Analysis
-
max time kernel
73s -
max time network
74s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
27/01/2025, 20:32
Behavioral task
behavioral1
Sample
acrobat.msi
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
acrobat.msi
Resource
win10v2004-20241007-en
General
-
Target
acrobat.msi
-
Size
2.9MB
-
MD5
c23d2701fc5830505ea5396018b22cd7
-
SHA1
d1a34893e880cc7553a2d46473f713620ea40455
-
SHA256
95f69504eecf1d05ec672e8fe8c0f83ab276c98f2a6af700be2351c0d32b63f3
-
SHA512
96c3f53c867b62013539ce2420e88aab48024621c82a2003aa558eb3ab115f0950e6b8efa35d1af291ad1a4054706663bc3b52c037c06407ed2e22199a32a92b
-
SSDEEP
49152:k+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:k+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
resource yara_rule behavioral1/files/0x000a000000017420-397.dat family_ateraagent -
Blocklisted process makes network request 7 IoCs
flow pid Process 3 1892 msiexec.exe 5 1892 msiexec.exe 7 1892 msiexec.exe 11 2148 rundll32.exe 13 2148 rundll32.exe 18 808 rundll32.exe 20 808 rundll32.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe -
Drops file in System32 directory 20 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 AgentPackageAgentInformation.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 18 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt AgentPackageAgentInformation.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config AteraAgent.exe -
Drops file in Windows directory 37 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIDE97.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIDE97.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBC8D.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID1D4.tmp-\System.Management.dll rundll32.exe File created C:\Windows\Installer\f76bc1f.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSID37B.tmp msiexec.exe File opened for modification C:\Windows\Installer\f76bc1f.ipi msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSID1D4.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIDE97.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIDE97.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID1D4.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID1D4.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIBC8D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBC8D.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC111.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC111.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC111.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID1D4.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File created C:\Windows\Installer\f76bc21.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIDE97.tmp msiexec.exe File created C:\Windows\Installer\f76bc1e.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIBC8D.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\Installer\f76bc1e.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIC111.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID1D4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID439.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDE97.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIBC8D.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC111.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC111.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSID36A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID3BB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBC8D.tmp-\Newtonsoft.Json.dll rundll32.exe -
Executes dropped EXE 3 IoCs
pid Process 1312 AteraAgent.exe 2140 AteraAgent.exe 2700 AgentPackageAgentInformation.exe -
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 1980 sc.exe -
Loads dropped DLL 35 IoCs
pid Process 1880 MsiExec.exe 1284 rundll32.exe 1284 rundll32.exe 1284 rundll32.exe 1284 rundll32.exe 1284 rundll32.exe 1880 MsiExec.exe 2148 rundll32.exe 2148 rundll32.exe 2148 rundll32.exe 2148 rundll32.exe 2148 rundll32.exe 2148 rundll32.exe 2148 rundll32.exe 2148 rundll32.exe 2148 rundll32.exe 1880 MsiExec.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1452 rundll32.exe 1880 MsiExec.exe 2808 MsiExec.exe 2808 MsiExec.exe 1880 MsiExec.exe 808 rundll32.exe 808 rundll32.exe 808 rundll32.exe 808 rundll32.exe 808 rundll32.exe 808 rundll32.exe 808 rundll32.exe 808 rundll32.exe 808 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1892 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe -
Kills process with taskkill 1 IoCs
pid Process 2640 TaskKill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates AteraAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280\Blob = 0300000001000000140000009e99a48a9960b14926bb7f3b02e22da2b0ab72801400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183040000000100000010000000c6150925cfea5941ddc7ff2a0a5066920f00000001000000200000008408d5e5010ab8da67eb33a7d79ace944dd0ac103ae6ead3ff30dec571066b0319000000010000001000000014d4b19434670e6dc091d154abb20edc180000000100000010000000fd960962ac6938e0d4b0769aa1a64e26200000000100000079040000308204753082035da003020102020900a70e4a4c3482b77f300d06092a864886f70d01010b05003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3039303930323030303030305a170d3334303632383137333931365a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a381f03081ed300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183301f0603551d23041830168014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7304f06082b0601050507010104433041301c06082b060105050730018610687474703a2f2f6f2e7373322e75732f302106082b060105050730028615687474703a2f2f782e7373322e75732f782e63657230260603551d1f041f301d301ba019a0178615687474703a2f2f732e7373322e75732f722e63726c30110603551d20040a300830060604551d2000300d06092a864886f70d01010b05000382010100231de38a57ca7de917794cf11e55fdcc536e3e470fdfc655f2b20436ed801f53c45d34286bbec755fc67eacb3f7f90b233cd1b58108202f8f82ff51360d405cef18108c1dda775974f18b96ddef7939108ba7e402cedc1eabb769e3306771d0d087f53dd1b64ab8227f169d54d5eaef4a1c375a758442df23c7098acba69b695777f0f315e2cfca0873a4769f0795ff41454a4955e1178126027ce9fc277ff2353775dbaffea59e7dbcfaf9296ef249a35107a9c91c60e7d99f63f19dff57254e115a907597b83bf522e468cb20064761c48d3d879e86e56ccae2c0390d7193899e4ca09195bff0796b0a87f3449df56a9f7b05fed33ed8c47b730035df4038c AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Peer to Peer Trust" AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "acrobat.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe -
Modifies system certificate store 2 TTPs 4 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794 AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6 AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2560 msiexec.exe 2560 msiexec.exe 2140 AteraAgent.exe 2700 AgentPackageAgentInformation.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1892 msiexec.exe Token: SeIncreaseQuotaPrivilege 1892 msiexec.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe Token: SeSecurityPrivilege 2560 msiexec.exe Token: SeCreateTokenPrivilege 1892 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1892 msiexec.exe Token: SeLockMemoryPrivilege 1892 msiexec.exe Token: SeIncreaseQuotaPrivilege 1892 msiexec.exe Token: SeMachineAccountPrivilege 1892 msiexec.exe Token: SeTcbPrivilege 1892 msiexec.exe Token: SeSecurityPrivilege 1892 msiexec.exe Token: SeTakeOwnershipPrivilege 1892 msiexec.exe Token: SeLoadDriverPrivilege 1892 msiexec.exe Token: SeSystemProfilePrivilege 1892 msiexec.exe Token: SeSystemtimePrivilege 1892 msiexec.exe Token: SeProfSingleProcessPrivilege 1892 msiexec.exe Token: SeIncBasePriorityPrivilege 1892 msiexec.exe Token: SeCreatePagefilePrivilege 1892 msiexec.exe Token: SeCreatePermanentPrivilege 1892 msiexec.exe Token: SeBackupPrivilege 1892 msiexec.exe Token: SeRestorePrivilege 1892 msiexec.exe Token: SeShutdownPrivilege 1892 msiexec.exe Token: SeDebugPrivilege 1892 msiexec.exe Token: SeAuditPrivilege 1892 msiexec.exe Token: SeSystemEnvironmentPrivilege 1892 msiexec.exe Token: SeChangeNotifyPrivilege 1892 msiexec.exe Token: SeRemoteShutdownPrivilege 1892 msiexec.exe Token: SeUndockPrivilege 1892 msiexec.exe Token: SeSyncAgentPrivilege 1892 msiexec.exe Token: SeEnableDelegationPrivilege 1892 msiexec.exe Token: SeManageVolumePrivilege 1892 msiexec.exe Token: SeImpersonatePrivilege 1892 msiexec.exe Token: SeCreateGlobalPrivilege 1892 msiexec.exe Token: SeBackupPrivilege 2580 vssvc.exe Token: SeRestorePrivilege 2580 vssvc.exe Token: SeAuditPrivilege 2580 vssvc.exe Token: SeBackupPrivilege 2560 msiexec.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeRestorePrivilege 2220 DrvInst.exe Token: SeRestorePrivilege 2220 DrvInst.exe Token: SeRestorePrivilege 2220 DrvInst.exe Token: SeRestorePrivilege 2220 DrvInst.exe Token: SeRestorePrivilege 2220 DrvInst.exe Token: SeRestorePrivilege 2220 DrvInst.exe Token: SeRestorePrivilege 2220 DrvInst.exe Token: SeLoadDriverPrivilege 2220 DrvInst.exe Token: SeLoadDriverPrivilege 2220 DrvInst.exe Token: SeLoadDriverPrivilege 2220 DrvInst.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe Token: SeDebugPrivilege 2148 rundll32.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe Token: SeRestorePrivilege 2560 msiexec.exe Token: SeTakeOwnershipPrivilege 2560 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 1892 msiexec.exe 1892 msiexec.exe -
Suspicious use of WriteProcessMemory 63 IoCs
description pid Process procid_target PID 2560 wrote to memory of 1880 2560 msiexec.exe 34 PID 2560 wrote to memory of 1880 2560 msiexec.exe 34 PID 2560 wrote to memory of 1880 2560 msiexec.exe 34 PID 2560 wrote to memory of 1880 2560 msiexec.exe 34 PID 2560 wrote to memory of 1880 2560 msiexec.exe 34 PID 2560 wrote to memory of 1880 2560 msiexec.exe 34 PID 2560 wrote to memory of 1880 2560 msiexec.exe 34 PID 1880 wrote to memory of 1284 1880 MsiExec.exe 35 PID 1880 wrote to memory of 1284 1880 MsiExec.exe 35 PID 1880 wrote to memory of 1284 1880 MsiExec.exe 35 PID 1880 wrote to memory of 1284 1880 MsiExec.exe 35 PID 1880 wrote to memory of 1284 1880 MsiExec.exe 35 PID 1880 wrote to memory of 1284 1880 MsiExec.exe 35 PID 1880 wrote to memory of 1284 1880 MsiExec.exe 35 PID 1880 wrote to memory of 2148 1880 MsiExec.exe 36 PID 1880 wrote to memory of 2148 1880 MsiExec.exe 36 PID 1880 wrote to memory of 2148 1880 MsiExec.exe 36 PID 1880 wrote to memory of 2148 1880 MsiExec.exe 36 PID 1880 wrote to memory of 2148 1880 MsiExec.exe 36 PID 1880 wrote to memory of 2148 1880 MsiExec.exe 36 PID 1880 wrote to memory of 2148 1880 MsiExec.exe 36 PID 1880 wrote to memory of 1452 1880 MsiExec.exe 37 PID 1880 wrote to memory of 1452 1880 MsiExec.exe 37 PID 1880 wrote to memory of 1452 1880 MsiExec.exe 37 PID 1880 wrote to memory of 1452 1880 MsiExec.exe 37 PID 1880 wrote to memory of 1452 1880 MsiExec.exe 37 PID 1880 wrote to memory of 1452 1880 MsiExec.exe 37 PID 1880 wrote to memory of 1452 1880 MsiExec.exe 37 PID 2560 wrote to memory of 2808 2560 msiexec.exe 39 PID 2560 wrote to memory of 2808 2560 msiexec.exe 39 PID 2560 wrote to memory of 2808 2560 msiexec.exe 39 PID 2560 wrote to memory of 2808 2560 msiexec.exe 39 PID 2560 wrote to memory of 2808 2560 msiexec.exe 39 PID 2560 wrote to memory of 2808 2560 msiexec.exe 39 PID 2560 wrote to memory of 2808 2560 msiexec.exe 39 PID 2808 wrote to memory of 2620 2808 MsiExec.exe 40 PID 2808 wrote to memory of 2620 2808 MsiExec.exe 40 PID 2808 wrote to memory of 2620 2808 MsiExec.exe 40 PID 2808 wrote to memory of 2620 2808 MsiExec.exe 40 PID 2620 wrote to memory of 2884 2620 NET.exe 42 PID 2620 wrote to memory of 2884 2620 NET.exe 42 PID 2620 wrote to memory of 2884 2620 NET.exe 42 PID 2620 wrote to memory of 2884 2620 NET.exe 42 PID 2808 wrote to memory of 2640 2808 MsiExec.exe 43 PID 2808 wrote to memory of 2640 2808 MsiExec.exe 43 PID 2808 wrote to memory of 2640 2808 MsiExec.exe 43 PID 2808 wrote to memory of 2640 2808 MsiExec.exe 43 PID 2560 wrote to memory of 1312 2560 msiexec.exe 45 PID 2560 wrote to memory of 1312 2560 msiexec.exe 45 PID 2560 wrote to memory of 1312 2560 msiexec.exe 45 PID 2140 wrote to memory of 1980 2140 AteraAgent.exe 48 PID 2140 wrote to memory of 1980 2140 AteraAgent.exe 48 PID 2140 wrote to memory of 1980 2140 AteraAgent.exe 48 PID 1880 wrote to memory of 808 1880 MsiExec.exe 50 PID 1880 wrote to memory of 808 1880 MsiExec.exe 50 PID 1880 wrote to memory of 808 1880 MsiExec.exe 50 PID 1880 wrote to memory of 808 1880 MsiExec.exe 50 PID 1880 wrote to memory of 808 1880 MsiExec.exe 50 PID 1880 wrote to memory of 808 1880 MsiExec.exe 50 PID 1880 wrote to memory of 808 1880 MsiExec.exe 50 PID 2140 wrote to memory of 2700 2140 AteraAgent.exe 51 PID 2140 wrote to memory of 2700 2140 AteraAgent.exe 51 PID 2140 wrote to memory of 2700 2140 AteraAgent.exe 51 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\acrobat.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1892
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2560 -
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 91FC810E292717DCC4590EF3D08C4D5C2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1880 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIBC8D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259439911 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1284
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIC111.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259440972 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2148
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID1D4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259445262 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1452
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIDE97.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259448476 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:808
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2E693C9FB22946C20F8E42DBAD684785 M Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2620 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:2884
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2640
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000PryxLIAR" /AgentId="716ac99b-a987-4df1-a855-87dcedee4a1f"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1312
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C4" "0000000000000570"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2220
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2140 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:1980
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 716ac99b-a987-4df1-a855-87dcedee4a1f "e83e0088-8d13-4a56-8090-b43e3c32ba65" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000PryxLIAR2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2700
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5ad7cb602acd9ebf0529d7ebcba7b16bd
SHA18d0da234b23e34892a0cab7e7a9fc5447b4a7042
SHA256b5e65948016db4e3d377cd92b5a5a387b2df4bf0d077e134f27ad14bcf26d580
SHA51292521105729d1048a512b3543a091de5d2265975d6d398f58cbc0f631df93e0fb212de8c877ff9c1c9ed81c1955e126ad1eb9b42037e657cc99516d3856ccd02
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
210KB
MD5c106df1b5b43af3b937ace19d92b42f3
SHA17670fc4b6369e3fb705200050618acaa5213637f
SHA2562b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD51e065e191e89cc811ff49c96fa8fa5e6
SHA1bc50ff2a20a8b83683583684fcac640a91689ed4
SHA256d88faf6d47342587ea5fbcaf2ef88fb403f7fcdc08fcab67d4f4f381c237a61e
SHA5125a710e168316c30ca10f7b126e870621f46cca6200e206a9984d144abd11fea045bc475599b18597bbed1e4f00e832d94576837f643b22ffaee56871629290dd
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize247KB
MD5aa5cf64d575b7544eefd77f256c4dc57
SHA1bd23989db4f9af0aae34d032e817d802c06ca5a9
SHA25679c5afd94d0ffa3519a90e691a6d47f9c2eec93277f7d369aa34e64b171fc920
SHA512774aeb5188c536d556a8c7a0cd3dfd9ab22d7bc0ad13353d11c9153232585da352552a69eb967a741372a99db490df355a5a47696b2ea446582c834c963cfeff
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize688KB
MD5111e2e63bccead95bb5ffc53c9282070
SHA1eaae7df21e291aa089bc101b1e265ca202be1225
SHA2569615fe5fe63c48b13ffd8c9bc76170a9ed1cfea6a3d0901e857a1c6c6edaea76
SHA512ffc818615fb30e24633c90b8f5a55c100b5f307414ec54e5a2914bb4ea36d3fb3aa6ed0e5815976a2f6d1b7f056e7da1f108a8eed81b458decebe721ad30b920
-
Filesize
23KB
MD5ba8d2cfc3668f320f418e50d84ef67d6
SHA141f996b316733fdf980ae4ef8f682efe16bc2441
SHA2566f5c93695e7938af383c97c71daa8efce88050c38f59b0a36a7921278e5e2c43
SHA51229aee046af0ce16b6f64d4c9a1b052165ab067f7abbfa2ba961fb1db96bf1c7dfaa819026859f4c429bd0e7ed1c48683345d6de427f42580bd8efc76e051f10d
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
228B
MD531c865d7c9fc0db90ab4598e7f0de052
SHA1c39f3e241811ef91ba808a712242b8c44383a2d4
SHA25629d9a19a8c856f57dc54b6845a04cb65463668950dc6401a3f6e871e257aabf5
SHA5128ba8a65cf1effb24fc9c10e0271417ce861a3213648b758548b61b5609da98cfdc13685755dac5f35ebe13375ccb1345eb675d13abe86adbeffaf9750cd50e38
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD54baa10270f5eda4deb77ac3d8b18ca9a
SHA191d2402461106264ff2cb5ac878fc51b60f4bf64
SHA25668f34dc20586badb0bdaac09507657905d1bf58e4f43c9a04cbea8e5c3f7f4e5
SHA51295e3a98da670be2cdaa6df9545457e3b21b4e1c58168b7f982f9b476eb44b04ec9fc527c2611b3ec519816053c18468bda26330a7eca96f42478d03173253d3a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD5bd1debba88d033375f8d7585cddd2792
SHA1bfd496b8d60a98d2359cbc901ad9734bcd11fd3f
SHA256cd988405416924e82347dfd8b0fb4ec293ac591fcefd5059054f673442623963
SHA5129ef20e15b183d3ba30a20a7bdae65a2f3a425b83f1579ef0edb2e45e8cccc3159a1ee517f45bff1abc622ef9edfae045562daca8e27c00d7634ea7c1db67c0d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD589daee5ebc3c014d0f256a3f30c582b9
SHA1d4d6e0c11f56f6ffe44969d64083ebd76615e6e5
SHA256ebc7f30c2c3ae32be08ec25566dd989a1d6f346b0562b2ad14ddc7eacbf69b18
SHA512ac0e04ffeed3182e0b30cac0f271751373ad26dbc41a8bdfbcd630de30466736d8a6234014e0af181c91e0d71c67be5ac2522cb623b763b0624183d80035efce
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD592bb8bb0a2fb3ee7db609fe17ed1e7d5
SHA160e86f262826ad765d1317b129b418aeb1ff31a7
SHA256cc94889bf99867be1979ce110bc6bf573420f2cde81aedff2eb2c470aa167cff
SHA512a29e535a763d90257f7e16424cefeaa06bf92a9173ea65ea45f0349846b11a957e398777293676d73829e85eead18fcd13c0fc25a224ed78f5ab4a8693f4e3c0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD53ac16608bf447b35033c66d819a5d81f
SHA1d0900202b703f03c1d21d8cb7dc2cbc407761038
SHA25601620df6943b8c965b17c034046f0c72b4aa4921fa6c05452fa6ea75d9977f4e
SHA51297836de9b947482e397bd5c4ba7b7e2ffb74ef2ac52a06999a8f301899745933f7037b45b6cfd14a4ee4bcc6ed1c84628843ab4fa4661d3f1f0435890f9fa1eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5373d4b5727f4ea5289fe751f46500b28
SHA1c4312bb4864c8d447c30ebd88734c7f85f7cef6a
SHA2563fe927787dcf7738d0ab6609c39c9f41d220a8e8f92944e39b3b38f897aebf29
SHA512db7cbca4d4f38c30c171a57490ae06780bd785ee3d077e014e96b04efe77cce628243edd2b20f9d71a1d7bf8af2a09dfee744b064a20286da9da7694d51b4cb4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD537445d0e69b5293276efca74d8c286dc
SHA1c59b7a46fb5db623106af4d552ac9f6e0ab64c85
SHA25608fd214fac34cf91ef7421475fd362ec1eaf1d918d05b6f2b61544e5dfcc0dd2
SHA5129216e6e13ef8f3628937d0a1193242770f179ca29aef1b13f91111d8c5c43bd4ce8f5b902bda80a7fdfc92a6729d3a9de76efccc9615149318c8627c958476d4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD52fdfc568e1cc5a14d9360a2a736477a4
SHA137f6a36d10a0c394663071107c2067e64f5423af
SHA2562fbefade676c0cc177dd96b215e2a5d90353cf5c63a695528eac753617970c11
SHA51221ec18f05ab499b9dcd8b491fe59eefbe1775afc8078cd95a1d01f633f27c36f3709dbf67a28516311b84e6e23229a2874fee13e535d1d527b0351c6100ac9c3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.9MB
MD5c23d2701fc5830505ea5396018b22cd7
SHA1d1a34893e880cc7553a2d46473f713620ea40455
SHA25695f69504eecf1d05ec672e8fe8c0f83ab276c98f2a6af700be2351c0d32b63f3
SHA51296c3f53c867b62013539ce2420e88aab48024621c82a2003aa558eb3ab115f0950e6b8efa35d1af291ad1a4054706663bc3b52c037c06407ed2e22199a32a92b
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416
Filesize1KB
MD555540a230bdab55187a841cfe1aa1545
SHA1363e4734f757bdeb89868efe94907774a327695e
SHA256d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb
SHA512c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD54b8b7d833883e6f156e351ecbba17b7f
SHA1f5afcdd5b810c6bf529b34c1bb8280e5ef732a99
SHA25669e565ba7a45cf83c9f4a735282254a0b9aa529041d022b7e3a9d71564ef8116
SHA512802be066aadfa93093d488ad88c1af63fce96476be8beb05616c88ee76344b8d8b3e823026b134fa1295bed6288b136e9b63ba4333c24c0eb23c6e07a3bdb284
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD51a28ce9d4368ee32dfef7190ea6af5cd
SHA187ff52ff0419b76d74fe976b84d2ae0ab57cd525
SHA256058bbc124d70b22f42ca12a7570a5a108811dedc25c127dddbf2b172ab382ebc
SHA5125a701fecbf5d4a621870105fb2b24a9b5991f047dd82e87ccafa0e26b76e6bed065c2254a585355c5f16b33dc19153452ebad92e82d34917e68a693d6be4dbb8
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5814f0b2699af8f5028e1b0a5ea45bbd1
SHA1d57b7007fa61bace4c02c3700d681114b57b9cd8
SHA25683b392ff2a38c8e0c71cc8f8d67aeb6cb360811dfebeb1707fe6208ba3778480
SHA512563ca10840bca4987fc83e6846ecda38f2d1dbf0fd091b518b340a1889a5d4378c602ede86986bdec468b598f1d816094dafd13b244e98206a81d30b81c88483
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD50fb490853cdd57a920890038ae9732eb
SHA10a7aea16696f76dae4a97ca62c9f699e8630c824
SHA2562d520558cd3aa42e180fad1bae3eacca644787436ff5de0dbeadcb218f8d56af
SHA512370eb267a526fac32402614d4bf7a627f2e150d6bf1622e3fc191740a2bec577b4b223a056dc9066d4d640451efc06a2c5e3de850577651a22acb19f8054246b
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD550731efb57d9a4cd441cfd950aadc8a0
SHA16a6876c1dac9c7c4e8cd5953b36d6e2ebd652c4b
SHA256c8bc779db7ee901ec111034382f7a68c7f17a43879a510812bc7f3752f9709a8
SHA512ccdffe6ef630d5ffd4101a71af487585d68e382490dc9ea45f5669d1617ea826c4cc0475eae757f961d0779743b7ea380ebce453a956f064e650580c08895526
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD502ca1d224c2229b51995b31b74ec870f
SHA1e87178b05677122a99f8cdb860cb4e4e488743a7
SHA256101131dba2c02bc09d404b5ef84300788c869673147c45487f2845b6bc38a4fc
SHA5123364d4a20fefd196468aff2c1ab1a88cfb881fe5499acb9314f8a9d8125443626d41ab16679be35790ffba451f6faca1fa08d02b583d1cb68f719519c6a0a66e
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5efb71a1ebe95c9658e349e665024c4d6
SHA140a0bd05571a7dc5e29df9e069e255929879dac4
SHA256b6ea213c06cbbeda91068f9df9910c9eb1a7d4fa5d3e00bd43a201abd6743218
SHA51243bde0e8eda9d19b325c43f5b6bcbe4a8d8673deaf7dc2cd6d50a2687a76c48e943939e4a8e6f59ca17044145d9e14ec17ac0ce027e3f00d3dcf8213961d7fc0
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD535a5a9f277adad9b5f905872ba3f2200
SHA158906418682e6fe688daef8379ef871bc85a1acd
SHA256672c22e3d620032f429c697043d40429e03d8def88afafa0a10bc8077ed23362
SHA5124e4c3e872ade83e8e05c86358b33c3b693d771555cf59f47b514bf36a341700508210a9b27bc8667e76b855f2ceb2e8b4fb6c7193e3ebc90c6385088ad2a74bb
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD570ed5aac97c05bfb3beb2b26636e147d
SHA1cd79041b707071044705da0fe771ba7f27c60f2f
SHA25665ded99700cc2b41e2deac37d82a6ce533ff88d8dd2d6d60555b2941df1c8b4d
SHA5120de947ac87a1f2d426162b0fd9e538f1db9919c4f14a5c9cec252167e2d8b1da925087ae23d7ae022625d09bf3f944854a5c74a13ed694e18273a4d32dda3079
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD55438277fe22d9341d613c1e204cd33aa
SHA1297448c3456c1f0cf6149e6c5be5f7c4cd94e221
SHA256ce9bb8b52b7c2cbc214b2c1b82144a390b0806e47336c2e6317ca5fb607490f2
SHA512af7d339173eb2875d7210a51635affd21c652162b5d9e81dd966862684bedeea27725169346aaa946b53a4340827c5c9739f3e27ad4d2b4a1f037307009372bb
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5df6fafa25e197b657315d6c9c1fa03f6
SHA146c8e921ed618c6587e3febc9f5cab750e3b10e0
SHA256c7d82aeb50344eae6c2386c211b1c9f10f0e86517ee9c466c89fec97f0a7d275
SHA512e0a5d108483d8d66a5d85c8665e0ed3dde100c6b5739d22c105941832e6d3a5b38dc6bf861568ab343e2392a8b5b9b0c42bc65970260bfa9af67def42d6f0e76
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize342B
MD5c458636455a006d0c3b584e07b981495
SHA1075ddbacf1f6cf5d46ca48f88faffec4cfe43ef3
SHA256cd01e7296661752c47e3c21c7f6eb7fd5b124458f2ec7b6536c7e4b676799ee7
SHA512f5aa566ab281b0f82f40d0e7dac3df3f93c9e11c2d20d34defe1999b7bef17efd4b6bfdad07de848e720aa36ed7efb23f141c13e90919a1ddf8e355d788e4ab6
-
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
Filesize242B
MD5226ef2061d51d484b33bd9e475ca427a
SHA1119c040e65f2d63f89c8fb69137f8ffab8fd57a6
SHA256b6bb61d4ff81a1d64ba35def0cb59c66d0f67005c7794edb0c1ee28d5a775092
SHA51251d67d267c922165d85faf88371683eb7d0c8ea8fd7eaf980f2a2694929e34d75106e42c5a8db5a2ac7537a92fda46ce767d63cb1a720a55b4df8d3f9de21a62
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad