Overview

overview

10

Static

static

10

LaudoBombeiro.msi

windows7-x64

10

LaudoBombeiro.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/02/2025, 18:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LaudoBombeiro.msi

  • Size

    2.9MB

  • MD5

    be718005b76304765320e6ecc1cfa44b

  • SHA1

    c23cf852232284dfdf3f988d289c1cd13e4bc5b0

  • SHA256

    c5a9d17efdc7297d5d874e7765073258ffa919829da456101bb6076f5476ac26

  • SHA512

    1355fae59e627f91bb534a7e990e3914650e033eb92b8da79489b185db212a4f9808e019142118bb282ee6ea53fc1d5c9de108b09850d613b45b37f411e0019f

  • SSDEEP

    49152:Z+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:Z+lUlz9FKbsodq0YaH7ZPxMb8tT

Score
10/10
ateraagentdiscoveryexecutionpersistenceprivilege_escalationrat

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

    ratateraagent
  • Ateraagent family
    ateraagent
  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 4 IoCs
  • Downloads MZ/PE file 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 35 IoCs
  • Executes dropped EXE 17 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Loads dropped DLL 32 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 31 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
    defense_evasionspywaretrojan
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\LaudoBombeiro.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2996
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:116
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4520
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding D2EF220CC40DD550DA3AA5298C96D670
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2760
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIBD45.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240631187 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4256
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIBF1B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240631578 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2056
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSICA37.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240634421 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:5008
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSID837.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240638062 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2840
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 579360937AF0CB90D264C92847C2FABF E Global\MSI0000
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4832
        • C:\Windows\SysWOW64\NET.exe
          "NET" STOP AteraAgent
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1556
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 STOP AteraAgent
            4⤵
            • System Location Discovery: System Language Discovery
            PID:2004
        • C:\Windows\SysWOW64\TaskKill.exe
          "TaskKill.exe" /f /im AteraAgent.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:3192
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000QKxOLIA1" /AgentId="6cb65ce2-b4fe-42b0-835f-7b23919d3e1c"
        2⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:4072
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4756
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
      1⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4260
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
        2⤵
        • Launches sc.exe
        PID:2516
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "b84720d2-b455-49fc-8e06-486d51fbcbf5" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QKxOLIA1
        2⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:1140
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "efd4cfe5-2f95-4f8c-b42b-35b18044ed14" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000QKxOLIA1
        2⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3804
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"
          3⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:560
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:728
          • C:\Windows\system32\cscript.exe
            cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
            4⤵
            • Modifies data under HKEY_USERS
            PID:540
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "260cd8fd-f690-4948-8cc8-4ba63ed304ef" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000QKxOLIA1
        2⤵
        • Executes dropped EXE
        PID:2136
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "8f45afdd-c645-4914-9f07-d5711b58cb60" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000QKxOLIA1
        2⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2232
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "a7aeec44-92b4-4d64-bfe7-23359002ea2e" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOjMsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000QKxOLIA1
        2⤵
        • Downloads MZ/PE file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2940
    • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7Mzg1M0I4NzctQUFDOS00MEExLTk5NTctQjYxQ0E5M0ZGNDE4fSIgdXNlcmlkPSJ7QjI2N0M5RTQtQjJBOS00QUIyLUEwMEYtQTFFMEVDN0VFQUE1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QTcyRjc5RDMtN0ZGQS00Nzk4LUFCMDktQzhCREJGNUMyRDFDfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIzIiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4MzAiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTE0Njg3NjAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjI2NzM0MzU3Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
      1⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      PID:3352
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
      1⤵
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5040
      • C:\Windows\System32\sc.exe
        "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
        2⤵
        • Launches sc.exe
        PID:760
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "90bedded-6c3b-4568-a4dd-b95cd10d8a09" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QKxOLIA1
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:3244
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "d24b90fc-173f-4c11-b80c-67bf2fdd10d3" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000QKxOLIA1
        2⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"
          3⤵
          • Drops file in System32 directory
          • Command and Scripting Interpreter: PowerShell
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          PID:1764
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1032
          • C:\Windows\system32\cscript.exe
            cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
            4⤵
            • Modifies data under HKEY_USERS
            PID:2304
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "474099b7-1e65-4edb-90a1-ccb678020094" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000QKxOLIA1
        2⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        PID:5116
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "90b46048-522f-4fca-9b88-930efa020589" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QKxOLIA1
        2⤵
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2128
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "9b7c526c-2cce-4ea7-9e0c-09500d44db8c" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QKxOLIA1
        2⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:916
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "6cccee38-a633-4fec-a28d-e124f7112e59" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000QKxOLIA1
        2⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        PID:2024
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "5b94710f-e907-4252-8574-7177c881a31d" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QKxOLIA1
        2⤵
        • Executes dropped EXE
        PID:3148
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "21601ff1-70be-4330-9d45-53de74a96c9b" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000QKxOLIA1
        2⤵
        • Drops file in Program Files directory
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        PID:2852
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe" 6cb65ce2-b4fe-42b0-835f-7b23919d3e1c "7cb88560-f169-4338-849f-2f20dda9428e" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIyZ2V0LWluc3RhbGxlZC1zb2Z0d2FyZVx1MDAyMn0ifQ==" 001Q300000QKxOLIA1
        2⤵
        • Executes dropped EXE
        PID:1292

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e57bcb9.rbs
      Filesize

      8KB

      MD5

      cb4619b8ab358d0bb754a4b7a67b5434

      SHA1

      e74d1aa851bfeb323ffbb4fc0f88e21b39b88a8c

      SHA256

      97629c90dbca092c8c15ebe199865a5da21d2802da27bfd18a8d50606364cf7a

      SHA512

      d9aa00fe2fa31d87a308990595467832195c43c3530e70aee2b9126a7b0ff98ff378d9c984a469cb745c309d58c1d186001541d6b2eda5cc5ca358bd3f7879c7

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      Filesize

      142KB

      MD5

      477293f80461713d51a98a24023d45e8

      SHA1

      e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

      SHA256

      a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

      SHA512

      23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config
      Filesize

      1KB

      MD5

      b3bb71f9bb4de4236c26578a8fae2dcd

      SHA1

      1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

      SHA256

      e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

      SHA512

      fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
      Filesize

      210KB

      MD5

      c106df1b5b43af3b937ace19d92b42f3

      SHA1

      7670fc4b6369e3fb705200050618acaa5213637f

      SHA256

      2b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68

      SHA512

      616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
      Filesize

      693KB

      MD5

      2c4d25b7fbd1adfd4471052fa482af72

      SHA1

      fd6cd773d241b581e3c856f9e6cd06cb31a01407

      SHA256

      2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7

      SHA512

      f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
      Filesize

      146KB

      MD5

      8d477b63bc5a56ae15314bda8dea7a3a

      SHA1

      3ca390584cd3e11172a014784e4c968e7cbb18f5

      SHA256

      9eec91cdd39cbb560ad5b1d063df67088f412da4b851ae41e71304fb8a444293

      SHA512

      44e3d91ad96b4cb919c06ccb91d3c3e31165b2412e1d78bfbaca0bee6f0c1a3253b3e3ddf19009cebf12c261a0392f6a0b7091cf8aba1d0cc4c1ed61c1b6dc42

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe
      Filesize

      145KB

      MD5

      34fb1cc6c04a783aaa6ec8e9786e54f7

      SHA1

      6c573b0c0f4e0eb1fb0a2628fd199c08b642cbfe

      SHA256

      f314b3f018b4969637757a885dc9c86fb244946cd3dc079378fdcceb92131d2f

      SHA512

      d89764f540bb3230b6ea65a042a901a17f0586346c7c96c844f624b16766f30ea4e4bc961b473d3a4d00e32f6d1d582d64e18e19de2db35c38722f5fd422deb9

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
      Filesize

      145KB

      MD5

      2b9beb2fdbc41afc48d68d32ef41dd08

      SHA1

      4a9ea4cf8e02e34ef2dd0ef849ffc0cd9ea6f91c

      SHA256

      977d48979e30a146417937d7e11b26334edec2abddfae1369a9c4348e34857b1

      SHA512

      3e3c3e39ff2df0d1ed769e6c5acba6f7c5d2737d3c426fb4f0e19f3cf6c604707155917584e454a3f208524ed46766b7a3d2d861fa7419f8258c3b6022238e10

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
      Filesize

      12B

      MD5

      1e065e191e89cc811ff49c96fa8fa5e6

      SHA1

      bc50ff2a20a8b83683583684fcac640a91689ed4

      SHA256

      d88faf6d47342587ea5fbcaf2ef88fb403f7fcdc08fcab67d4f4f381c237a61e

      SHA512

      5a710e168316c30ca10f7b126e870621f46cca6200e206a9984d144abd11fea045bc475599b18597bbed1e4f00e832d94576837f643b22ffaee56871629290dd

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Filesize

      247KB

      MD5

      aa5cf64d575b7544eefd77f256c4dc57

      SHA1

      bd23989db4f9af0aae34d032e817d802c06ca5a9

      SHA256

      79c5afd94d0ffa3519a90e691a6d47f9c2eec93277f7d369aa34e64b171fc920

      SHA512

      774aeb5188c536d556a8c7a0cd3dfd9ab22d7bc0ad13353d11c9153232585da352552a69eb967a741372a99db490df355a5a47696b2ea446582c834c963cfeff

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
      Filesize

      546B

      MD5

      158fb7d9323c6ce69d4fce11486a40a1

      SHA1

      29ab26f5728f6ba6f0e5636bf47149bd9851f532

      SHA256

      5e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21

      SHA512

      7eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
      Filesize

      94KB

      MD5

      c69c7690482c75a8fc70df2990d7afc6

      SHA1

      79d72d32a03151823bbf0953d5c2ce6bc2bde4b1

      SHA256

      580415595e5936d5f3945e9eeee63f6f4dbacd327aa46e2b7625b638715c27f5

      SHA512

      ed80ade3519345552ca74958efc9c122de840d2844baa08c94400f15168b6fc25377628a55ed12488ea790aaa40bc5bb77b6586de4f1ecd296902bbe36fba4f4

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
      Filesize

      688KB

      MD5

      111e2e63bccead95bb5ffc53c9282070

      SHA1

      eaae7df21e291aa089bc101b1e265ca202be1225

      SHA256

      9615fe5fe63c48b13ffd8c9bc76170a9ed1cfea6a3d0901e857a1c6c6edaea76

      SHA512

      ffc818615fb30e24633c90b8f5a55c100b5f307414ec54e5a2914bb4ea36d3fb3aa6ed0e5815976a2f6d1b7f056e7da1f108a8eed81b458decebe721ad30b920

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
      Filesize

      27KB

      MD5

      797c9554ec56fd72ebb3f6f6bef67fb5

      SHA1

      40af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb

      SHA256

      7138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49

      SHA512

      4f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
      Filesize

      214KB

      MD5

      01807774f043028ec29982a62fa75941

      SHA1

      afc25cf6a7a90f908c0a77f2519744f75b3140d4

      SHA256

      9d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e

      SHA512

      33bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
      Filesize

      37KB

      MD5

      efb4712c8713cb05eb7fe7d87a83a55a

      SHA1

      c94d106bba77aecf88540807da89349b50ea5ae7

      SHA256

      30271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75

      SHA512

      3594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
      Filesize

      397KB

      MD5

      99f67d47a8dbdee98407885a1ac58e7c

      SHA1

      3cb9d10a8e6ed1acfa802045aca6e931ba7a8759

      SHA256

      0aa983060464d62b3da159e533769e8440612e3ec23fb8eff4fc52a0d79cc00e

      SHA512

      1a0779480bc3e268882d99206f621ea0feb9548df362f1920b793804fbbbf3fc530e263f0307f3cacbc8af54fd503f3f15b967a1464facd273c16bbbb56a27ab

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
      Filesize

      70KB

      MD5

      e9b3a59f67febdd7f8fbe68d71c5d0ab

      SHA1

      22bd3ec3f8e0be2f317ade9d553acdb3ea11f52e

      SHA256

      bff4de54dacec104e1e63659857ca99d3e9658dcc09d6e1cbf54dc7b22629cbf

      SHA512

      00e95ea600777025a30e23c755522b869320ca445ac5bd74f123306457d0793efa338220cba9d064e5d25cc3dcf19d66e4e48d3a1c72d196eeb77fb61e4b0688

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
      Filesize

      32KB

      MD5

      80eb4e033338fa114a4d010e9ce0b195

      SHA1

      f907ba4231bd21ac056375f23a36be648f5b2ba7

      SHA256

      b82e5dfecd3118dca11c86bf7829205fe3e5fcf0eeb57e1999e2fd2f9bd63d52

      SHA512

      26d4096f8c9652ea4e3920dc67144a082e069e22b85504f64f15b47f5106ef1df0601bdd7e0c34f4f534d920a520872847e6d57bc985f6e20636a26e0f7acb20

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
      Filesize

      588KB

      MD5

      17d74c03b6bcbcd88b46fcc58fc79a0d

      SHA1

      bc0316e11c119806907c058d62513eb8ce32288c

      SHA256

      13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

      SHA512

      f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

      Download Submit

    • C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt
      Filesize

      217B

      MD5

      d163c56201ae70e5dc49bc53a03c2103

      SHA1

      010b4727aa04e6288cf2950517a93a1309dfd1ab

      SHA256

      423e1190385db82d7a7001e2b67c3203bfe0facb6a1673fb9bc12ca9c6f55980

      SHA512

      9103324dc23234304b3bdd6120f05e94857fcceb822c72baf7308ae26eee947680faf67eda0a5c0e80771f0a4227e038d6fcca3b1a26e2a0cfb19b358ac60b84

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC
      Filesize

      727B

      MD5

      03a77a9890bd7185289d5d73a9f98f6e

      SHA1

      81b7840f5d20d96a8dc5353cdede82dffee080e2

      SHA256

      65e203755653a53a894dc3c953d8a807745d4f0b3b6d1531971f0b08522df0d4

      SHA512

      056c25fc9a828a5e548a84946aa196b85a34a6f546f466d718c11a53afd63981da70314a4c761eddef1c6f1bd2d7e9f909a794022c92fcf272c499e76407deef

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC
      Filesize

      412B

      MD5

      f9cf079a7feb83f6717677b509e97b73

      SHA1

      59fc218f655e2f6a30fe4ada33b9ded85521e183

      SHA256

      e0a9c75119490fa0a6c04fea16e3307e77d19215bd6831218e7d04fc212bf5ce

      SHA512

      fc8435c70f28770722225f927d1a02d985c71210fb739840561035fc5fd1c5a58e2b3905b501fc771042f55dc80106022a7172929d20fdfac9593ff26a56c824

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
      Filesize

      651B

      MD5

      9bbfe11735bac43a2ed1be18d0655fe2

      SHA1

      61141928bb248fd6e9cd5084a9db05a9b980fb3a

      SHA256

      549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74

      SHA512

      a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483

      Download Submit

    • C:\Windows\Installer\MSIBD45.tmp
      Filesize

      509KB

      MD5

      88d29734f37bdcffd202eafcdd082f9d

      SHA1

      823b40d05a1cab06b857ed87451bf683fdd56a5e

      SHA256

      87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

      SHA512

      1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

      Download Submit

    • C:\Windows\Installer\MSIBD45.tmp-\AlphaControlAgentInstallation.dll
      Filesize

      25KB

      MD5

      aa1b9c5c685173fad2dabebeb3171f01

      SHA1

      ed756b1760e563ce888276ff248c734b7dd851fb

      SHA256

      e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

      SHA512

      d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

      Download Submit

    • C:\Windows\Installer\MSIBD45.tmp-\Microsoft.Deployment.WindowsInstaller.dll
      Filesize

      179KB

      MD5

      1a5caea6734fdd07caa514c3f3fb75da

      SHA1

      f070ac0d91bd337d7952abd1ddf19a737b94510c

      SHA256

      cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

      SHA512

      a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

      Download Submit

    • C:\Windows\Installer\MSIBF1B.tmp-\CustomAction.config
      Filesize

      1KB

      MD5

      bc17e956cde8dd5425f2b2a68ed919f8

      SHA1

      5e3736331e9e2f6bf851e3355f31006ccd8caa99

      SHA256

      e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

      SHA512

      02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

      Download Submit

    • C:\Windows\Installer\MSIBF1B.tmp-\Newtonsoft.Json.dll
      Filesize

      695KB

      MD5

      715a1fbee4665e99e859eda667fe8034

      SHA1

      e13c6e4210043c4976dcdc447ea2b32854f70cc6

      SHA256

      c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

      SHA512

      bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

      Download Submit

    • C:\Windows\Installer\MSICB62.tmp
      Filesize

      211KB

      MD5

      a3ae5d86ecf38db9427359ea37a5f646

      SHA1

      eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

      SHA256

      c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

      SHA512

      96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

      Download Submit

    • C:\Windows\Installer\e57bcb8.msi
      Filesize

      2.9MB

      MD5

      be718005b76304765320e6ecc1cfa44b

      SHA1

      c23cf852232284dfdf3f988d289c1cd13e4bc5b0

      SHA256

      c5a9d17efdc7297d5d874e7765073258ffa919829da456101bb6076f5476ac26

      SHA512

      1355fae59e627f91bb534a7e990e3914650e033eb92b8da79489b185db212a4f9808e019142118bb282ee6ea53fc1d5c9de108b09850d613b45b37f411e0019f

      Download Submit

    • C:\Windows\Temp\__PSScriptPolicyTest_vrub0lwz.b5w.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
      Filesize

      727B

      MD5

      17c3144b951201b5c7ba287c302e30db

      SHA1

      aae8469d67066d1def775b7e2a24de2ff312c642

      SHA256

      347c70bbd5ac08ce5107a28597033c075b518d1404703dfdc2043cc36ab56c00

      SHA512

      088550c13e80ebf16b4bb542a0a3ba1df2c9d3a98008b293accd1a1aa4019c0917bb970d8b349afd9fb365c892107251d5aea5f16d27bb18c582545ebd64a6c6

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
      Filesize

      727B

      MD5

      d7909c7cd997af5e26a89920cd8b320a

      SHA1

      058e556bd3abd9b117a6a159f1f9baef60ba9bc5

      SHA256

      45c8301f0b9cd3c3a363ce79b38d3b1488eab1ab81782ec375a16101ed7e740b

      SHA512

      03c41ce3220fd87e22911ee5a4571bc374eb4f93871c39fd4419b91b4ed110cdcedb6138e652ba7d5937573bee5fa7d18346692c4be779210d31d0d50d3f0256

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
      Filesize

      404B

      MD5

      3a5079ddea616bea09f0eaecf062cb8c

      SHA1

      e39e9e3d609205e2a163cf2fcd1739594b089f26

      SHA256

      d8232111e4d760a6b18f1bfcd17994d3ce8a802e7149997d5b4300d914c67d41

      SHA512

      cdd9d17c2007b1612341cd3cd4b0e500c5dfcf82de13b7f44ca5c8d56ed81a72f14bc7d96df5ea8e3c7e958be44f2378dd06ce93969d75f46bd14c40f8fc547b

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
      Filesize

      412B

      MD5

      b0f79c989acf35e2385e185b7dd6cb1c

      SHA1

      822485203a4de0030521a419f2fe5c171842d329

      SHA256

      680aaee6f44481ce945aa5086f2edf5239a3ce0af4b63f1af5e91a74cf48fba8

      SHA512

      61041ea07e373ac88b8b1f00cf6922acc8111f908399eaaea51a1d23c96a068a7f164a9d820a545babb3f51b1fec01ee4f3d2d5f21d1ba986f781f368a68ee3a

      Download Submit

    • C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
      Filesize

      1KB

      MD5

      9cad061ddf5ad182cfe7879190aeed71

      SHA1

      cfd292d16d937f95b642527464403b7e5ef6af96

      SHA256

      b2d273fa926ebf6946e69e8808ad332db42bc65f449748082e088aa732e408ca

      SHA512

      df517d66358f441a7c4c690cd90e214f18d490e3de767dd76164effaa179b1dd865a0056d68ce3ab6aee55917465c7f39146e7694b1ac475fcc95c280fb29e92

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      a732a548d4368ea8f403cc3164578782

      SHA1

      d50ca0ae365870fe7d3fff4169a0e8166c1b2989

      SHA256

      4d33d864abe654a8f77bd5636b30f5bed3d6891b35d6cd801f9a8b26a73c1819

      SHA512

      b0517489bda8cda993d64fd9eba6ddd5d0f8dea87fdd970f6e8ad3f93c5d62d09380fd555c8a2dac9204e60409ba2404911d1d1192b7b989fd3b17cf64153741

      Download Submit

    • \??\Volume{dd488ace-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{87749309-5d40-49ed-a7bc-0339636b98a2}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      3c462a30800e49743541b0268955fcd9

      SHA1

      d3236c1f8973c966a05afcfc3b925795664e715f

      SHA256

      f2acbf3b0d74827534e6f4cdabfc54a597af5e43c1b1a59bb72b3eb3034a7ea8

      SHA512

      7c6e37189d7e941a0fa2d81e01b1ad9849fa40c5114e2f48ba3123e71dc5fe899e8c9f9feb1e2302f1b9fbac40d49a59fa4381327fdfb520da593555abe9c98a

      Download Submit

    • memory/916-535-0x0000020C526C0000-0x0000020C52BE8000-memory.dmp

      Filesize

      5.2MB

      Download

    • memory/916-525-0x0000020C51F70000-0x0000020C52022000-memory.dmp

      Filesize

      712KB

      Download

    • memory/916-523-0x0000020C38D90000-0x0000020C38D9A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/916-524-0x0000020C395D0000-0x0000020C395EA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/1140-267-0x00000287E43D0000-0x00000287E43EC000-memory.dmp

      Filesize

      112KB

      Download

    • memory/1140-265-0x00000287FCC70000-0x00000287FCD20000-memory.dmp

      Filesize

      704KB

      Download

    • memory/1140-262-0x00000287E3B30000-0x00000287E3B72000-memory.dmp

      Filesize

      264KB

      Download

    • memory/2024-559-0x000001A7B0040000-0x000001A7B008A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/2024-561-0x000001A7B02A0000-0x000001A7B0350000-memory.dmp

      Filesize

      704KB

      Download

    • memory/2024-560-0x000001A7978F0000-0x000001A79790C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2024-558-0x000001A796F80000-0x000001A796F8C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2024-562-0x000001A7B0430000-0x000001A7B050C000-memory.dmp

      Filesize

      880KB

      Download

    • memory/2024-563-0x000001A7B01F0000-0x000001A7B020C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2056-66-0x0000000004700000-0x00000000047B2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2056-70-0x00000000047C0000-0x0000000004B14000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2056-69-0x0000000004690000-0x00000000046B2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2128-496-0x0000028C1CE20000-0x0000028C1CE5A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2128-756-0x0000028C35F80000-0x0000028C35F90000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2128-759-0x0000028C36370000-0x0000028C36398000-memory.dmp

      Filesize

      160KB

      Download

    • memory/2128-503-0x0000028C35FD0000-0x0000028C36018000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2128-500-0x0000028C1D710000-0x0000028C1D72C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2128-499-0x0000028C36070000-0x0000028C36122000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2232-332-0x000002429A540000-0x000002429A58A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/2232-338-0x00000242B3090000-0x00000242B316C000-memory.dmp

      Filesize

      880KB

      Download

    • memory/2232-333-0x000002429A510000-0x000002429A52C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2232-334-0x00000242B2E10000-0x00000242B2E5C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2232-335-0x00000242B2E60000-0x00000242B2EA8000-memory.dmp

      Filesize

      288KB

      Download

    • memory/2232-336-0x000002429A530000-0x000002429A538000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2232-337-0x000002429A6B0000-0x000002429A6BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2232-347-0x00000242B3320000-0x00000242B335A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2232-339-0x00000242B3170000-0x00000242B3222000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2232-341-0x00000242B2FE0000-0x00000242B2FE8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2232-340-0x00000242B2FD0000-0x00000242B2FD8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2232-331-0x0000024299C70000-0x0000024299CD8000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2232-348-0x00000242B3000000-0x00000242B3026000-memory.dmp

      Filesize

      152KB

      Download

    • memory/2232-346-0x00000242B3030000-0x00000242B305A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2232-344-0x00000242B3230000-0x00000242B3298000-memory.dmp

      Filesize

      416KB

      Download

    • memory/2232-343-0x00000242B2FF0000-0x00000242B2FF8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2940-404-0x000002BA420F0000-0x000002BA4210C000-memory.dmp

      Filesize

      112KB

      Download

    • memory/2940-403-0x000002BA5AA70000-0x000002BA5AB22000-memory.dmp

      Filesize

      712KB

      Download

    • memory/2940-402-0x000002BA41890000-0x000002BA418A6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/4072-154-0x000002A293240000-0x000002A293252000-memory.dmp

      Filesize

      72KB

      Download

    • memory/4072-155-0x000002A2932C0000-0x000002A2932FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/4072-138-0x000002A291690000-0x000002A2916B8000-memory.dmp

      Filesize

      160KB

      Download

    • memory/4072-150-0x000002A2ABD90000-0x000002A2ABE28000-memory.dmp

      Filesize

      608KB

      Download

    • memory/4256-33-0x0000000002CD0000-0x0000000002CDC000-memory.dmp

      Filesize

      48KB

      Download

    • memory/4256-29-0x0000000002C80000-0x0000000002CAE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/4260-233-0x000002574B280000-0x000002574B2B8000-memory.dmp

      Filesize

      224KB

      Download

    • memory/4260-187-0x000002574AC90000-0x000002574AD42000-memory.dmp

      Filesize

      712KB

      Download

    • memory/4260-191-0x000002574AD80000-0x000002574ADA2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/5008-100-0x0000000004990000-0x00000000049F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/5116-470-0x000002597E540000-0x000002597E560000-memory.dmp

      Filesize

      128KB

      Download

    • memory/5116-469-0x000002597EF00000-0x000002597EFB2000-memory.dmp

      Filesize

      712KB

      Download

    • memory/5116-468-0x000002597E520000-0x000002597E538000-memory.dmp

      Filesize

      96KB

      Download

    • memory/5116-467-0x000002597DCD0000-0x000002597DCDC000-memory.dmp

      Filesize

      48KB

      Download