ateraagent | 9219d0815a0320d65356c84003ea6d80935ebf855d2b7fbda79c4f38057a1e78

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

z65NF-E.msi
Size

2.9MB
MD5

7c2346e58afd0cc0337fc935cd41d9c4
SHA1

32189bee035e465d2df8bb15c5d168f8eff6f187
SHA256

9219d0815a0320d65356c84003ea6d80935ebf855d2b7fbda79c4f38057a1e78
SHA512

b7267d28ec63ce3b3a2bd247094bf1a4cc8891549a4d43f8875ba1e37f97f3a1a6bddcbc8f9be009fc12a3836dd9d759394ec5a38ef87c8425990d42ce3cb9e2
SSDEEP

49152:M+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:M+lUlz9FKbsodq0YaH7ZPxMb8tT

Score

10^/10

ateraagent discovery persistence privilege_escalation rat

Malware Config

Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.
rat ateraagent
Ateraagent family
ateraagent

Detects AteraAgent 1 IoCs

resource	yara_rule
behavioral2/files/0x000b000000023bb3-236.dat	family_ateraagent

Blocklisted process makes network request 4 IoCs

flow	pid	Process
4	4768	msiexec.exe
6	4768	msiexec.exe
27	1792	rundll32.exe
32	4032	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe

Drops file in Windows directory 35 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSICCF5.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICFC4.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICFC4.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSID6CA.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE2D5.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\e57cc68.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCF5.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE2D5.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSID853.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID93F.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCF5.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSID6CA.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8A2.tmp	msiexec.exe
File created	C:\Windows\Installer\e57cc6a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2D5.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE2D5.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICFC4.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSID6CA.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSID6CA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCF5.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICFC4.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICFC4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE2D5.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICCF5.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSICFC4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID6CA.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSID6CA.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID852.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57cc68.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCF5.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3384	AteraAgent.exe
3188	AteraAgent.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1708	sc.exe

Loads dropped DLL 31 IoCs

pid	Process
540	MsiExec.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
884	rundll32.exe
540	MsiExec.exe
1792	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
1792	rundll32.exe
540	MsiExec.exe
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
664	rundll32.exe
540	MsiExec.exe
948	MsiExec.exe
948	MsiExec.exe
540	MsiExec.exe
4032	rundll32.exe
4032	rundll32.exe
4032	rundll32.exe
4032	rundll32.exe
4032	rundll32.exe
4032	rundll32.exe
4032	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4768	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c4d65e62b69e8e0b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c4d65e620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c4d65e62000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc4d65e62000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c4d65e6200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
3144	TaskKill.exe

Modifies data under HKEY_USERS 55 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "z65NF-E.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3472	msiexec.exe
3472	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4768	msiexec.exe
Token: SeSecurityPrivilege	3472	msiexec.exe
Token: SeCreateTokenPrivilege	4768	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4768	msiexec.exe
Token: SeLockMemoryPrivilege	4768	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4768	msiexec.exe
Token: SeMachineAccountPrivilege	4768	msiexec.exe
Token: SeTcbPrivilege	4768	msiexec.exe
Token: SeSecurityPrivilege	4768	msiexec.exe
Token: SeTakeOwnershipPrivilege	4768	msiexec.exe
Token: SeLoadDriverPrivilege	4768	msiexec.exe
Token: SeSystemProfilePrivilege	4768	msiexec.exe
Token: SeSystemtimePrivilege	4768	msiexec.exe
Token: SeProfSingleProcessPrivilege	4768	msiexec.exe
Token: SeIncBasePriorityPrivilege	4768	msiexec.exe
Token: SeCreatePagefilePrivilege	4768	msiexec.exe
Token: SeCreatePermanentPrivilege	4768	msiexec.exe
Token: SeBackupPrivilege	4768	msiexec.exe
Token: SeRestorePrivilege	4768	msiexec.exe
Token: SeShutdownPrivilege	4768	msiexec.exe
Token: SeDebugPrivilege	4768	msiexec.exe
Token: SeAuditPrivilege	4768	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4768	msiexec.exe
Token: SeChangeNotifyPrivilege	4768	msiexec.exe
Token: SeRemoteShutdownPrivilege	4768	msiexec.exe
Token: SeUndockPrivilege	4768	msiexec.exe
Token: SeSyncAgentPrivilege	4768	msiexec.exe
Token: SeEnableDelegationPrivilege	4768	msiexec.exe
Token: SeManageVolumePrivilege	4768	msiexec.exe
Token: SeImpersonatePrivilege	4768	msiexec.exe
Token: SeCreateGlobalPrivilege	4768	msiexec.exe
Token: SeBackupPrivilege	1892	vssvc.exe
Token: SeRestorePrivilege	1892	vssvc.exe
Token: SeAuditPrivilege	1892	vssvc.exe
Token: SeBackupPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeDebugPrivilege	1792	rundll32.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeDebugPrivilege	3144	TaskKill.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe
Token: SeTakeOwnershipPrivilege	3472	msiexec.exe
Token: SeRestorePrivilege	3472	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4768	msiexec.exe
4768	msiexec.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 3472 wrote to memory of 2204	3472	msiexec.exe	92
PID 3472 wrote to memory of 2204	3472	msiexec.exe	92
PID 3472 wrote to memory of 540	3472	msiexec.exe	94
PID 3472 wrote to memory of 540	3472	msiexec.exe	94
PID 3472 wrote to memory of 540	3472	msiexec.exe	94
PID 540 wrote to memory of 884	540	MsiExec.exe	97
PID 540 wrote to memory of 884	540	MsiExec.exe	97
PID 540 wrote to memory of 884	540	MsiExec.exe	97
PID 540 wrote to memory of 1792	540	MsiExec.exe	99
PID 540 wrote to memory of 1792	540	MsiExec.exe	99
PID 540 wrote to memory of 1792	540	MsiExec.exe	99
PID 540 wrote to memory of 664	540	MsiExec.exe	101
PID 540 wrote to memory of 664	540	MsiExec.exe	101
PID 540 wrote to memory of 664	540	MsiExec.exe	101
PID 3472 wrote to memory of 948	3472	msiexec.exe	102
PID 3472 wrote to memory of 948	3472	msiexec.exe	102
PID 3472 wrote to memory of 948	3472	msiexec.exe	102
PID 948 wrote to memory of 2040	948	MsiExec.exe	103
PID 948 wrote to memory of 2040	948	MsiExec.exe	103
PID 948 wrote to memory of 2040	948	MsiExec.exe	103
PID 2040 wrote to memory of 4516	2040	NET.exe	105
PID 2040 wrote to memory of 4516	2040	NET.exe	105
PID 2040 wrote to memory of 4516	2040	NET.exe	105
PID 948 wrote to memory of 3144	948	MsiExec.exe	106
PID 948 wrote to memory of 3144	948	MsiExec.exe	106
PID 948 wrote to memory of 3144	948	MsiExec.exe	106
PID 3472 wrote to memory of 3384	3472	msiexec.exe	108
PID 3472 wrote to memory of 3384	3472	msiexec.exe	108
PID 540 wrote to memory of 4032	540	MsiExec.exe	112
PID 540 wrote to memory of 4032	540	MsiExec.exe	112
PID 540 wrote to memory of 4032	540	MsiExec.exe	112
PID 3188 wrote to memory of 1708	3188	AteraAgent.exe	113
PID 3188 wrote to memory of 1708	3188	AteraAgent.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\z65NF-E.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4768

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3472
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2204
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5E83639058C35AB65BE0D06D9DB88403
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSICCF5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240635375 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:884
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSICFC4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240635906 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSID6CA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240637687 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:664
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIE2D5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240640765 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 586C87237C26263D455C31228C977712 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Windows\SysWOW64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2040
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:4516
- - C:\Windows\SysWOW64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3144
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Pps1uIAB" /AgentId="35384851-2ba0-4179-ac90-48d58455fd36"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:3384

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1892

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:3188
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57cc69.rbs

Filesize
8KB

MD5
3e216220ee940a8bf4086521d14c96f1

SHA1
7c0af0522655adac471ed56160cb38857aa423c9

SHA256
b43d0074f658b95c3f1e66371c2dd8f6a1baa1054d931302aeccfa0a0a8c3b4f

SHA512
6ff9415055e19a263aac79ca431b4293fccdce1b79f125968c4f25913fd4f49654f3795f0206223c3db69653b4edd479d300be0673f1659e0ccec601680c4213

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
142KB

MD5
477293f80461713d51a98a24023d45e8

SHA1
e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

SHA256
a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

SHA512
23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
2c4d25b7fbd1adfd4471052fa482af72

SHA1
fd6cd773d241b581e3c856f9e6cd06cb31a01407

SHA256
2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7

SHA512
f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
17d74c03b6bcbcd88b46fcc58fc79a0d

SHA1
bc0316e11c119806907c058d62513eb8ce32288c

SHA256
13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

SHA512
f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
225B

MD5
68210dc87ce0f1ee37ed566b205c4908

SHA1
7603ca17f88d80c754ebe68060e21587e5db5aa0

SHA256
916e5fc8f3e0aca5f5bcf53f9efd8f2cc0d4901d4a0a7b57c4932d74586f70e5

SHA512
0e57c3b302478c6fa8d4e1bcef654de026575d492582c9d8787e2b774d753106f2d34e67d70bc43d44cd47c436c2166ed99b6125ab57aed060d2f128894ec1c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
b37eee2552522d51b5d8045e6397c56a

SHA1
df7cede952d9088326533e0675f9af3a0412cb2e

SHA256
2f47246e72e3f6cc3e5172cc555fbf2bf4a018653a8b0f7ef36a437a149c2c88

SHA512
189c7961e872c9001c5decf65113076adb7b3b76a43d047d34308b61082e0b59aa90182c3f53e87432233e731259bb590a0ef18f3ab173da7212d9b5ba701a97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
727B

MD5
e10202b6ab0b7420d6e690fb0b5f855d

SHA1
3a9f90af05c5e932c67aef0beb35464e99713991

SHA256
1063967df0b5d68609eb4da57043fce6fcde597f420e401ac009ee5378db88f6

SHA512
23bb38b05986566e73d59db162a4d8b1f9aa0396aa996f0f675f9dd29ec0835e930b1346d1315119a82903aa8db7318c5da164cd5cb26c847991c1c1ea05eee7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
b56ef82c98008d1730d873e5b1216f0d

SHA1
7932ff198c39e5ca5d46d513e22c7907e8282fd4

SHA256
b7a65caf0de8c757ba1d28eae861fcbd0e5bdf53fea7af1d25260edcd523eaf5

SHA512
aebf1a3c7d6b4a5b18aca73b073a15d00b0a3ae1de756e827e85833a6d96ca78e13778577869be4cb0f6d10cfb6a1409205920030fb4ed0fe45c14446d4e9a60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
966212314c534fd4960072ed9a691858

SHA1
7d9d207fa9cf23944926bdb80e60a18bac0d2bb7

SHA256
c02dfc426e4d36c4179077c7ba452569784118d7d5755ef52072e5cfde151425

SHA512
ec667db0d127f9c6e1592ae2b6ee74e13501d5aa88157615b565f4d6ba9eb61aa38355c0d57d84742d66132e896a5594e1317cffd1bd1b1b8fb058400f60177a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
404B

MD5
9feb33475d255984da4dda6741c04f94

SHA1
2884b62d2bae6eb46e0ba463362666a8e584e541

SHA256
dbca93c5604eb5f364527686ef9dc4be983bb85291a60b4377b4080a4ae2c9b3

SHA512
3c85768da7ba0f0ac763e32bc9ab6db1213a3a8d915abc4d1c0ebbf488812468f97cc7bf1518c94c541a483dacc8b9d6d0befccd2fd09b16e4877aa6825d4d1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
e07cbb53ae51e72d5c12c4a56312dfa6

SHA1
76990c65179ce81b2a11d684982ee7652cfa6055

SHA256
c3073dab3566e3a4ee51abb998493c426321eafe20cf8aaccd79cbfe7b2a1b03

SHA512
a62b04704e3b407d4424d2e8adb9921bae4dc2ea346055c89c0b407c25a0a7c049a0d5093ee9e61a6a21823b95c59d9122932dfbcc7b647e9f4a14acbf393bf4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
9bbfe11735bac43a2ed1be18d0655fe2

SHA1
61141928bb248fd6e9cd5084a9db05a9b980fb3a

SHA256
549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74

SHA512
a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483

Download Submit
C:\Windows\Installer\MSICCF5.tmp

Filesize
509KB

MD5
88d29734f37bdcffd202eafcdd082f9d

SHA1
823b40d05a1cab06b857ed87451bf683fdd56a5e

SHA256
87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

SHA512
1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

Download Submit
C:\Windows\Installer\MSICCF5.tmp-\AlphaControlAgentInstallation.dll

Filesize
25KB

MD5
aa1b9c5c685173fad2dabebeb3171f01

SHA1
ed756b1760e563ce888276ff248c734b7dd851fb

SHA256
e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

SHA512
d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

Download Submit
C:\Windows\Installer\MSICCF5.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
C:\Windows\Installer\MSICFC4.tmp-\CustomAction.config

Filesize
1KB

MD5
bc17e956cde8dd5425f2b2a68ed919f8

SHA1
5e3736331e9e2f6bf851e3355f31006ccd8caa99

SHA256
e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

SHA512
02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

Download Submit
C:\Windows\Installer\MSICFC4.tmp-\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Windows\Installer\MSID853.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\e57cc68.msi

Filesize
2.9MB

MD5
7c2346e58afd0cc0337fc935cd41d9c4

SHA1
32189bee035e465d2df8bb15c5d168f8eff6f187

SHA256
9219d0815a0320d65356c84003ea6d80935ebf855d2b7fbda79c4f38057a1e78

SHA512
b7267d28ec63ce3b3a2bd247094bf1a4cc8891549a4d43f8875ba1e37f97f3a1a6bddcbc8f9be009fc12a3836dd9d759394ec5a38ef87c8425990d42ce3cb9e2

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
2db83dfef187b3ab2f1ace6129a9835d

SHA1
6081447645df91169c01c7a8a3a5e60946d6dbe0

SHA256
98067291d42bbde413925930707850e6cf5e835922719e83bf58bf5101fa7481

SHA512
6c176bdfd6397968f92d5cb01f94c3dace0412b6b47e42726ba93f45d368ca5524ca82f16fb2a4570d56bb747da1425fe2d6192c6e9378a4a9b3040238a4c8dd

Download Submit
\??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5226a823-cc19-4ab2-bf14-e14eebc60754}_OnDiskSnapshotProp

Filesize
6KB

MD5
4a26f5576c46c7980751f0fc5d38014a

SHA1
6edd0550cd6b2ef86a8850505c0f81d6a0e64fda

SHA256
46893df1b3de8c592fb8e3b85f409951c18983fc57d6712a9e87fb0ac61ce573

SHA512
ac47ccb67e2fed02dffe99e15405cbde06ab198a4b30a07848b1857f906e24374b469814d69994bd30732ea60e80ff4e164be36ad6a18d8b0d0c25b3fc12a867

Download Submit
memory/664-110-0x00000000048E0000-0x0000000004946000-memory.dmp

Filesize
408KB

Download
memory/884-43-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/884-39-0x0000000002D00000-0x0000000002D2E000-memory.dmp

Filesize
184KB

Download
memory/1792-80-0x0000000005770000-0x0000000005AC4000-memory.dmp

Filesize
3.3MB

Download
memory/1792-79-0x0000000005640000-0x0000000005662000-memory.dmp

Filesize
136KB

Download
memory/1792-76-0x00000000056B0000-0x0000000005762000-memory.dmp

Filesize
712KB

Download
memory/3188-195-0x000001F62EBE0000-0x000001F62EC92000-memory.dmp

Filesize
712KB

Download
memory/3188-198-0x000001F6161A0000-0x000001F6161C2000-memory.dmp

Filesize
136KB

Download
memory/3384-165-0x0000020A7F720000-0x0000020A7F75C000-memory.dmp

Filesize
240KB

Download
memory/3384-164-0x0000020A7DDC0000-0x0000020A7DDD2000-memory.dmp

Filesize
72KB

Download
memory/3384-160-0x0000020A7FFF0000-0x0000020A80088000-memory.dmp

Filesize
608KB

Download
memory/3384-148-0x0000020A7D9B0000-0x0000020A7D9D8000-memory.dmp

Filesize
160KB

Download