Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
20/01/2025, 18:01
Behavioral task
behavioral1
Sample
z1eCAC2025.msi
Resource
win7-20240729-en
Behavioral task
behavioral2
Sample
z1eCAC2025.msi
Resource
win10v2004-20241007-en
General
-
Target
z1eCAC2025.msi
-
Size
2.9MB
-
MD5
30c87bf81a6b9da8c2d2196d4471f056
-
SHA1
a8c45bd3cb66256a07ba8c4047aa88db5c72c50b
-
SHA256
40c90476979303f54df8bf6ac6ba10a252623cf18519b492b77d8988cb6bd216
-
SHA512
066c4c9922994259cdb62d9cbc21fa6e63b1c765a18a1c4e94b1741e60b580ddb132134f13d6ad0f86285c618243ca6849dc5aac92fb8b8be014610a6159bf06
-
SSDEEP
49152:N+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:N+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
resource yara_rule behavioral1/files/0x003200000001939b-407.dat family_ateraagent -
Blocklisted process makes network request 7 IoCs
flow pid Process 3 2528 msiexec.exe 5 2528 msiexec.exe 7 2528 msiexec.exe 12 2372 rundll32.exe 13 2372 rundll32.exe 19 1108 rundll32.exe 21 1108 rundll32.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\X: msiexec.exe -
Drops file in System32 directory 20 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 AgentPackageAgentInformation.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 18 IoCs
description ioc Process File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt AgentPackageAgentInformation.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog AteraAgent.exe -
Drops file in Windows directory 37 IoCs
description ioc Process File opened for modification C:\Windows\Installer\f789f4b.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIA306.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBAFB.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIE05C.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE05C.tmp-\System.Management.dll rundll32.exe File created C:\Windows\Installer\f789f4c.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIE05C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA018.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA018.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA018.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB983.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB983.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIB983.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB983.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBAFC.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\MSIA306.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA306.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA306.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIBB9B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA306.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE05C.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIBB3C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE05C.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE05C.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\f789f4b.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIA018.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB983.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB983.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA018.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA306.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA018.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\f789f4e.msi msiexec.exe File opened for modification C:\Windows\Installer\f789f4c.ipi msiexec.exe -
Executes dropped EXE 3 IoCs
pid Process 1072 AteraAgent.exe 1244 AteraAgent.exe 1436 AgentPackageAgentInformation.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1540 sc.exe -
Loads dropped DLL 35 IoCs
pid Process 2928 MsiExec.exe 2264 rundll32.exe 2264 rundll32.exe 2264 rundll32.exe 2264 rundll32.exe 2264 rundll32.exe 2928 MsiExec.exe 2372 rundll32.exe 2372 rundll32.exe 2372 rundll32.exe 2372 rundll32.exe 2372 rundll32.exe 2372 rundll32.exe 2372 rundll32.exe 2372 rundll32.exe 2372 rundll32.exe 2928 MsiExec.exe 2140 rundll32.exe 2140 rundll32.exe 2140 rundll32.exe 2140 rundll32.exe 2140 rundll32.exe 2928 MsiExec.exe 2860 MsiExec.exe 2860 MsiExec.exe 2928 MsiExec.exe 1108 rundll32.exe 1108 rundll32.exe 1108 rundll32.exe 1108 rundll32.exe 1108 rundll32.exe 1108 rundll32.exe 1108 rundll32.exe 1108 rundll32.exe 1108 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 2528 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Kills process with taskkill 1 IoCs
pid Process 2652 TaskKill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs AgentPackageAgentInformation.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280 AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AgentPackageAgentInformation.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates AgentPackageAgentInformation.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "z1eCAC2025.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe -
Modifies system certificate store 2 TTPs 4 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2676 msiexec.exe 2676 msiexec.exe 1244 AteraAgent.exe 1436 AgentPackageAgentInformation.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 2528 msiexec.exe Token: SeIncreaseQuotaPrivilege 2528 msiexec.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeTakeOwnershipPrivilege 2676 msiexec.exe Token: SeSecurityPrivilege 2676 msiexec.exe Token: SeCreateTokenPrivilege 2528 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2528 msiexec.exe Token: SeLockMemoryPrivilege 2528 msiexec.exe Token: SeIncreaseQuotaPrivilege 2528 msiexec.exe Token: SeMachineAccountPrivilege 2528 msiexec.exe Token: SeTcbPrivilege 2528 msiexec.exe Token: SeSecurityPrivilege 2528 msiexec.exe Token: SeTakeOwnershipPrivilege 2528 msiexec.exe Token: SeLoadDriverPrivilege 2528 msiexec.exe Token: SeSystemProfilePrivilege 2528 msiexec.exe Token: SeSystemtimePrivilege 2528 msiexec.exe Token: SeProfSingleProcessPrivilege 2528 msiexec.exe Token: SeIncBasePriorityPrivilege 2528 msiexec.exe Token: SeCreatePagefilePrivilege 2528 msiexec.exe Token: SeCreatePermanentPrivilege 2528 msiexec.exe Token: SeBackupPrivilege 2528 msiexec.exe Token: SeRestorePrivilege 2528 msiexec.exe Token: SeShutdownPrivilege 2528 msiexec.exe Token: SeDebugPrivilege 2528 msiexec.exe Token: SeAuditPrivilege 2528 msiexec.exe Token: SeSystemEnvironmentPrivilege 2528 msiexec.exe Token: SeChangeNotifyPrivilege 2528 msiexec.exe Token: SeRemoteShutdownPrivilege 2528 msiexec.exe Token: SeUndockPrivilege 2528 msiexec.exe Token: SeSyncAgentPrivilege 2528 msiexec.exe Token: SeEnableDelegationPrivilege 2528 msiexec.exe Token: SeManageVolumePrivilege 2528 msiexec.exe Token: SeImpersonatePrivilege 2528 msiexec.exe Token: SeCreateGlobalPrivilege 2528 msiexec.exe Token: SeBackupPrivilege 2752 vssvc.exe Token: SeRestorePrivilege 2752 vssvc.exe Token: SeAuditPrivilege 2752 vssvc.exe Token: SeBackupPrivilege 2676 msiexec.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2536 DrvInst.exe Token: SeLoadDriverPrivilege 2536 DrvInst.exe Token: SeLoadDriverPrivilege 2536 DrvInst.exe Token: SeLoadDriverPrivilege 2536 DrvInst.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeTakeOwnershipPrivilege 2676 msiexec.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeTakeOwnershipPrivilege 2676 msiexec.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeTakeOwnershipPrivilege 2676 msiexec.exe Token: SeDebugPrivilege 2372 rundll32.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeTakeOwnershipPrivilege 2676 msiexec.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeTakeOwnershipPrivilege 2676 msiexec.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeTakeOwnershipPrivilege 2676 msiexec.exe Token: SeRestorePrivilege 2676 msiexec.exe Token: SeTakeOwnershipPrivilege 2676 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2528 msiexec.exe 2528 msiexec.exe -
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target PID 2676 wrote to memory of 2928 2676 msiexec.exe 33 PID 2676 wrote to memory of 2928 2676 msiexec.exe 33 PID 2676 wrote to memory of 2928 2676 msiexec.exe 33 PID 2676 wrote to memory of 2928 2676 msiexec.exe 33 PID 2676 wrote to memory of 2928 2676 msiexec.exe 33 PID 2676 wrote to memory of 2928 2676 msiexec.exe 33 PID 2676 wrote to memory of 2928 2676 msiexec.exe 33 PID 2928 wrote to memory of 2264 2928 MsiExec.exe 34 PID 2928 wrote to memory of 2264 2928 MsiExec.exe 34 PID 2928 wrote to memory of 2264 2928 MsiExec.exe 34 PID 2928 wrote to memory of 2264 2928 MsiExec.exe 34 PID 2928 wrote to memory of 2264 2928 MsiExec.exe 34 PID 2928 wrote to memory of 2264 2928 MsiExec.exe 34 PID 2928 wrote to memory of 2264 2928 MsiExec.exe 34 PID 2928 wrote to memory of 2372 2928 MsiExec.exe 35 PID 2928 wrote to memory of 2372 2928 MsiExec.exe 35 PID 2928 wrote to memory of 2372 2928 MsiExec.exe 35 PID 2928 wrote to memory of 2372 2928 MsiExec.exe 35 PID 2928 wrote to memory of 2372 2928 MsiExec.exe 35 PID 2928 wrote to memory of 2372 2928 MsiExec.exe 35 PID 2928 wrote to memory of 2372 2928 MsiExec.exe 35 PID 2928 wrote to memory of 2140 2928 MsiExec.exe 36 PID 2928 wrote to memory of 2140 2928 MsiExec.exe 36 PID 2928 wrote to memory of 2140 2928 MsiExec.exe 36 PID 2928 wrote to memory of 2140 2928 MsiExec.exe 36 PID 2928 wrote to memory of 2140 2928 MsiExec.exe 36 PID 2928 wrote to memory of 2140 2928 MsiExec.exe 36 PID 2928 wrote to memory of 2140 2928 MsiExec.exe 36 PID 2676 wrote to memory of 2860 2676 msiexec.exe 38 PID 2676 wrote to memory of 2860 2676 msiexec.exe 38 PID 2676 wrote to memory of 2860 2676 msiexec.exe 38 PID 2676 wrote to memory of 2860 2676 msiexec.exe 38 PID 2676 wrote to memory of 2860 2676 msiexec.exe 38 PID 2676 wrote to memory of 2860 2676 msiexec.exe 38 PID 2676 wrote to memory of 2860 2676 msiexec.exe 38 PID 2860 wrote to memory of 1504 2860 MsiExec.exe 39 PID 2860 wrote to memory of 1504 2860 MsiExec.exe 39 PID 2860 wrote to memory of 1504 2860 MsiExec.exe 39 PID 2860 wrote to memory of 1504 2860 MsiExec.exe 39 PID 1504 wrote to memory of 2748 1504 NET.exe 41 PID 1504 wrote to memory of 2748 1504 NET.exe 41 PID 1504 wrote to memory of 2748 1504 NET.exe 41 PID 1504 wrote to memory of 2748 1504 NET.exe 41 PID 2860 wrote to memory of 2652 2860 MsiExec.exe 42 PID 2860 wrote to memory of 2652 2860 MsiExec.exe 42 PID 2860 wrote to memory of 2652 2860 MsiExec.exe 42 PID 2860 wrote to memory of 2652 2860 MsiExec.exe 42 PID 2676 wrote to memory of 1072 2676 msiexec.exe 44 PID 2676 wrote to memory of 1072 2676 msiexec.exe 44 PID 2676 wrote to memory of 1072 2676 msiexec.exe 44 PID 1244 wrote to memory of 1540 1244 AteraAgent.exe 47 PID 1244 wrote to memory of 1540 1244 AteraAgent.exe 47 PID 1244 wrote to memory of 1540 1244 AteraAgent.exe 47 PID 2928 wrote to memory of 1108 2928 MsiExec.exe 46 PID 2928 wrote to memory of 1108 2928 MsiExec.exe 46 PID 2928 wrote to memory of 1108 2928 MsiExec.exe 46 PID 2928 wrote to memory of 1108 2928 MsiExec.exe 46 PID 2928 wrote to memory of 1108 2928 MsiExec.exe 46 PID 2928 wrote to memory of 1108 2928 MsiExec.exe 46 PID 2928 wrote to memory of 1108 2928 MsiExec.exe 46 PID 1244 wrote to memory of 1436 1244 AteraAgent.exe 49 PID 1244 wrote to memory of 1436 1244 AteraAgent.exe 49 PID 1244 wrote to memory of 1436 1244 AteraAgent.exe 49 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\z1eCAC2025.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2528
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2676 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 24CF5FF1C432B1A056B2B622468574F82⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2928 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIA018.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259563651 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2264
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIA306.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259564353 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2372
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIB983.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259570110 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2140
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIE05C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259579985 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1108
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3838718CA41CBBA727D9474251E1B371 M Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2860 -
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1504 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:2748
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2652
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000PPiXTIA1" /AgentId="b38def94-6858-4c0f-8b58-64da2d62ad69"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1072
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000494" "000000000000054C"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2536
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1244 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:1540
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" b38def94-6858-4c0f-8b58-64da2d62ad69 "333fab9e-a5f3-4de1-919f-25e1b0f95502" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000PPiXTIA12⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1436
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5f43f51d0d27beea6c761574214284887
SHA15fa7c22f97516cea337373f97c0f74457383057e
SHA2563acfdeb72ae4c6f7316862a4353431a8f44fb62ceb73bd0995728562cad76b6b
SHA512c811dc2747a54fe49b82e5a4af124e32711b296278a17d892cbd37969956c874ea2ce20d792169434be2bcaa09b08b9b9ecfaa7b36669161c77839f352b5ea2c
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
210KB
MD5c106df1b5b43af3b937ace19d92b42f3
SHA17670fc4b6369e3fb705200050618acaa5213637f
SHA2562b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD5e7d76972b7bcee4b8e7ff558c4b5332f
SHA16925ef528563be830aa054df66fb5359aa5e1442
SHA25639d7fb8d9cdf74d5b1fec800b082936486ce182fffc619f1bb7176611b1a1336
SHA512f3eff8f7e02374f100db3148952c4d145b56686057af20aa989311958ed03db2c12da038db12be02aca6430812eb4474c704cb65a39b5566c972c33d0a6b6251
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize248KB
MD502c5e1d68418152679c58cd3c8130aeb
SHA1ba1e87324cd9ce568584ded884be8967311495d6
SHA2568d21a793b93af34f0de79094be326e543e7a2a18aed77e4e12f0fe5969b9868d
SHA5120aee6baf3a77341b0c111137f81215b481bd7a0e9f6ba871941bf3cf547e9f66adf61cf781d46c04a773eee5762f73221d3094f64d3470d49e7eabf1f774ce08
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize688KB
MD5c63e1d81d747a07f62c914fe92e7e62b
SHA1793dce4607d78d95df754f57c6857e80adb4d1fe
SHA256a7b3fc2f4aac37f80052515b92e514210920adf05c096a7bd85af51b0c3ebe66
SHA512d3cb63dc5699e8c775fcd82de6d19cdeabf7aae39f040ad477995945a3e4cee5c34a07d5f1b0b884de6180e84a576366b1a9af7deb6aaec929ea5ee2e810f1a0
-
Filesize
23KB
MD51c6f4f0b50f6b2d4fb5ad6edd8aaeef3
SHA1a9667fafb5043daa8708775f0fead0df13c518da
SHA256a1eff7a0c37c54eb643b060526f2c52d1fdad898a8739c93abdd3cc150a7d0da
SHA51214a126371cb52b5c46be2bee75f054d965c7b177d9e6fe67a101d5e09e4a7c182c7763e49259309869dcdbb3e3b5859f83e4eafe0118968dddc19143f6519067
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
229B
MD5a0d57999d1d53ca9e29df6a556a32f43
SHA1990fcef20ab0706ed1a1a131602373b15ca6293e
SHA256b01c31689dd615c3113e4cfe209c0f5f27ecbcb90b222159ffde6bc5c53d2d59
SHA5122ac8295cf371e836683fc7b81baf840631fab9e95ca039917df5cfd651fb660f54c8ef198073a1cb2a93b65e058d5e301a9496de4d6bf8b17f91144ef281d2aa
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD571bd195d7c58500ba8a871cf9308a385
SHA14ccbbd6d61a80f21a86adb44adbe9018fcc0d09a
SHA256adea38b7c56668aaf6e0536f8aa40de32e398d248a975b573becfdbf880499ae
SHA5129b230b2a5073903847e17c5835f7ffba35647925e742a4e82dbac36e22fe6d74ebe3c686e38c1c8762db82c034480be83202f58424515603c572551e3b93ef02
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD556e77f27ce4a9d1138cf5be406879ce9
SHA19b747d0ed77969273462ebff0d2c8ff3da74fe49
SHA256e053f29d0a4a9ec9504a28363b9d6bdd5a28287cbe98f5f02b7e8ad0bc4c5c40
SHA51257478aa6ad295eb6cd6986a4d748d55b1bb5d1bf28f022e5a2cd105fe3718abda82a39d0d8111cffb8bef066e6271905daaa8a7d83e9e006944020bc7f39bdf4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5a0cb20d98fd71cf57d7da90834608d35
SHA1806211b77bd71026a6f3c6cdb10f5f7724563aa0
SHA2564d246aba43cc43ee629a9879f6bd3502b3d3656dfe11f0c9a29c7a7a89ad722c
SHA512fa7543436d91734abc480114024f041989d8b780d0e01d63224ea41be0e1c4e9901dc04111db6e499c479ea0d52d6e78f630ae8a8fa46e0a22d315f47ff01358
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD53c5f7ebc14c1542fbe99ef8c1d99bbfc
SHA1b0437787413830f3305cdf39d761a550fb42463f
SHA2566cd17a6559a76433638d1d74628d63b21befd3c8170f5777c4dbeec4e6bb7289
SHA5126b56d404c8992b8544351bb54b38d02be3d2391ce1b4969d68ac588c4a89de301c5660503f4e2292c03f7f9dbc77aa2181345c48cfc7f3056ef1ece613baa1ee
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD53f222d79b9fbc6443bba51bfb3022739
SHA1b2526ea86cf380890b7315eba0162fe82928d0b1
SHA25670ac7017029b7f36d2a4f6bd4a4633cb80f32d746a7282860cbeabf35283c7b7
SHA5125edf9f0a2b39db88cd696cf503ac289520b02ca854ac70c3655d5e89dbc971ee3a32fa1347bb143999472e61ca222bb7d4b5ebdaa7a3d8179398ee3757a828f1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e6499fb57fc37e59012e38c4699cf3e5
SHA12b2c7becc55a6e0db3bdb700291446bb322ffa90
SHA256b89df9704d11fd994fb0682a8c20bfa2b198468af4aa27228705f87a393273dc
SHA5120c54174f98bfabbf51056555b24b37344ad413d18f290e6b24b6dbe16d3983d903a69d80c6a5eaa2b010d3ce874fb08246ba150de773cbc2a590c9ebe05f4cf9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54291e6a988a8550ceeaee60b58cd32f7
SHA1ed374af107fee6c2029d698a333504af095ac81a
SHA256ecf1b7c40f734dfb9f88dcb79ef8afca850cca3a51897a01622ac39f13816b77
SHA512c61b770d668d51cfd708cda9cc8ddd3ca73f4b63a069b10ecdb1c33852e10719195d15ab579357554615ede8fdbdae132c8142e1d2bcc19959f93878a7fde8c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD568b62465f6ec1670dc94cb306519d5e3
SHA1d26cb5a8f08611fb23b0310abf7592bc3c6a352b
SHA25694753c10ede44b533230297d0068ea8a59c47f265d30cb9586b779b342eff1d5
SHA5128d7ddf9f4501257fc0f1445ce87c1b8bcd135911c32f04066e59535bb6d22bc5ee1d91fba1759e562e80ff1a3b1c326d501c8c9db2490c00a5942117f0b72b2e
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.9MB
MD530c87bf81a6b9da8c2d2196d4471f056
SHA1a8c45bd3cb66256a07ba8c4047aa88db5c72c50b
SHA25640c90476979303f54df8bf6ac6ba10a252623cf18519b492b77d8988cb6bd216
SHA512066c4c9922994259cdb62d9cbc21fa6e63b1c765a18a1c4e94b1741e60b580ddb132134f13d6ad0f86285c618243ca6849dc5aac92fb8b8be014610a6159bf06
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416
Filesize230B
MD5f8a73215385f133f9af788dffd5c730b
SHA1b94c1818b03b4ece7cba4246f3c41fe8620bdb87
SHA256c6593cfb5c481fce987878d6ccc51300a7099a868b80faa2a9f423cd848fc09d
SHA512b3303928c271524cf5d386b548ca0871fd7165b906cff3435f19566fccb9d473f2cb7d5f10390beab36a2e288421a64e60b049e536f065c797015a086dcf7ac2
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD590a1bb1981faa27205992d231dcc9ae1
SHA17048f638531be299080e1867efc5255ef2c22986
SHA256d9f22b23eca126213e789aa39767d017687116542a62029ecddb34a654244b90
SHA5123c199e5d06da18f5b05062bad2925a983f46d3e45e4164fecf2fe949d8bd0a3290392e274cbe9b0b379dd5171a9eb357724161c94d18bdcd26d32d81084f2d80
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c3b3fefa3666e15700eed6bd515b5605
SHA1c4b9d6e46e9298b8814bd9f0599ffe92e1983ef9
SHA256022f8ed99c1e991a42a285c9833443ba860bcf523aea6093db2dcf5bf3f826d1
SHA512b401da9c4934cc28426fd7a8d42d42361515484fc17cd8543fdcd535065c559ae98e58fb85ad44f5733fa55630f60f1b148886479e8603ec50ffaa2fa9413560
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD521bdc1c49ad9400f4ad410b0188f1ad3
SHA161818e35f0896cf5c1eecef5b80bbb7e9514282e
SHA2564df4059d3ec50174dee383c96da210a3887bcb0d90b94f86574fed63cdfa2dd7
SHA5124549b5fe1d551e75fdd58f98afd385f3598339d403d9cab8242319d5abd401007208bf7a986ec5545c3795539e4e2c143c5ac92da802c384778b63bf1f003542
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD586420bcb2947b1c5ab1dece998f3de5a
SHA105b35a840016308e7525f3fbf9659f86b120ab40
SHA2567e21bebb76981e3aeb704425e195f8863ce8acbe5dcc90efeadde46e95fec14c
SHA5123dcc66ba4dd26a1755f8edfa7d77dd8936e811cb327fd3c8db5db470d6a5ed2ed7a55cab5e3bb192e64726b626f110167df876079c3fb9900c864543d0dbd0f2
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5e7e0c3a832c439e97c2179ed8df98b6a
SHA10cf58da87bb5a4cfdce63f9e69e5d2141a9baa40
SHA256b27580f33ab6c4ae26315a54db203ae68071553c8f3f263867679a41aac0707b
SHA5123157c0b537ae93abe0b529aea8c318c665dccdd487d550dbd5786cf6d643ea6768390fc0252be595f79c3a88144e736271b052947bc5320b56c785ae831e5865
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD52edf5999a32b850439095b08b7129152
SHA19de20c0bd2a7c34f4773a59c0ee02759b8289be6
SHA2561d4edde0a4a617dc70e58a946d042b4eb73015c08cdd978ea8bbbd512326554e
SHA512cf85724c11583651766c4e33e683c2ce0a3e5230a453a39f1e091a686d4bf227e77cc8710e974e851941f0817509d9f08fbb27f95419a0c2edd7bc62f7b18a46
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5d75b5ade039d6fec525e9eb97699e152
SHA1e145806ade956d4870e1d661f3f7e086a629655a
SHA256a8c1df120257beac0b656cadfa520e4c97b78ff0c3a9aba0713939fb51e1c65f
SHA5123776aa59c0b053813899e15cf88e52191a3d410c612fb64ef4f947a7aa2dfa7c513f85d091cadcf74b8bb7a8cf62bdac8af16a4254427529ce90b0463b528a9d
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD518aadff1aedbbabcdf4ec711dd537b83
SHA18455a625f66ad3f59741e8998f1b103928d3b3a6
SHA256f26a4e7fbfbf0e6dd0ee383162db7127c74a353e453e2cf3e93a8f5f12041669
SHA512ab2834733728ecb20401025c05baea8df5f7e601c883faba31c4f1ea7819afa26be49e34eb6b5da1caf0901fe5d645373c084c5d9ea720f4bd90d1961ba2c744
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5dbe8cef5092bb43153e83cf6868ce1b2
SHA1d216a53591f34eeb07d1108fae88bdbb135a5ff4
SHA256ba688e229ffb3fb7049ad4f634094cbe9295be4028b26ffd05d1301597508361
SHA512aa10b1309b3fb6ef43f4821925c75b5a3b81d37df478dd1b2fcdd4ceabeb1f92b5056af87edf74ba1ed9eafc1ae31997b3bcb09b9df41e001b9653c5ff8c6546
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1