ateraagent | b285c120bd2b619c4326334f48a3b02696c4b9b54ed44027f9b8b99ef52bbef5

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b285c120bd2b619c4326334f48a3b02696c4b9b54ed44027f9b8b99ef52bbef5.msi
Size

2.9MB
MD5

b03c2dc066f3726de8e77d626be0b08e
SHA1

94c9a919f59ea07c160dec604e7a3b80455df6df
SHA256

b285c120bd2b619c4326334f48a3b02696c4b9b54ed44027f9b8b99ef52bbef5
SHA512

e118086e2368872e019717cc1c92ac929425de22d8eda1866c7b910427c6e1655c8e6df9fb9d6203f0da6b9365506d08d69f08c09da463881dbd600369f55ec9
SSDEEP

49152:T+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:T+lUlz9FKbsodq0YaH7ZPxMb8tT

Score

10^/10

ateraagent discovery persistence privilege_escalation rat

Malware Config

Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.
rat ateraagent
Ateraagent family
ateraagent

Detects AteraAgent 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x0031000000017021-424.dat	family_ateraagent

Blocklisted process makes network request 7 IoCs

Processes:

msiexec.exerundll32.exerundll32.exe

flow	pid	Process
3	2340	msiexec.exe
5	2340	msiexec.exe
7	2340	msiexec.exe
11	2056	rundll32.exe
13	2056	rundll32.exe
21	1496	rundll32.exe
24	1496	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in System32 directory 13 IoCs

Processes:

AteraAgent.exeAteraAgent.exe

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	AteraAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

Processes:

msiexec.exeAteraAgent.exeAteraAgent.exe

description	ioc	Process
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe

Drops file in Windows directory 37 IoCs

Processes:

DrvInst.exerundll32.exerundll32.exemsiexec.exerundll32.exerundll32.exe

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI8D05.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIB7B6.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIABBE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABBE.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIADE4.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f768c67.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD45.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAD55.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f768c68.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D05.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D05.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8D05.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8D05.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIABBE.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIABBE.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\f768c68.ipi	msiexec.exe
File created	C:\Windows\Installer\f768c67.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIABBE.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8F48.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8F48.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\f768c6a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7B6.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8D05.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8F48.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8F48.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIABBE.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIB7B6.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIB7B6.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIB7B6.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI8F48.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8F48.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIAE52.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

Processes:

AteraAgent.exeAteraAgent.exe

pid	Process
2704	AteraAgent.exe
2476	AteraAgent.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
1640	sc.exe

Loads dropped DLL 35 IoCs

Processes:

MsiExec.exerundll32.exerundll32.exerundll32.exeMsiExec.exerundll32.exe

pid	Process
2780	MsiExec.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
1512	rundll32.exe
2780	MsiExec.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2056	rundll32.exe
2780	MsiExec.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2780	MsiExec.exe
1992	MsiExec.exe
1992	MsiExec.exe
2780	MsiExec.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe
1496	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
2340	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

NET.exenet1.exeMsiExec.exerundll32.exeMsiExec.exerundll32.exerundll32.exerundll32.exeTaskKill.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe

Kills process with taskkill 1 IoCs

evasion

Processes:

TaskKill.exe

pid	Process
2572	TaskKill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

AteraAgent.exeAteraAgent.exeDrvInst.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "b285c120bd2b619c4326334f48a3b02696c4b9b54ed44027f9b8b99ef52bbef5.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

AteraAgent.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

msiexec.exeAteraAgent.exe

pid	Process
2500	msiexec.exe
2500	msiexec.exe
2476	AteraAgent.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exerundll32.exe

description	pid	Process
Token: SeShutdownPrivilege	2340	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeSecurityPrivilege	2500	msiexec.exe
Token: SeCreateTokenPrivilege	2340	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2340	msiexec.exe
Token: SeLockMemoryPrivilege	2340	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2340	msiexec.exe
Token: SeMachineAccountPrivilege	2340	msiexec.exe
Token: SeTcbPrivilege	2340	msiexec.exe
Token: SeSecurityPrivilege	2340	msiexec.exe
Token: SeTakeOwnershipPrivilege	2340	msiexec.exe
Token: SeLoadDriverPrivilege	2340	msiexec.exe
Token: SeSystemProfilePrivilege	2340	msiexec.exe
Token: SeSystemtimePrivilege	2340	msiexec.exe
Token: SeProfSingleProcessPrivilege	2340	msiexec.exe
Token: SeIncBasePriorityPrivilege	2340	msiexec.exe
Token: SeCreatePagefilePrivilege	2340	msiexec.exe
Token: SeCreatePermanentPrivilege	2340	msiexec.exe
Token: SeBackupPrivilege	2340	msiexec.exe
Token: SeRestorePrivilege	2340	msiexec.exe
Token: SeShutdownPrivilege	2340	msiexec.exe
Token: SeDebugPrivilege	2340	msiexec.exe
Token: SeAuditPrivilege	2340	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2340	msiexec.exe
Token: SeChangeNotifyPrivilege	2340	msiexec.exe
Token: SeRemoteShutdownPrivilege	2340	msiexec.exe
Token: SeUndockPrivilege	2340	msiexec.exe
Token: SeSyncAgentPrivilege	2340	msiexec.exe
Token: SeEnableDelegationPrivilege	2340	msiexec.exe
Token: SeManageVolumePrivilege	2340	msiexec.exe
Token: SeImpersonatePrivilege	2340	msiexec.exe
Token: SeCreateGlobalPrivilege	2340	msiexec.exe
Token: SeBackupPrivilege	480	vssvc.exe
Token: SeRestorePrivilege	480	vssvc.exe
Token: SeAuditPrivilege	480	vssvc.exe
Token: SeBackupPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2120	DrvInst.exe
Token: SeRestorePrivilege	2120	DrvInst.exe
Token: SeRestorePrivilege	2120	DrvInst.exe
Token: SeRestorePrivilege	2120	DrvInst.exe
Token: SeRestorePrivilege	2120	DrvInst.exe
Token: SeRestorePrivilege	2120	DrvInst.exe
Token: SeRestorePrivilege	2120	DrvInst.exe
Token: SeLoadDriverPrivilege	2120	DrvInst.exe
Token: SeLoadDriverPrivilege	2120	DrvInst.exe
Token: SeLoadDriverPrivilege	2120	DrvInst.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeDebugPrivilege	2056	rundll32.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe
Token: SeRestorePrivilege	2500	msiexec.exe
Token: SeTakeOwnershipPrivilege	2500	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
2340	msiexec.exe
2340	msiexec.exe

Suspicious use of WriteProcessMemory 60 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeNET.exeAteraAgent.exe

description	pid	Process	procid_target
PID 2500 wrote to memory of 2780	2500	msiexec.exe	34
PID 2500 wrote to memory of 2780	2500	msiexec.exe	34
PID 2500 wrote to memory of 2780	2500	msiexec.exe	34
PID 2500 wrote to memory of 2780	2500	msiexec.exe	34
PID 2500 wrote to memory of 2780	2500	msiexec.exe	34
PID 2500 wrote to memory of 2780	2500	msiexec.exe	34
PID 2500 wrote to memory of 2780	2500	msiexec.exe	34
PID 2780 wrote to memory of 1512	2780	MsiExec.exe	35
PID 2780 wrote to memory of 1512	2780	MsiExec.exe	35
PID 2780 wrote to memory of 1512	2780	MsiExec.exe	35
PID 2780 wrote to memory of 1512	2780	MsiExec.exe	35
PID 2780 wrote to memory of 1512	2780	MsiExec.exe	35
PID 2780 wrote to memory of 1512	2780	MsiExec.exe	35
PID 2780 wrote to memory of 1512	2780	MsiExec.exe	35
PID 2780 wrote to memory of 2056	2780	MsiExec.exe	36
PID 2780 wrote to memory of 2056	2780	MsiExec.exe	36
PID 2780 wrote to memory of 2056	2780	MsiExec.exe	36
PID 2780 wrote to memory of 2056	2780	MsiExec.exe	36
PID 2780 wrote to memory of 2056	2780	MsiExec.exe	36
PID 2780 wrote to memory of 2056	2780	MsiExec.exe	36
PID 2780 wrote to memory of 2056	2780	MsiExec.exe	36
PID 2780 wrote to memory of 2628	2780	MsiExec.exe	37
PID 2780 wrote to memory of 2628	2780	MsiExec.exe	37
PID 2780 wrote to memory of 2628	2780	MsiExec.exe	37
PID 2780 wrote to memory of 2628	2780	MsiExec.exe	37
PID 2780 wrote to memory of 2628	2780	MsiExec.exe	37
PID 2780 wrote to memory of 2628	2780	MsiExec.exe	37
PID 2780 wrote to memory of 2628	2780	MsiExec.exe	37
PID 2500 wrote to memory of 1992	2500	msiexec.exe	39
PID 2500 wrote to memory of 1992	2500	msiexec.exe	39
PID 2500 wrote to memory of 1992	2500	msiexec.exe	39
PID 2500 wrote to memory of 1992	2500	msiexec.exe	39
PID 2500 wrote to memory of 1992	2500	msiexec.exe	39
PID 2500 wrote to memory of 1992	2500	msiexec.exe	39
PID 2500 wrote to memory of 1992	2500	msiexec.exe	39
PID 1992 wrote to memory of 1632	1992	MsiExec.exe	40
PID 1992 wrote to memory of 1632	1992	MsiExec.exe	40
PID 1992 wrote to memory of 1632	1992	MsiExec.exe	40
PID 1992 wrote to memory of 1632	1992	MsiExec.exe	40
PID 1632 wrote to memory of 1372	1632	NET.exe	42
PID 1632 wrote to memory of 1372	1632	NET.exe	42
PID 1632 wrote to memory of 1372	1632	NET.exe	42
PID 1632 wrote to memory of 1372	1632	NET.exe	42
PID 1992 wrote to memory of 2572	1992	MsiExec.exe	43
PID 1992 wrote to memory of 2572	1992	MsiExec.exe	43
PID 1992 wrote to memory of 2572	1992	MsiExec.exe	43
PID 1992 wrote to memory of 2572	1992	MsiExec.exe	43
PID 2500 wrote to memory of 2704	2500	msiexec.exe	45
PID 2500 wrote to memory of 2704	2500	msiexec.exe	45
PID 2500 wrote to memory of 2704	2500	msiexec.exe	45
PID 2780 wrote to memory of 1496	2780	MsiExec.exe	47
PID 2780 wrote to memory of 1496	2780	MsiExec.exe	47
PID 2780 wrote to memory of 1496	2780	MsiExec.exe	47
PID 2780 wrote to memory of 1496	2780	MsiExec.exe	47
PID 2780 wrote to memory of 1496	2780	MsiExec.exe	47
PID 2780 wrote to memory of 1496	2780	MsiExec.exe	47
PID 2780 wrote to memory of 1496	2780	MsiExec.exe	47
PID 2476 wrote to memory of 1640	2476	AteraAgent.exe	48
PID 2476 wrote to memory of 1640	2476	AteraAgent.exe	48
PID 2476 wrote to memory of 1640	2476	AteraAgent.exe	48

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b285c120bd2b619c4326334f48a3b02696c4b9b54ed44027f9b8b99ef52bbef5.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86F1C7A5F3D9A399276E9634A1FCB1B6
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI8D05.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259427681 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1512
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI8F48.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259428180 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2056
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIABBE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259435465 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2628
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIB7B6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259438507 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1496
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91A18621A418D9B22EE189C2C2B6A432 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1992
- - C:\Windows\syswow64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1632
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:1372
- - C:\Windows\syswow64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2572
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Kc2ZxIAJ" /AgentId="18217d4d-02c7-49b1-bb3c-03870b44f1af"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2704

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:480

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C4" "0000000000000580"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f768c69.rbs

Filesize
8KB

MD5
e5d34c0ce62eb2c2f015e51bf59d3b86

SHA1
da6f4fb0e450b4d4941ce1cc31ce949e1fabd88b

SHA256
0fc98eff75276d7989e99691c63c166550ca8ceec0ec49edb279d468393e20cc

SHA512
5f686df4db8d14fcf2bc807ab7805745d2824ac442fe6beceb8ea9a85ad8dcfda655e64650e29913b8e1fbf57a3391ca19a7264fcbfc823b93a622ed6d1b014f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
142KB

MD5
477293f80461713d51a98a24023d45e8

SHA1
e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

SHA256
a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

SHA512
23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
2c4d25b7fbd1adfd4471052fa482af72

SHA1
fd6cd773d241b581e3c856f9e6cd06cb31a01407

SHA256
2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7

SHA512
f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
17d74c03b6bcbcd88b46fcc58fc79a0d

SHA1
bc0316e11c119806907c058d62513eb8ce32288c

SHA256
13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

SHA512
f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
208B

MD5
49876123d454b16405cd69a6764d2e28

SHA1
7557c497049ffc7f3da1125de81d627c17da36e7

SHA256
a7544b78e664a71540427aab8ab46e57b2562e357c9b5eb9d5afa52f000f0251

SHA512
07068a1719c6880bb4b336a070c5dc798b5a5a39c2991f6cd571adb21d36b67b1f5b052e410c52d4164579a6224874dd7fbcc53a176193fe3e8617a66ba6b466

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
441a4996e2ee86c4b588d8c0d407e7c2

SHA1
0987d79eaecf4afad0e5c6f7bd9bd0a90ceabbd4

SHA256
300cfa12d5560f2b04e870fe42e15b6a2007e8f53e4ce1329bd506382075e657

SHA512
8d6d5bd1ea7baafeb8ca750ce112ed7fad1477e1deef34994a145893eed217d1a9990a52d76790f8c00484378778504626e5c6a5f5193b8da661afdbd62600b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
727B

MD5
34699602d75b10dbce241a132696577b

SHA1
25fceec0af670956baf529a601c7763b9aef5255

SHA256
27322120c7f1a140b6351735b767a9af123735c6b16b6deb09cf6845d7e4ca91

SHA512
bd768818e61a4d19f5ea3522e1868f3e3f02f2d615d597010f761d435b98c5a7411ff5a659acd4f52be79e31a5bd8a34ebe958f273913789c59d13b9e545baf0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
77dc165607ca29cc17a6cb8886ddee1d

SHA1
b3d53dc9f033a30f4ab5dbe1aceabf5bd1bae9ff

SHA256
180c329dcd3274d56c35604379c04599ac94a373aec5dcd1525f21cdc178f757

SHA512
ebfeea3c9f349769fc6aedcdaa0951901470b162b07581d0e48ccef7d76c576ac6bb1ae2fc915469102650edb745f3e7fbe64a07498a169462cf0000fd9b54bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
5831501c0eaf4598a4d6a09cdcf4feb8

SHA1
8ec16846e4dc1e35f700d7cb38eec8591458ac65

SHA256
8b2c47caf0a6d8bea7fe24ba0daabadf11361eeaf56a0e081aed439eb387270b

SHA512
ff1cf143131580443c8165afc2136a4041263bdd9409e5f8c6187c2edabceffef81fe8bc582d8f63421421c9737d3438f69ad987d243ebb3e821a74e91c84c84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
404B

MD5
c65e8e244c79d884509db0e2b64df64b

SHA1
61cd10fe6481cf988dc145021f971c84cac1abe7

SHA256
77bd87b1bfd78faa5dd402b90d06457fe742c8fa163c717ac264ed1189562f53

SHA512
695285cc012e551539728c01a70024c5219c41b376d5a0bf8ec99b23492992349aa16225b73135016d3272e8e51aa026d1b3ae5bbc65bb635b44e6547f1e8fb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0d36377f77017c41c200ec9eeb55467

SHA1
be5a20da5c426f1d1f05476667733b161676bebb

SHA256
0874a0a7b7e63cc1638b7c56f8b90441897d9cbdf0bd6486fef970efde589397

SHA512
726f3f41eefa78a9bbc0c49111c3a26e28408f68ef7115b7024e62b056dd3422a0dc521142063030be096d485ecbfc29da0e3424e035e2b593c4a6746fab539e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
b1016e471df88b6365d91b8b193e4b00

SHA1
e423840ac3e7e0c5391ed2115e5b5885a36158e0

SHA256
4f77e281fd56adaeaaf2eff136ddc3afe53c7b8dc725f429d59b0fc111a41927

SHA512
db2ea7464dad58da822bfae6780638017decd6e493712d7945437cb76a37d83a271004f6e4dc3c34d029392cadc4770e8ad80de24942c9bd78c41309be16396b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6F68.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar70D2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSI8F48.tmp-\CustomAction.config

Filesize
1KB

MD5
bc17e956cde8dd5425f2b2a68ed919f8

SHA1
5e3736331e9e2f6bf851e3355f31006ccd8caa99

SHA256
e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

SHA512
02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

Download Submit
C:\Windows\Installer\f768c67.msi

Filesize
2.9MB

MD5
b03c2dc066f3726de8e77d626be0b08e

SHA1
94c9a919f59ea07c160dec604e7a3b80455df6df

SHA256
b285c120bd2b619c4326334f48a3b02696c4b9b54ed44027f9b8b99ef52bbef5

SHA512
e118086e2368872e019717cc1c92ac929425de22d8eda1866c7b910427c6e1655c8e6df9fb9d6203f0da6b9365506d08d69f08c09da463881dbd600369f55ec9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
0ee9ea3b86990d03836caf4bf59be622

SHA1
edb58e963f196f36e72c67eaf1cf20b35c9b0645

SHA256
f1e32cd3072c498ff3a9af0573246076a445fc070a6f1fba002dabadc7886130

SHA512
211e3769a8685fe77b187b606d0c1df74576a24c19a3b43c7d64a8e27cddea5a68cc73d92f25edd7fcdca20102f3d5565bcc42dcfb86a0d4a0e8c44941ec2f25

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd4614cc29e7adca3f6778ece9884d73

SHA1
830860f0a21d01a3520ede03d3342b664ebceda1

SHA256
647cd95e78332dabb0b776ccebade02cfa35af2acd4368df8e65427bc16a0006

SHA512
a69c4334e71c0cd009b7c4400dc19f378734b097a7b795c441a69456564fe393b93f5f84dfee345bb649e9f4db1d12db1d8b4339f25eb64546a8df120a34e709

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d57530ab536c822ee51097df47537fb8

SHA1
928e7bc1f769e923b5ed67a1d9cfbaddb6cf59b4

SHA256
b03a01bad70e6cc9a9dfa60c72a964cd2f1e4ec1cae8f6804b34fcc3edb412a0

SHA512
90fca6484cdcba63d083100e0fa9af2b6e89814bbc563537f8a1c4511946ab19a5e4d97263e047f748dfa97d4f4caacf0f6ee23bf4ca883fd7df9801145bd8bd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19e089cc46db93871b827c8f4b6a06ea

SHA1
1b8536712a9be512ea3745ff7cd2697907dda83b

SHA256
02cd8c9879f9f3e5b1c440beb7726c09988ec7baf5c5b7e0971ccf329eff4eec

SHA512
6238cf4eddd573c004d81a254ab0a95a966f32fd4c41299dc110ef130c9e3b24092365de1b0e81976f2a47332fc3b9cdaaa5486bfed6b48741b13abbd847cc1a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07ebf66cb2a09d07bcb31dc36eca3472

SHA1
f964d27a661654353353caea837a3eb149f9fc88

SHA256
5f45672780c9532f33a8644a2555bd64d05be45cd8528bb240a88040da05017a

SHA512
18da2ec1c481d72a2f984a8049f412b6bdbdd79de2c94ff105811a8355ccb3a82900483431848cb467c11b9c133ac0b18826ad7b6cbbce8ad49e20a7fa834d0e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a444b613f41150a161f1259958473f09

SHA1
855cd586d90e777d5ffd70160919cee3b913af58

SHA256
32332810b3ec3ea708b5b0fff92392153d543f5ca250af368bdc60001ebdc53d

SHA512
46b0a313cab45d43db22119e8677e815b5c459c5e71c43b6876d43e190fd6c31e203adc5943650bbf7ede55383910b49ae36b2db5cf5c23f59f025805369f44b

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0c49f67cf1465179e81ec35e0620d3b7

SHA1
060bbe91ff5351120a9ce7d1f9df7a2f96bbbd31

SHA256
efbe1b57d80633a5edde2a88a1dac708d3abd7fc60cda563f8437743f6d67755

SHA512
160f3d41a0aa0e91bd9f13e575edbb841c9a44210e7edb3092f77ea347e5e96c1059759cef400c1f2ef92ab4951dfd6ef623d8f158c4b331904c4ba9d0e67a01

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
851aecd13554246600022e15a4552d13

SHA1
1bd05365fc70f6e3bca1891ff812fce6d9d0813a

SHA256
d020eac1697c11b82fcbc83204a23292c08dca3975090bd710610d40e39bfdf9

SHA512
37426facde4695f936dab93593803c0541893e61a235849faea81fdb43ef312dbf033f983ab6c0f75a3ba947eeb01b8bb502af59d957c4b6300c0b76111be3ff

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d856a044fdcb58b7eadb4ce7c24960af

SHA1
e8dad6de87a5a1bc625dc0d052a9f220159d1c1d

SHA256
4f9539b8a3f5887ceb4c082c07b542a654d74698b6022b94c86ad42d9f2cacb3

SHA512
0a96e3b92b4ee7af3a7a69db568b97de427ecbc09731e02c055639397cd8a9549c64752e6bae0fbe7f581e34b0c3c51b00c368983b41305995f5e95f21178656

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a7a3b4849965211bc0fac299adec56f

SHA1
1054ebadbff8737faa8baea3c31ca03bc9489c0b

SHA256
203ffe5d687181a708c93233ce43eb48b1d135582b646a2607030b2027fa370e

SHA512
2f2eab318ed701f4c279abeed2876da91d53582becf1cc5a72b4d0f2477155a017bda8e6f87438567459d3524df99c602e2e2f72c0f942d71666a46a3411ad30

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d267085f062bfcf8a282453e5af082b

SHA1
736e365fa7f169ecd82d35671323518c8bb6fc21

SHA256
3861614dbd153d55945de774ec7b279d8af823886a757dfa74b50ba50be868fd

SHA512
2dc24582348ec65146df4dc26db43b82dcc4b0cc4f029c95289cb9dcbdaa2bf4bb18fcfbddeea9d39c19be64eacca946d31174a87327d3e4baca4d4945c3d552

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
4fe3fd44ef2306d182930bb02204937c

SHA1
548b32c67e448171ab0c31666803f4a5ebb045e3

SHA256
31966f1788bbd7889300b8c73ee2e5fa9a7c69bf078c0fcd93d2f3429b97e997

SHA512
77fe527070fccfbeb1a15ad8a0e39df07662208233f363958de7c4249afafff92384d9d5522a2713230bfdaf347b1f3f8508e6d92e1aeb0c068e3bc9b3c34a87

Download Submit
C:\Windows\Temp\CabC68A.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\TarC69C.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Windows\Installer\MSI8D05.tmp

Filesize
509KB

MD5
88d29734f37bdcffd202eafcdd082f9d

SHA1
823b40d05a1cab06b857ed87451bf683fdd56a5e

SHA256
87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

SHA512
1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

Download Submit
\Windows\Installer\MSI8D05.tmp-\AlphaControlAgentInstallation.dll

Filesize
25KB

MD5
aa1b9c5c685173fad2dabebeb3171f01

SHA1
ed756b1760e563ce888276ff248c734b7dd851fb

SHA256
e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

SHA512
d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

Download Submit
\Windows\Installer\MSI8D05.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
\Windows\Installer\MSI8F48.tmp-\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
\Windows\Installer\MSIAD55.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/1496-281-0x0000000004990000-0x0000000004A42000-memory.dmp

Filesize
712KB

Download
memory/1496-277-0x0000000002100000-0x000000000210C000-memory.dmp

Filesize
48KB

Download
memory/1496-273-0x0000000001F90000-0x0000000001FBE000-memory.dmp

Filesize
184KB

Download
memory/1512-76-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1512-72-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/2056-104-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2056-108-0x0000000004CC0000-0x0000000004D72000-memory.dmp

Filesize
712KB

Download
memory/2056-100-0x0000000000510000-0x000000000053E000-memory.dmp

Filesize
184KB

Download
memory/2476-268-0x000000001AE60000-0x000000001AF12000-memory.dmp

Filesize
712KB

Download
memory/2704-213-0x00000000004C0000-0x0000000000558000-memory.dmp

Filesize
608KB

Download
memory/2704-201-0x0000000000D90000-0x0000000000DB8000-memory.dmp

Filesize
160KB

Download