1ebbf6080

SHA256
05a4f9b22b9826e969f1638fd705123cf59b2f2c3fadb9d006d4b6a0d275cf71

SHA512
db9defe9088fc4813cad6bfe72a2b7b543fa2c0486f24f42b741f23b9e2bd6569e9d20026431f08113cc3c482d46e8166d4c897f1705d709cf4e963971ec84a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
42176c840171e082bc692198cd141332

SHA1
91e37b39abfdf15fb09bd8ce784f0f49a2b3db37

SHA256
21aaf5cd07d2e6c83473bbb2a028308e3185092b60e8d7e47d2a068ad20ee832

SHA512
ebfdd1208aa1358483f301ba7f02ea17a588bedf87ba2d625d29b010c63f0c82f3f58cf17b247d6c978970377b52acb39500ecf6b3060fedd81e54ca750b4466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
44b78479db23398fffc8be123d52b97e

SHA1
d8d9179dd81d17f39782258f0ac1807898a57bd4

SHA256
f9b7339b1a5b3b2cf7db456bc3542e5ef6e19037b418373bcdd06793acea8c6d

SHA512
00f9217708c837bd895846b72e068b2ce20fddca543f2bf048946b582c6cac5294c3afb91ddf1b5a9286f7c5bfa6b87edfd6bb3f33957e6034a92e8a64c0b724

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
61e4aa2efddfd53b9193a8b0b59211ae

SHA1
43e53c7de657d77879de2a271b221ed584ffb094

SHA256
80ce84760636ca81200add6f9d1bdbfae212e06ae8c1e347b9c4fc7233582638

SHA512
c95e9265d8e6ee8d6f220c8c8a9f6664f4377a83af7534cf4307271aa675000cf527dc6319f4d4e2e79a1a27698c78e89d024eba357bbb9247e6134577f49f9e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c2c19675c72d0b5a338551a50bba1a5

SHA1
6f54393ffe4584667f6605ada93c7ba149b9b87b

SHA256
6b27f992d97729c9b73482b74c09e3a30a116a43d387c6d4623b3b691e142edb

SHA512
379b2add0e76109064ab3ceb1a6cf269bfc449b307b4fc172b5d8cf27b2ba9154a75391cdb8046cbc73e4f6e070538c7d68da2f6ffe39549e5bf0f565d058523

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94236112bbbe5bd007ca6ab1bc3f55c0

SHA1
4b0fa7fdd816a4705492b55c0e72b708e56aad28

SHA256
805bbf24de0e3f6cb82e474f4a27158c4473e603f60ad5dd5b9546d1d3164463

SHA512
053531a809d973869a62c08d8458d283dc661a289000b4dad36aa31e27567a1bea1ee78b5f5a194d447e105c68fcaba13677b290b7892e314846cc58413c4f3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
889af4c237b2151f962085a62794b3f1

SHA1
dfe962d83dd7125597f10d1f33654d6b9427435f

SHA256
6960766e8e8b7e7c145d6266ad7f70a8b2a00156bea5868ca6d25b0618c11e72

SHA512
202f8e48ea658ebf131a7871ad69c731f57493c2126fb6e6d1c513a05006d369db32daa44219ad90fb45a718c3a3e62085ada97d916fc6a0b9df1d544c05f63e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d9f83ef1e7c3099cf180f159097eb83f

SHA1
60b1cef6b680efb904bcc849c3336b9d3fc75ddb

SHA256
390b33f9704cc7450e4eb6d8cb722f1255f67a4e08d885a537101e2b974b5829

SHA512
72d78337079dcd0a640f036974c5f316309caf3e03fdf721751d21c63bf709866e1a9937897ca529138de319c58ca5dc66eb913ae14f8d6df013bd200ae6c860

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c7bfef14203ede697e6f09d1c779b2c7

SHA1
bdca709a8e75b8838d430435386e817d78648c89

SHA256
0a29575469d9d749cdb8194a3b0da76a15abcdabda56c1624e103f15484d99ba

SHA512
e62770f611be95cf9c6136ce66586c437d68da08fc209433a4ae9e9ae59466b605b4065fbdc5585b8f9f778b13397ffef6a54e63f58ab8ce3e7e93dbe4898f87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9362c06206fabe931b66bf767a95240a

SHA1
83c3a07aee4bf4f80e7e6dc9769c42b461ada42b

SHA256
ee51214dc33a0ad862bc0a12213817b4c473b2557ed5803f12fec7e439e081d7

SHA512
2c19fc6a436d01f11c1e061fb53a04f0e8ae63291976fcb5962a7e764179adb9af30e83088f757c4f85ff171c569f5264e2fc145735142ba1b0cb4f2a83dae77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
745fe3fcbf64ac8743eef174f25fc5df

SHA1
45c8a329f01f029c53fa4a4874dd307349e73695

SHA256
22878bdd678f2ca8d22101beab150061e0e784dd817d17dee4b4144956085774

SHA512
90c855d9866f53d95d4afc25771658fc847cf8333ca791534827319820b84f03bdc1ab62317feef666586317e8f13f4306a8d30333693d50fb5574146ecbb252

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
5d777426a803d9315aa493374f09091e

SHA1
63dac4ebb636d698e64447afb21923542b896b16

SHA256
8ab1fe138e002ba36b6e1235cf006863eaa99ddff4fdc2b1a42654da167ae8bd

SHA512
6d03a56258435f923df2df4a322749d7ff1eebd400fbf25cd93bf5c48180e59408af9052236d6fd66a3efc68adf7598e11abdf7bb1244f48c31d85fc61c0126f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08ecaeae63fa1ed93f0f4c5167d4b22d

SHA1
5b922fd80fe0630ead155528115e294cb48cc747

SHA256
12723579a51c6cd37f212851b23681842b1d9e968876d5ec724a414f99ebc868

SHA512
350a619a5fff37fe2561fe7d1cbd2833eea558ae242a20184124307034a47454c7a7b45307759b6e500a4eec4e363a6c061a6bce66063562f8c764a65a107344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
043c7424cbec509687f0e831c6f70826

SHA1
e5ccf78eaa41c4254173861912752e958ff4d455

SHA256
36d40cd503a44bc48bcc3624b0482580e55774e97ed3960c8ecd0558d26c0ffe

SHA512
caedecc4bc7a7cb793b178bb85eb6499cd79d72206c673f2614e82efe78e86600f6a71c42ab4dbdc3809181aa91fd617381db6913e0b01ee5e063062ea1e7849

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a94241ab329465e8b2e680e29a4a117d

SHA1
1abb2ebaa3514d81a1d8af50e762d6b1d81561c6

SHA256
8a547cd9c54af83505c8f65adaec7374e9592e85bbbaf4fc3d5e12cac48ce7c0

SHA512
51cafd175e7a8fcd437cb52c299c2154225a3350f2a2e34320519f5ffc04ae037e577e2b06760e044c7f64fd512805f0d44495a9ab07c084abca3268bdd915da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56135bac3066db0716a8c028b4bde3a8

SHA1
7ee7cf36dc65e03971d5efaa8470ff874cf9dbae

SHA256
36e1a72fe05f435a2e18d57198d3122f2fd04321467504692e44de41452e1dd1

SHA512
330a0417981c89eca1489c4cdf6d168e476f3b022db865810bc8719a55af2176e9cd13bf916d5f011c8b167dfc1da514a4b5d18fb0a96b8db75079154b285d65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86031d8c58ecbfb0335b14a3d1fe251a

SHA1
36fb0918a9e0fc716f7d4fa6b1486e01801ba3e7

SHA256
7b352e32dd5ac7370628ee01d2ec3f5732dcdb620bac7ad800e78b8a8716508f

SHA512
d16549a2785ce286ad1c340d60630b4d1b8190be50646d1a918d3f1451f8d65ccdd2799d88dbb39f33778a49e9b9b631167a56c2daee27a8dc3007621cd311d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
99d5d7337ec2fba935451a281cfe5398

SHA1
5c6be40f6a7f1d483887661a0c50dc7b2255e6c6

SHA256
3b1f7c7ac99557b0625489bc7e7b5b19006ddd3181da15f8c563ef4c010fc9ea

SHA512
6049c818b1d8107adf69b42a9c36427f97e2ec91a7e553d0e8da7b2d44d975202b7c22a1005c13b9e7a4565821098d9ea45e544c7fdfab528c50a688b6f1cf1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7ff5188092ddbe76c6ad111a0d18673b

SHA1
b4dc7f8418c33c694782afef0948588b9a3b6202

SHA256
6121a442f00d39594f8c50bce55fbd37e38b6e2e02dd433878b168a83b1372e3

SHA512
cbf156dfabc3cfc4f3d445375e0cc596d3c4813cde37d7ff6d65800f1f624602fea9b6b14fc9742668cef4496db17f6c77456d7676b6a35f77d858bbbf2f6109

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2ffe3da9e79c8f27317adfbe91d78cef

SHA1
69ec20fb72e4f4d0cd5295373edde3cadd8ba841

SHA256
237f257a7ced9998771bf4c14a570eab356cd440e4520389c51c1e5590a33e04

SHA512
4445bc87284fbba7fb69e42d7a4b6f1431468b2e7ae6990e5cced4491de9131d7a7a3c360d2905da62b930c676e8df754e0787bcd90122debf6f743e8f7cbc98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb0ff8260a36916c7061f1f1bcc5f5e1

SHA1
a0059b35ded3c1bcbf90923c64d4e0e301b2122e

SHA256
b9e266ec69d4ddd7fe584d727efc2d9f36834c60c50e9fcecaa7edb062f4dc2d

SHA512
dcc4731ed6d08b8522b092d36c592d622656fd93cadb673dfacaf1d61807dd25e516b6ddf902c7f469be543215f17cc803889618045e36e1fe73be5c28c58372

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9e4db1515fcd5296be56f7902d940da8

SHA1
084a2c4713c5f39ef913b6e36f14458b65b820e6

SHA256
05b05e60b560b4b66c4e1f99433b6441cf2ffb6630d18ee3b998db67ee1ef731

SHA512
3f9fdd641660aa2eb8d3cd61ea8728e9d1ff92ae9cbb6f7692ed16460427a4cca290b59315609250f8fbfcf7a1af87ee73fd7b2414dbaafecd2e3dee29591cc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
da25da217989595c46b715f86aeac1e7

SHA1
9125047a5bf755341be9e32308539e130a03e733

SHA256
22dd9a6c280b41efc5bc0c6df4bdcbb655cba4ee7b8e85a5917bfc9b3038b4f1

SHA512
afbd4e01e7204f1e7de7314bc9dc7895cd51c0822b31e8ae8a5d06c2bb7378b2be282409f4ab5294c622b06a4183f5e3a26b249a85be75b9e46b7575990b2b5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\b42ab3aa-5f9c-4f15-b217-a247ba03ad1d.tmp

Filesize
9KB

MD5
6c80738f49297c8cc4a9bc19e9eabbeb

SHA1
5731e6d5078e131316ffd19e087fd9d395cd10f0

SHA256
9a0e3de6efeabd37dc35f329e4f550b11106ba1408e574eb38680153eb18d8d7

SHA512
6c3cde572faca97ae9038441c0a71351c88c1f32658d53aca2796f131e28680e245c9eb562219f64549e8c030f1e3e0ee647faf273c3af8e78f8718cbff32909

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ca07cdf6-73dd-434a-9e68-c665b77659b1.tmp

Filesize
9KB

MD5
d1c605d53ce723bcf26904c3cd625cbb

SHA1
2e872b07953d6a3c7af78533d88ae4521f977e3d

SHA256
88b823639cf083bbf88ffe171d5c128ab0536a66e3cab19b3bca384a2a5207fe

SHA512
98ad7da35374f08d8ef288271fad7f92b06602ad22d065f2549733dd5aebe31c1309b9051440b1e9159e9421369335c8cfbf5d5d3e2f8b31981a72eae59fb2bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
d681c3a34a4927dfbd12fe5f64a3676f

SHA1
0c9409cc69bbf5b47a25ead2d00717ee77187591

SHA256
98f5b0b1d9453ba3166a51d1cbc7027bc4b245f506234389d3059c530b1f1dae

SHA512
07e132173f7ebebe64d1e773ccb348eb0a3c1cac9aff52ea9bbbb5012e70bb2171231835523f9b382283a269e35c78e4f8c7bf13ebb5ea951f6af3052b4c17a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
35ddb0503b1324059af395edf7c6120d

SHA1
a64498c56a357ef9956378f4636192e1879d40d7

SHA256
cb48c16c913ab79d5144ff6c6accb054624e3c7fceb8a8560522c33778c31fe9

SHA512
b3e378751029258627b18f7cd998524b6497e89dad09d0dc852dad28738734156600988af0120c9be42b5a027924436a3ced7209bc926e679aebfecfc95d7ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
9bbfe11735bac43a2ed1be18d0655fe2

SHA1
61141928bb248fd6e9cd5084a9db05a9b980fb3a

SHA256
549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74

SHA512
a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483

Download Submit
C:\Users\Admin\Downloads\יישום הזמנה מקוונת.zip.crdownload

Filesize
2.6MB

MD5
d6547a4a2112d04db9ad2036e82b4505

SHA1
a5f2b967b8175f9eed0a27a0cc746218a5fa2637

SHA256
090de75b51dc027660710e168c516fa0507e30fcf98d4ea2790395e9ab5110ab

SHA512
27659fea5fe9841e7338d41fc05fe640419b6ade274f4442ba24952bd96555b94c488f4d80806106401c2b8a06760bf562833e122fbb587d95e2c95e95ea7099

Download Submit
C:\Windows\Installer\MSI5687.tmp

Filesize
509KB

MD5
88d29734f37bdcffd202eafcdd082f9d

SHA1
823b40d05a1cab06b857ed87451bf683fdd56a5e

SHA256
87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

SHA512
1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

Download Submit
C:\Windows\Installer\MSI5687.tmp-\AlphaControlAgentInstallation.dll

Filesize
25KB

MD5
aa1b9c5c685173fad2dabebeb3171f01

SHA1
ed756b1760e563ce888276ff248c734b7dd851fb

SHA256
e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

SHA512
d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

Download Submit
C:\Windows\Installer\MSI5687.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
C:\Windows\Installer\MSI5A70.tmp-\CustomAction.config

Filesize
1KB

MD5
bc17e956cde8dd5425f2b2a68ed919f8

SHA1
5e3736331e9e2f6bf851e3355f31006ccd8caa99

SHA256
e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

SHA512
02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

Download Submit
C:\Windows\Installer\MSI5A70.tmp-\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Windows\Installer\MSI60DC.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\e5855db.msi

Filesize
2.9MB

MD5
37d7404f46d43eac22991c947cc7b1f0

SHA1
abcc8525564e8264b539d685e826f957c12ef70d

SHA256
06ffaabe4a1829177f078d1e6ad6bbc6af79d16729abcc8a21e4ec854448bb3d

SHA512
17ba13c5306b76f41bf3467dd59d0de54c052789750efcf23f7e674f027fb53ccd1a1e5749be035f9a2c77dc8945ccc24444d20a838055daad611c578828263c

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
404B

MD5
8780381bd5b63ca95427224d92cbe9e6

SHA1
b898841650c2db29bf4c9abdede9210307e3d775

SHA256
cdb15125375f9c72c884b9c1ff1b66eecbdce6d287ad4a8ee0d2dabef638f28d

SHA512
4f9988fdfc60decccb2013accb582bbbae411e3b8f16d8f07ae29f1d525ab073cf7c93c0d6e754da02710c6652cc130f515213986bb2834a6b027aa4911e7291

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
86b103853eaf88a6d4e978bd81d1c2cb

SHA1
fb7629b88ee88313245ae2078c818cfe34036f9a

SHA256
38ea1a04bc3851c3f5d0b70e37e4c52c3511951b7d03b6ac00ab38ad455c946d

SHA512
e21d16bdf7e926a6794812ca97fc033b6bde83a271fcbf757ea85f0ecb394bf3013e2f9a910f13388afb5f5d951a91dab973230cd4e2825b5917ef5d48459c80

Download Submit
\??\pipe\crashpad_1516_ETPQCEKKILRUJABP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1532-212-0x00000000055A0000-0x00000000055AC000-memory.dmp

Filesize
48KB

Download
memory/1532-208-0x00000000055B0000-0x00000000055DE000-memory.dmp

Filesize
184KB

Download
memory/2856-318-0x00000215FC720000-0x00000215FC748000-memory.dmp

Filesize
160KB

Download
memory/2856-330-0x00000215FEDD0000-0x00000215FEE68000-memory.dmp

Filesize
608KB

Download
memory/2856-334-0x00000215FE2E0000-0x00000215FE2F2000-memory.dmp

Filesize
72KB

Download
memory/2856-335-0x00000215FE370000-0x00000215FE3AC000-memory.dmp

Filesize
240KB

Download
memory/3044-363-0x0000020BC9940000-0x0000020BC99F2000-memory.dmp

Filesize
712KB

Download
memory/3044-367-0x0000020BC98B0000-0x0000020BC98D2000-memory.dmp

Filesize
136KB

Download
memory/3044-413-0x0000020BC9E80000-0x0000020BC9EB8000-memory.dmp

Filesize
224KB

Download
memory/3620-245-0x0000000004CA0000-0x0000000004D52000-memory.dmp

Filesize
712KB

Download
memory/3620-248-0x0000000002860000-0x0000000002882000-memory.dmp

Filesize
136KB

Download
memory/3620-249-0x0000000004D60000-0x00000000050B4000-memory.dmp

Filesize
3.3MB

Download
memory/4564-280-0x0000000002EF0000-0x0000000002F56000-memory.dmp

Filesize
408KB

Download
memory/5540-441-0x0000026A80B90000-0x0000026A80BAC000-memory.dmp

Filesize
112KB

Download
memory/5540-439-0x0000026A80300000-0x0000026A80330000-memory.dmp

Filesize
192KB

Download
memory/5540-440-0x0000026A99430000-0x0000026A994E0000-memory.dmp

Filesize
704KB

Download
memory/5996-487-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-480-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-478-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-479-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-485-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-486-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-484-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-534-0x000001D04B160000-0x000001D04B170000-memory.dmp

Filesize
64KB

Download
memory/5996-488-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-489-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-490-0x000001D0497F0000-0x000001D0497F1000-memory.dmp

Filesize
4KB

Download
memory/5996-528-0x000001D04B100000-0x000001D04B110000-memory.dmp

Filesize
64KB

Download