67158ec3e3edcaff528ce829517c6ab20095b2dda6a3f60a5ebf53025d116040

Analysis

max time kernel
134s
max time network
147s
platform
windows7_x64
resource
win7v20210410
submitted
09-07-2021 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dike_Infocert_upgrade.msi
Size

628KB
MD5

0162581e46cffb64d7c8c90c4134695b
SHA1

5af1b43c0264814e030b0b0116a9cf998d1ce8ca
SHA256

67158ec3e3edcaff528ce829517c6ab20095b2dda6a3f60a5ebf53025d116040
SHA512

13acfccd5022f4cbb6d4e4b9a6d8ca8ef2d919a4b67c5e196f4ed62d387dadd460594cbc42761f8e48a32f1a184df5c5fea6857ea1f61f251ce301877eccdb2c

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

2 1100 msiexec.exe
4 1100 msiexec.exe
6 1100 msiexec.exe
Downloads MZ/PE file

flow	pid	process
2	1100	msiexec.exe
4	1100	msiexec.exe
6	1100	msiexec.exe

Executes dropped EXE 23 IoCs

Processes:

AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAgentPackageUpgradeAgent.exeAgentPackageAgentInformation.exeAgentPackageSTRemote.exeAgentPackageTicketing.exeAgentPackageInternalPoller.exeAgentPackageWindowsUpdate.exeAgentPackageHeartbeat.exeAgentPackageUpgradeAgent.exeAgentPackageProgramManagement.exeAgentPackageADRemote.exeAgentPackageNetworkDiscovery.exeAgentPackageMonitoring.exeAgentPackageTaskScheduler.exeSplashtopStreamer3360.exeAgentPackageInternalPoller.exePreVerCheck.exeAteraAgent.exeAteraAgent.exeAteraAgent.exe

pid	process
1348	AteraAgent.exe
1216	AteraAgent.exe
2408	AgentPackageAgentInformation.exe
2636	AgentPackageAgentInformation.exe
3008	AgentPackageUpgradeAgent.exe
3024	AgentPackageAgentInformation.exe
2060	AgentPackageSTRemote.exe
1228	AgentPackageTicketing.exe
1740	AgentPackageInternalPoller.exe
820	AgentPackageWindowsUpdate.exe
2696	AgentPackageHeartbeat.exe
2724	AgentPackageUpgradeAgent.exe
2848	AgentPackageProgramManagement.exe
2492	AgentPackageADRemote.exe
2880	AgentPackageNetworkDiscovery.exe
1620	AgentPackageMonitoring.exe
2604	AgentPackageTaskScheduler.exe
2112	SplashtopStreamer3360.exe
1600	AgentPackageInternalPoller.exe
1580	PreVerCheck.exe
2664	AteraAgent.exe
2740	AteraAgent.exe
1076	AteraAgent.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeSplashtopStreamer3360.exeMsiExec.exe

pid process

768 MsiExec.exe
2112 SplashtopStreamer3360.exe
2860 MsiExec.exe
2860 MsiExec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
768	MsiExec.exe
2112	SplashtopStreamer3360.exe
2860	MsiExec.exe
2860	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

AgentPackageMonitoring.exe

description ioc process

File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe

Drops file in System32 directory 19 IoCs

Processes:

AteraAgent.exeAteraAgent.exeAgentPackageTaskScheduler.exeAgentPackageTicketing.exeAgentPackageHeartbeat.exeAteraAgent.exeAteraAgent.exeAgentPackageNetworkDiscovery.exe

description	ioc	process
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\4a162b8d983d320e924d72c821ba56c86a77646dc1e4d854d910900b98964df9\cu2bmik1.tdi	AgentPackageTaskScheduler.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	AgentPackageTicketing.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AgentPackageHeartbeat.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A4D93321211DF6EB063AE7C571FBD27	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A4D93321211DF6EB063AE7C571FBD27	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\4a162b8d983d320e924d72c821ba56c86a77646dc1e4d854d910900b98964df9\5v30bq4u.4b1	AgentPackageTaskScheduler.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	AgentPackageTicketing.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AgentPackageTicketing.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\cc46fabb156b92451cd150d9a4e4394c7c8661377bbe44785a20f5bc4406f53f\bac2py35.qml	AgentPackageNetworkDiscovery.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\cc46fabb156b92451cd150d9a4e4394c7c8661377bbe44785a20f5bc4406f53f\d1e2iven.dqy	AgentPackageNetworkDiscovery.exe

Drops file in Program Files directory 64 IoCs

Processes:

AgentPackageUpgradeAgent.exeAteraAgent.exeAgentPackageInternalPoller.exeAgentPackageMonitoring.exeAgentPackageProgramManagement.exemsiexec.exeAgentPackageAgentInformation.exeAgentPackageTicketing.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe	AgentPackageUpgradeAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\AgentPackageNetworkDiscovery.ini	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\http.cfg.bak	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\Microsoft.ApplicationInsights.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\pcach.cch	AgentPackageProgramManagement.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\StructureMap.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\generic.cfg.bak	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe	AteraAgent.exe
File created	C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll	AteraAgent.exe
File created	C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\res.cch	AgentPackageAgentInformation.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\log4net.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\ApplicationInsights.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\Microsoft.AI.WindowsServer.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.exe	AgentPackageUpgradeAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebEngine.dll	AgentPackageTicketing.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\Atera.AgentPackages.ModelsV3.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.sys	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\AteraAgent.InstallState	AgentPackageUpgradeAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\generic.cfg	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\Microsoft.AI.DependencyCollector.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\snmp.cfg.bak	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll	AgentPackageTicketing.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\Microsoft.AI.PerfCounterCollector.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\servers.cfg	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll	AteraAgent.exe

Drops file in Windows directory 23 IoCs

Processes:

msiexec.exeDrvInst.exeAgentPackageWindowsUpdate.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI2B95.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f742978.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17EE.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f742971.msi	msiexec.exe
File created	C:\Windows\Installer\f742975.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f742975.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI17EF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f742972.ipi	msiexec.exe
File created	C:\Windows\Installer\f742974.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF637.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI2BA5.tmp	msiexec.exe
File opened for modification	C:\Windows\WindowsUpdate.log	AgentPackageWindowsUpdate.exe
File created	C:\Windows\Installer\f742978.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6F3.tmp	msiexec.exe
File created	C:\Windows\Installer\f74297f.ipi	msiexec.exe
File created	C:\Windows\Installer\f742981.msi	msiexec.exe
File created	C:\Windows\Installer\f742971.msi	msiexec.exe
File created	C:\Windows\Installer\f742972.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\f74297f.ipi	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3008 taskkill.exe

pid	process
3008	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

AteraAgent.execscript.exeAgentPackageProgramManagement.exemsiexec.exeAgentPackageAgentInformation.exeAgentPackageMonitoring.exeDrvInst.exeAgentPackageInternalPoller.exeAgentPackageAgentInformation.exeAgentPackageInternalPoller.exeAgentPackageAgentInformation.exeAgentPackageSTRemote.exeAgentPackageUpgradeAgent.exemsiexec.exeAgentPackageADRemote.exeAteraAgent.exeAgentPackageWindowsUpdate.exeAgentPackageTicketing.exeSplashtopStreamer3360.exeAteraAgent.exeAgentPackageHeartbeat.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AgentPackageProgramManagement.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\SessionHash = 022543b1a8e51a3a92ced7b90e5ae836b54b0ec87ced9fb838180114d7f46beb	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AgentPackageMonitoring.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageMonitoring.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AgentPackageInternalPoller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageUpgradeAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AgentPackageMonitoring.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AgentPackageMonitoring.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000	msiexec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\RegProcsHash = c687a12e734220f32b20a104cdcda4bdb25e1b361e89bbbd4a5e45b9b9240838	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	AgentPackageADRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AgentPackageADRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AgentPackageWindowsUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AgentPackageTicketing.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AgentPackageTicketing.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SplashtopStreamer3360.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageWindowsUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AgentPackageADRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	AgentPackageUpgradeAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AgentPackageProgramManagement.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 740600003014b09bbf74d701	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AgentPackageADRemote.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\qagentrt.dll,-10 = "System Health Authentication"	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	AgentPackageTicketing.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AgentPackageWindowsUpdate.exe

Modifies registry class 49 IoCs

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75E43F6C44CA62A4B8A085EC5A6E27F5\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\ProductName = "AteraAgent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\PackageCode = "092986D2763A7454DAE1C5203567BF36"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\Version = "17301504"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\952F5A04351AD264AB6E4D1D085CBF9D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\PackageName = "Dike_Infocert_upgrade.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\952F5A04351AD264AB6E4D1D085CBF9D	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Net	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\SourceList\Net\1 = "C:\\Windows\\TEMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\952F5A04351AD264AB6E4D1D085CBF9D\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\DeploymentFlags = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\Clients = 3a0000000000	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\75E43F6C44CA62A4B8A085EC5A6E27F5	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\Version = "17301504"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\952F5A04351AD264AB6E4D1D085CBF9D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\PackageCode = "3B6DC62DA6DC30A4A9459C5225CF1DAD"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\75E43F6C44CA62A4B8A085EC5A6E27F5	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\75E43F6C44CA62A4B8A085EC5A6E27F5\SourceList\PackageName = "Setupx64.msi"	msiexec.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

AteraAgent.exeAgentPackageSTRemote.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	AgentPackageSTRemote.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AgentPackageSTRemote.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeAteraAgent.exeAgentPackageInternalPoller.exeAgentPackageUpgradeAgent.exeAgentPackageSTRemote.exeAgentPackageTaskScheduler.exeAgentPackageNetworkDiscovery.exemsiexec.exe

pid	process
1652	msiexec.exe
1652	msiexec.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1216	AteraAgent.exe
1740	AgentPackageInternalPoller.exe
2724	AgentPackageUpgradeAgent.exe
2060	AgentPackageSTRemote.exe
2604	AgentPackageTaskScheduler.exe
2604	AgentPackageTaskScheduler.exe
2880	AgentPackageNetworkDiscovery.exe
2880	AgentPackageNetworkDiscovery.exe
2724	AgentPackageUpgradeAgent.exe
2724	AgentPackageUpgradeAgent.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
1652	msiexec.exe
2880	AgentPackageNetworkDiscovery.exe
2880	AgentPackageNetworkDiscovery.exe
2880	AgentPackageNetworkDiscovery.exe
2188	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe
2188	msiexec.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

460
460

pid	process
460
460

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exe

description	pid	process
Token: SeShutdownPrivilege	1100	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1100	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeSecurityPrivilege	1652	msiexec.exe
Token: SeCreateTokenPrivilege	1100	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1100	msiexec.exe
Token: SeLockMemoryPrivilege	1100	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1100	msiexec.exe
Token: SeMachineAccountPrivilege	1100	msiexec.exe
Token: SeTcbPrivilege	1100	msiexec.exe
Token: SeSecurityPrivilege	1100	msiexec.exe
Token: SeTakeOwnershipPrivilege	1100	msiexec.exe
Token: SeLoadDriverPrivilege	1100	msiexec.exe
Token: SeSystemProfilePrivilege	1100	msiexec.exe
Token: SeSystemtimePrivilege	1100	msiexec.exe
Token: SeProfSingleProcessPrivilege	1100	msiexec.exe
Token: SeIncBasePriorityPrivilege	1100	msiexec.exe
Token: SeCreatePagefilePrivilege	1100	msiexec.exe
Token: SeCreatePermanentPrivilege	1100	msiexec.exe
Token: SeBackupPrivilege	1100	msiexec.exe
Token: SeRestorePrivilege	1100	msiexec.exe
Token: SeShutdownPrivilege	1100	msiexec.exe
Token: SeDebugPrivilege	1100	msiexec.exe
Token: SeAuditPrivilege	1100	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1100	msiexec.exe
Token: SeChangeNotifyPrivilege	1100	msiexec.exe
Token: SeRemoteShutdownPrivilege	1100	msiexec.exe
Token: SeUndockPrivilege	1100	msiexec.exe
Token: SeSyncAgentPrivilege	1100	msiexec.exe
Token: SeEnableDelegationPrivilege	1100	msiexec.exe
Token: SeManageVolumePrivilege	1100	msiexec.exe
Token: SeImpersonatePrivilege	1100	msiexec.exe
Token: SeCreateGlobalPrivilege	1100	msiexec.exe
Token: SeBackupPrivilege	420	vssvc.exe
Token: SeRestorePrivilege	420	vssvc.exe
Token: SeAuditPrivilege	420	vssvc.exe
Token: SeBackupPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1888	DrvInst.exe
Token: SeRestorePrivilege	1888	DrvInst.exe
Token: SeRestorePrivilege	1888	DrvInst.exe
Token: SeRestorePrivilege	1888	DrvInst.exe
Token: SeRestorePrivilege	1888	DrvInst.exe
Token: SeRestorePrivilege	1888	DrvInst.exe
Token: SeRestorePrivilege	1888	DrvInst.exe
Token: SeLoadDriverPrivilege	1888	DrvInst.exe
Token: SeLoadDriverPrivilege	1888	DrvInst.exe
Token: SeLoadDriverPrivilege	1888	DrvInst.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe
Token: SeTakeOwnershipPrivilege	1652	msiexec.exe
Token: SeRestorePrivilege	1652	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

1100 msiexec.exe
1100 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SplashtopStreamer3360.exe

pid process

2112 SplashtopStreamer3360.exe

pid	process
1100	msiexec.exe
1100	msiexec.exe

pid	process
2112	SplashtopStreamer3360.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeAteraAgent.exeAgentPackageAgentInformation.execmd.exeAgentPackageAgentInformation.execmd.exeAgentPackageUpgradeAgent.exe

description	pid	process	target process
PID 1652 wrote to memory of 768	1652	msiexec.exe	MsiExec.exe
PID 1652 wrote to memory of 768	1652	msiexec.exe	MsiExec.exe
PID 1652 wrote to memory of 768	1652	msiexec.exe	MsiExec.exe
PID 1652 wrote to memory of 768	1652	msiexec.exe	MsiExec.exe
PID 1652 wrote to memory of 768	1652	msiexec.exe	MsiExec.exe
PID 1652 wrote to memory of 768	1652	msiexec.exe	MsiExec.exe
PID 1652 wrote to memory of 768	1652	msiexec.exe	MsiExec.exe
PID 1652 wrote to memory of 1348	1652	msiexec.exe	AteraAgent.exe
PID 1652 wrote to memory of 1348	1652	msiexec.exe	AteraAgent.exe
PID 1652 wrote to memory of 1348	1652	msiexec.exe	AteraAgent.exe
PID 1216 wrote to memory of 2140	1216	AteraAgent.exe	sc.exe
PID 1216 wrote to memory of 2140	1216	AteraAgent.exe	sc.exe
PID 1216 wrote to memory of 2140	1216	AteraAgent.exe	sc.exe
PID 1216 wrote to memory of 2408	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 1216 wrote to memory of 2408	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 1216 wrote to memory of 2408	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 2408 wrote to memory of 2520	2408	AgentPackageAgentInformation.exe	cmd.exe
PID 2408 wrote to memory of 2520	2408	AgentPackageAgentInformation.exe	cmd.exe
PID 2408 wrote to memory of 2520	2408	AgentPackageAgentInformation.exe	cmd.exe
PID 2520 wrote to memory of 2556	2520	cmd.exe	cscript.exe
PID 2520 wrote to memory of 2556	2520	cmd.exe	cscript.exe
PID 2520 wrote to memory of 2556	2520	cmd.exe	cscript.exe
PID 1216 wrote to memory of 2636	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 1216 wrote to memory of 2636	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 1216 wrote to memory of 2636	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 2636 wrote to memory of 2792	2636	AgentPackageAgentInformation.exe	cmd.exe
PID 2636 wrote to memory of 2792	2636	AgentPackageAgentInformation.exe	cmd.exe
PID 2636 wrote to memory of 2792	2636	AgentPackageAgentInformation.exe	cmd.exe
PID 2792 wrote to memory of 2828	2792	cmd.exe	cscript.exe
PID 2792 wrote to memory of 2828	2792	cmd.exe	cscript.exe
PID 2792 wrote to memory of 2828	2792	cmd.exe	cscript.exe
PID 1216 wrote to memory of 3008	1216	AteraAgent.exe	AgentPackageUpgradeAgent.exe
PID 1216 wrote to memory of 3008	1216	AteraAgent.exe	AgentPackageUpgradeAgent.exe
PID 1216 wrote to memory of 3008	1216	AteraAgent.exe	AgentPackageUpgradeAgent.exe
PID 1216 wrote to memory of 3024	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 1216 wrote to memory of 3024	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 1216 wrote to memory of 3024	1216	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 1216 wrote to memory of 2060	1216	AteraAgent.exe	AgentPackageSTRemote.exe
PID 1216 wrote to memory of 2060	1216	AteraAgent.exe	AgentPackageSTRemote.exe
PID 1216 wrote to memory of 2060	1216	AteraAgent.exe	AgentPackageSTRemote.exe
PID 1216 wrote to memory of 1228	1216	AteraAgent.exe	AgentPackageTicketing.exe
PID 1216 wrote to memory of 1228	1216	AteraAgent.exe	AgentPackageTicketing.exe
PID 1216 wrote to memory of 1228	1216	AteraAgent.exe	AgentPackageTicketing.exe
PID 1216 wrote to memory of 820	1216	AteraAgent.exe	AgentPackageWindowsUpdate.exe
PID 1216 wrote to memory of 820	1216	AteraAgent.exe	AgentPackageWindowsUpdate.exe
PID 1216 wrote to memory of 820	1216	AteraAgent.exe	AgentPackageWindowsUpdate.exe
PID 1216 wrote to memory of 1740	1216	AteraAgent.exe	AgentPackageInternalPoller.exe
PID 1216 wrote to memory of 1740	1216	AteraAgent.exe	AgentPackageInternalPoller.exe
PID 1216 wrote to memory of 1740	1216	AteraAgent.exe	AgentPackageInternalPoller.exe
PID 1216 wrote to memory of 2696	1216	AteraAgent.exe	AgentPackageHeartbeat.exe
PID 1216 wrote to memory of 2696	1216	AteraAgent.exe	AgentPackageHeartbeat.exe
PID 1216 wrote to memory of 2696	1216	AteraAgent.exe	AgentPackageHeartbeat.exe
PID 3008 wrote to memory of 2724	3008	AgentPackageUpgradeAgent.exe	AgentPackageUpgradeAgent.exe
PID 3008 wrote to memory of 2724	3008	AgentPackageUpgradeAgent.exe	AgentPackageUpgradeAgent.exe
PID 3008 wrote to memory of 2724	3008	AgentPackageUpgradeAgent.exe	AgentPackageUpgradeAgent.exe
PID 1216 wrote to memory of 2848	1216	AteraAgent.exe	AgentPackageProgramManagement.exe
PID 1216 wrote to memory of 2848	1216	AteraAgent.exe	AgentPackageProgramManagement.exe
PID 1216 wrote to memory of 2848	1216	AteraAgent.exe	AgentPackageProgramManagement.exe
PID 1216 wrote to memory of 2492	1216	AteraAgent.exe	AgentPackageADRemote.exe
PID 1216 wrote to memory of 2492	1216	AteraAgent.exe	AgentPackageADRemote.exe
PID 1216 wrote to memory of 2492	1216	AteraAgent.exe	AgentPackageADRemote.exe
PID 1216 wrote to memory of 2880	1216	AteraAgent.exe	AgentPackageNetworkDiscovery.exe
PID 1216 wrote to memory of 2880	1216	AteraAgent.exe	AgentPackageNetworkDiscovery.exe
PID 1216 wrote to memory of 2880	1216	AteraAgent.exe	AgentPackageNetworkDiscovery.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Dike_Infocert_upgrade.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1100

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 31F403C7DCC94963ADD756FC005152C0
2⤵
- Loads dropped DLL
PID:768

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="amministrazione@universoinvestigazioni.it" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="0013z00002gg5y2AAA"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1348

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 57D8293C869F24D417DC34331CA0228C M Global\MSI0000
2⤵
- Loads dropped DLL
PID:2860

C:\Windows\system32\NET.exe
NET STOP AteraAgent
2⤵
PID:2712

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 STOP AteraAgent
3⤵
PID:2364

C:\Windows\system32\taskkill.exe
taskkill /f /im AteraAgent.exe
2⤵
- Kills process with taskkill
PID:3008

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2664

C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI=""
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2740

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:420

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot12" "" "" "6d110b0a3" "0000000000000000" "00000000000003A8" "00000000000004A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1888

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
2⤵
PID:2140

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "3d9a2b9e-9f88-43c0-86c1-d29b213ef60a" agent-api.atera.com/Production 443 or8ixLi90Mf "initialIdentification"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\system32\cmd.exe
"cmd.exe" /c "cscript ospp.vbs /dstatus"
3⤵
- Suspicious use of WriteProcessMemory
PID:2520

C:\Windows\system32\cscript.exe
cscript ospp.vbs /dstatus
4⤵
- Modifies data under HKEY_USERS
PID:2556

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "1a69000a-d1ac-45ff-b7d5-3c35d8b52cbb" agent-api.atera.com/Production 443 or8ixLi90Mf "initialIdentification"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2636

C:\Windows\system32\cmd.exe
"cmd.exe" /c "cscript ospp.vbs /dstatus"
3⤵
- Suspicious use of WriteProcessMemory
PID:2792

C:\Windows\system32\cscript.exe
cscript ospp.vbs /dstatus
4⤵
PID:2828

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "9dabfb7d-d1d0-468d-a6ff-df5de79efa28" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "13ae7552-f7ea-441a-8598-e2b865701259" "9dabfb7d-d1d0-468d-a6ff-df5de79efa28" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"
3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2724

C:\Windows\system32\msiexec.exe
"msiexec.exe" /i C:\Windows\TEMP\Setupx64.msi /lv* AteraSetupLog.txt /qn /norestart
4⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2188

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "3e7727ae-3eff-41b6-b3d9-8f6bb26e0384" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:3024

C:\Windows\system32\cmd.exe
"cmd.exe" /c "cscript ospp.vbs /dstatus"
3⤵
PID:2336

C:\Windows\system32\cscript.exe
cscript ospp.vbs /dstatus
4⤵
PID:2692

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "8f1cee9f-3496-4715-9d15-7e9e22f84aad" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Windows\TEMP\SplashtopStreamer3360.exe
"C:\Windows\TEMP\SplashtopStreamer3360.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2112

C:\Windows\Temp\unpack\PreVerCheck.exe
"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
4⤵
- Executes dropped EXE
PID:1580

C:\Windows\SysWOW64\msiexec.exe
msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
5⤵
PID:2832

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "532e9225-9315-4196-b04f-2a10eecb3144" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1228

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "4c893f06-d557-4159-893c-727b0e4de2fb" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"
2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:820

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "f232d31f-dcf9-4866-9fd2-906c9dacff65" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1740

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "fe39715c-a6cf-4448-823e-910a7a5d2679" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2696

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "141ce568-26e0-4dc4-9a44-cb7aa6a643d6" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2848

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "fcd6e8f5-4d82-4847-8b54-a69df528a76a" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2492

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\AgentPackageNetworkDiscovery.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\AgentPackageNetworkDiscovery.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "bdc8f445-38f4-4226-8c7f-5c8ca426baf0" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJQYXJhbXMiOiJ7XCJDb21tYW5kXCI6NixcIkRvbWFpbk5hbWVcIjpcIlwiLFwiVXNlck5hbWVcIjpcIlwiLFwiUGFzc3dvcmRcIjpcIlwiLFwiQ3VzdG9tZXJOYW1lXCI6XCJcIixcIkJhY2tncm91bmRTY2FuSG91cnNcIjpbMTAsMTRdfSIsIktleSI6IiIsIk5ldHdvcmtEaXNjb3ZlcnlDb21tYW5kVHlwZSI6NiwiSXNBZG1pbiI6ZmFsc2V9"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2880

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "7f4a9360-c975-4aab-a1d9-9a789a889f64" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1620

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\AgentPackageTaskScheduler.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\AgentPackageTaskScheduler.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "f257dc80-5bb1-49d3-8324-84fdc8d99e8b" agent-api.atera.com/Production 443 or8ixLi90Mf "Schedule"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2604

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 13ae7552-f7ea-441a-8598-e2b865701259 "e6be9a03-e4bf-4ca7-af80-0b96fdbb2d74" agent-api.atera.com/Production 443 or8ixLi90Mf "syncdevices"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1600

C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1076

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
2⤵
PID:2828

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

T1067

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
MD5
33dd421f03cba2285db580d195337417

SHA1
ef6a57315a9f4bc95e8372de231c76961bb26d61

SHA256
0bfee9b7976dac1a18339d57d5f9991f65ce25b87fd01c74e16f943eb3d1d899

SHA512
b3993661dce0d5a472384f244baf34f680d4bbcde066c45cfef94a2f4c5db4a796be24ecb7dd081bd6e1b5dd8da7ce9f9a7a41713f2dfda2e11e6f15edd69073

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
MD5
33dd421f03cba2285db580d195337417

SHA1
ef6a57315a9f4bc95e8372de231c76961bb26d61

SHA256
0bfee9b7976dac1a18339d57d5f9991f65ce25b87fd01c74e16f943eb3d1d899

SHA512
b3993661dce0d5a472384f244baf34f680d4bbcde066c45cfef94a2f4c5db4a796be24ecb7dd081bd6e1b5dd8da7ce9f9a7a41713f2dfda2e11e6f15edd69073

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
MD5
33dd421f03cba2285db580d195337417

SHA1
ef6a57315a9f4bc95e8372de231c76961bb26d61

SHA256
0bfee9b7976dac1a18339d57d5f9991f65ce25b87fd01c74e16f943eb3d1d899

SHA512
b3993661dce0d5a472384f244baf34f680d4bbcde066c45cfef94a2f4c5db4a796be24ecb7dd081bd6e1b5dd8da7ce9f9a7a41713f2dfda2e11e6f15edd69073

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config
MD5
7ff0ac77806aed9588b143cd0fab552b

SHA1
184b62f2956b95ffe3dc98ebb31d7f45dbca83fd

SHA256
730d85d5ef4f0939154278949c126a444ed859e7718bb175ca3153ca6ed9d142

SHA512
1856bda8cc3d4161110cd75a7be4939193ed408a95f9c41e22f4cc9f85b1294584f95796bce207dd65d606ffb57760b3d2e1681efbbb7759a19a9f70fb7edac8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
MD5
04ef8a3c001a0ee28b1787423127271e

SHA1
aa0b319a3b8f04d1ba5704e0d87f9195deaed332

SHA256
4f02c008ea3183f19c0a5d56a71e2b6e07a99a56489d36cf40b5bac910409e18

SHA512
9c0d91eb8c9339a788c78d3850d78aae9a8e251cfc56c9c58e347f5f0fb6ba72fb111bb849c3857b4167f3f312fe3e920bb1826c2254d20954f75c7c19f65f33

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
MD5
49916107ee58eb8150c4e20ccfcc15d7

SHA1
c6e89b6881d46ae708ab1a3df023f8228e5476c0

SHA256
3e6ea764c4eaa5685f6a0e44268a7f2d7cd48c42aa6ab32f80124389757938f2

SHA512
4e18017d43e6d7410aeadc161f53efea733b0091b28dc0201ec4c153a2e8b00999f09b0439168eea932e6464a6104d76d35dbbd8b420487c41e2b81e8faba08a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
MD5
49916107ee58eb8150c4e20ccfcc15d7

SHA1
c6e89b6881d46ae708ab1a3df023f8228e5476c0

SHA256
3e6ea764c4eaa5685f6a0e44268a7f2d7cd48c42aa6ab32f80124389757938f2

SHA512
4e18017d43e6d7410aeadc161f53efea733b0091b28dc0201ec4c153a2e8b00999f09b0439168eea932e6464a6104d76d35dbbd8b420487c41e2b81e8faba08a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
MD5
49916107ee58eb8150c4e20ccfcc15d7

SHA1
c6e89b6881d46ae708ab1a3df023f8228e5476c0

SHA256
3e6ea764c4eaa5685f6a0e44268a7f2d7cd48c42aa6ab32f80124389757938f2

SHA512
4e18017d43e6d7410aeadc161f53efea733b0091b28dc0201ec4c153a2e8b00999f09b0439168eea932e6464a6104d76d35dbbd8b420487c41e2b81e8faba08a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
MD5
49916107ee58eb8150c4e20ccfcc15d7

SHA1
c6e89b6881d46ae708ab1a3df023f8228e5476c0

SHA256
3e6ea764c4eaa5685f6a0e44268a7f2d7cd48c42aa6ab32f80124389757938f2

SHA512
4e18017d43e6d7410aeadc161f53efea733b0091b28dc0201ec4c153a2e8b00999f09b0439168eea932e6464a6104d76d35dbbd8b420487c41e2b81e8faba08a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
MD5
7033bdb79f5752cbcafa17b296df24b2

SHA1
1d59a4aa8545f1d8aef1606c4a8a23b1b807ff18

SHA256
7b07559d1b4b17d4aef7e6f305a0d8c2fed13931b85e217bda0ee702af523f74

SHA512
df78b9194a91a2c2ab5814e92ab8585c3aaaef3f1519146592ad345253dea0afe2be8c3d99291f4bdfaf32d3785ad5cb33586e9f4a18a01e370451b69e9fc36d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
MD5
159c9643ddfb511421327ece3bb3133b

SHA1
4c11d1e591bf0d9b89ea5a949ed26a0425b25184

SHA256
a1c9523bdb884cd43b20d3d5173f2c6bf206de17c2e79db25d372ff19cec5fb7

SHA512
c7232aed3013d5d472475c1e4ba2335f57ebb31228545d7e1a7de45bbcb0246af0115a590d608389a32f1614befa67122eb33bd9881bea7ea2ff1b5b56bd2a98

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
MD5
c56f50320ec016d53ccaa5cb824f4573

SHA1
7a3102cd45cf49f12195f9354f0412e0885f8504

SHA256
cbc15a831e6ca49482dc16a50cfd6cd8b70f1865b3ed2be57b831e1e0d8dec6e

SHA512
92720fc806dd79399df2f2f9d2f5f66a7cae2b6debef3da3f018c183a15d9e49691612615b492c573b6665ccbb3da37041a74263d1f20cf1b45c2640d6044ef2

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.INI
MD5
03b8a5a32d56d4fbdf7802d7aec58aa1

SHA1
d340ac69ebbd1883d17915ea3bb856c93ec37a98

SHA256
a42f4dfec2e8385fe457f0604977a4f5cedae391776598b04367addc6d1c8ada

SHA512
1ee29b06c9a8ee1d1f5e200f59e25ce29d4aa4c8fcf1c809e75a28f4d3c9faf3e7ff2077bc351dca81e287a0c57d17f6b1b5f535415f7837667bad29e6559991

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
MD5
e6cf1fac613f61846812b4a30efc3a39

SHA1
060b70d76d5178a6bf33d160fbc7db6a5789fbfe

SHA256
524c7a89c9de151943d41261910f5e3b58abed77a7ff8827f1903e972dd37be2

SHA512
4c03b7603cff7997a9fe53711946440fde14b24bc325b853cc72096d548b89cb992a7ac970bb1ceddb898ea1d7b456038508ad45d2bfeb63553e83b3ffb398e8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
MD5
e6cf1fac613f61846812b4a30efc3a39

SHA1
060b70d76d5178a6bf33d160fbc7db6a5789fbfe

SHA256
524c7a89c9de151943d41261910f5e3b58abed77a7ff8827f1903e972dd37be2

SHA512
4c03b7603cff7997a9fe53711946440fde14b24bc325b853cc72096d548b89cb992a7ac970bb1ceddb898ea1d7b456038508ad45d2bfeb63553e83b3ffb398e8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config
MD5
3f9b7c50015ca8be5ec84127bb37e2cb

SHA1
07fa0b2f00ba82a440bfeacafd8b0b8d1b3e4ee7

SHA256
c66e1ba36e874342cd570cf5bdd3d8b73864a4c9e9d802398be7f46fe39a8532

SHA512
db5713dda4ecac0a1201add7d5d1a55bdbfc9e373b2277661869f7de9e8ba593f44bdafa6c8dbeba09df158b2dfdd1875c26c047f50597185f1f2f5612fc87b9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll
MD5
01686fb0e3083594677d84d0f46df354

SHA1
0419ea9022e5ad29217344a0962ae99a4473bc0c

SHA256
a1d6a5121135c51c1644c3d1888ae02517b3e5fa71092397485f2ad25aa1e691

SHA512
34c6a1fe79a5b19748247f162b1645a63b71632784bd9b5cd482f81c77dc8aa229d8f8aeba419696b276d34ce0e4258752c6c7f78d5e2d846d355e6bddcce0fe

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.INI
MD5
fd927f3ce29ff76dfc6846b9f6782f92

SHA1
d3734ef11e871ff44a49665f3d83da23b547d460

SHA256
be98b9e8c7393dcd9ae795a02dc06f67848fe13b3de199e66d94144b54dbcff6

SHA512
db1b5d3ef2ee77c12d8fce03ccf1fe29cd956d36503d9e78ee2aa51c5f344681e00f3127e7b075d43729fd1371b75c84535075854760d3184681d79d5d9c590d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
MD5
36243dab64849780a7b800e0b3e9419f

SHA1
cb6be598bafea04e25a9a0515141a3a6fe00fa38

SHA256
2f599ae4c76b642d30d2d5dfd0f0c009c3407cc592d3341d368f19da9b4cd29f

SHA512
3d897e9ba1fe0f706c819cc6b0f4a260e437a564ce7c84c68db43003d181b6fcb735ab63a8d2fa5cfbec6b23319e9fadc269aa8331d1f818fd665bb1029fadae

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
MD5
36243dab64849780a7b800e0b3e9419f

SHA1
cb6be598bafea04e25a9a0515141a3a6fe00fa38

SHA256
2f599ae4c76b642d30d2d5dfd0f0c009c3407cc592d3341d368f19da9b4cd29f

SHA512
3d897e9ba1fe0f706c819cc6b0f4a260e437a564ce7c84c68db43003d181b6fcb735ab63a8d2fa5cfbec6b23319e9fadc269aa8331d1f818fd665bb1029fadae

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config
MD5
9bc8c60dca1db56880a6de6186139bbb

SHA1
215828e6240b6d588e1d3e1a92e9df51ede80062

SHA256
98cbf73681a1b63d4242cb40a2bd0bb6b04a61528a4230e8eb7e10bd83b6e6b0

SHA512
809a8d652869977bcaa702fc7ab4963ef48554e122acd08314c7645dbb878bb32e0c5be0aa08606956fcf1fac5431cc401f5949ef781e52eb9919c72c88f999a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll
MD5
76e38ec3d4272fcc0834d86ec464a15b

SHA1
76dc3b82e571adaa42a3bd614ebe6f70e2887708

SHA256
92fb82687c111be88cb58958dc7e489d87ba952752e2b4a37ce22992ed949748

SHA512
43204925f34acf88a7f90236be068b875271b4d87c0b239b62263eef1c6e70526aa9f8fef9d2a3560324fe455d9a396dc2377942813f7ee6773df72f835b0e6d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
MD5
38d778364fb8c7a930818f975575a6b0

SHA1
f4362ec25898d2feb703f90be49eb42c18a41dcb

SHA256
c66a0a224ec4841562e58602b9b1513cfd689c708dc1949f8e6f8a14b622b295

SHA512
1b71a3b5d5fa11806501088e01f6d2933f7f18307f1511007a1b20d37aacbe25e55f59053893cc44ca692d22f893c04db47716f5787cd57da94b6918bb8eb4ba

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.INI
MD5
2ee2a757a5865cc7f0d97c67a0b5d8c5

SHA1
4bdfbbfa8a5622a5419160f3395916f615918ac9

SHA256
526d4fb92081239213ed7651bd67d1d6ae80cb69f2e4c64f6305b5f9ae0b3af1

SHA512
dc39fccc5c88a3ab9a50e8d87c93972054934078b42f436a7fb030e64ba513bd3724538613742b6a087724c4cfa469e45574b190a2390a63a748e0c1982851df

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
MD5
538177ef021e529dfe997d255607fe27

SHA1
3c34dc31b559c5cd7b39bfaa462e61dc51fd037b

SHA256
b181ccac37163e346d88cdd4bf1e4dad609f3a45bb5c143f3db7dc152d395a69

SHA512
a6b3af6ef8b3ab699ebfc1192869ef4d2b56b99aaa47ab6b826ddb23c01fc2c73d3b4680e5839c65f64d1b2c89964b2d69512d214fdb58a088408203eac61cec

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
MD5
538177ef021e529dfe997d255607fe27

SHA1
3c34dc31b559c5cd7b39bfaa462e61dc51fd037b

SHA256
b181ccac37163e346d88cdd4bf1e4dad609f3a45bb5c143f3db7dc152d395a69

SHA512
a6b3af6ef8b3ab699ebfc1192869ef4d2b56b99aaa47ab6b826ddb23c01fc2c73d3b4680e5839c65f64d1b2c89964b2d69512d214fdb58a088408203eac61cec

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config
MD5
9bc8c60dca1db56880a6de6186139bbb

SHA1
215828e6240b6d588e1d3e1a92e9df51ede80062

SHA256
98cbf73681a1b63d4242cb40a2bd0bb6b04a61528a4230e8eb7e10bd83b6e6b0

SHA512
809a8d652869977bcaa702fc7ab4963ef48554e122acd08314c7645dbb878bb32e0c5be0aa08606956fcf1fac5431cc401f5949ef781e52eb9919c72c88f999a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll
MD5
ced1b0417be18a7c18d13b362b83e1b4

SHA1
ee6688a75ea807aa8d51d69c1f4cec2fd201590c

SHA256
3679e9374b1639b46ead6349245adc836243d42c7237b6a94ef917b1f6ed61be

SHA512
751e24ca287541deb37e501f3bea90cdc699625331c932a31dde4f61ed0d2af1bef839f42c1f53978027285c81a01d1151ff6590040f17ef0be38d50ed50da4a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll
MD5
ddda7e8fffc144e58f39d7e973aeb64b

SHA1
bb7ed32023150cab7740524da6f2870c546d3acd

SHA256
53ba23ec48132705610c6bf3d6c9e8db6d2f3234a629c26f3a974ceb7f2e95f1

SHA512
a57e9b8c0c11ddaea7773ef3550c9a2fd5c29afcab5eea0ca4cc9507880308f130c417f01383dc9b25a02eb32737b4d8a039e7b3f57ae1d85e13da6de0d3b4dc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.INI
MD5
2fc8d65453a9c9c04a37d76b83569a72

SHA1
32d96fc8d7a9eeab00d5bb5384d301d18263d1f8

SHA256
ab306495ecfa337cf3bc9c06480c1fe778f9934b245ec7fc25a030fbe4619b98

SHA512
aa67306ddb9fdb1122d7816ee733d792259aa3bdef7a16211e1751450501fae2243c1556f55ba777dec6b9a868aa15e089e8ad22ef75ac9774623765b78ad01a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
MD5
779a81d6343a98b9b27beeafbb0a05ee

SHA1
507320c64adacae75ec7d58f641befebe348cf0d

SHA256
d88ceae464b731344f2dd7d6402b517571cff6faa6ac12d5b1f5abc5200a6693

SHA512
16048677f1a49b49ad3b9a424a4d2c8560ff3efb71967cefbe4b70c4baa72ed82bd4ef70dd73472182c66c8226102f2364dc9b3233bd246f2188c236d191a70a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
MD5
779a81d6343a98b9b27beeafbb0a05ee

SHA1
507320c64adacae75ec7d58f641befebe348cf0d

SHA256
d88ceae464b731344f2dd7d6402b517571cff6faa6ac12d5b1f5abc5200a6693

SHA512
16048677f1a49b49ad3b9a424a4d2c8560ff3efb71967cefbe4b70c4baa72ed82bd4ef70dd73472182c66c8226102f2364dc9b3233bd246f2188c236d191a70a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config
MD5
9bc8c60dca1db56880a6de6186139bbb

SHA1
215828e6240b6d588e1d3e1a92e9df51ede80062

SHA256
98cbf73681a1b63d4242cb40a2bd0bb6b04a61528a4230e8eb7e10bd83b6e6b0

SHA512
809a8d652869977bcaa702fc7ab4963ef48554e122acd08314c7645dbb878bb32e0c5be0aa08606956fcf1fac5431cc401f5949ef781e52eb9919c72c88f999a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll
MD5
13e68cf6aecd7ac7f47080b230523262

SHA1
c3d3e8ca1030e96ce20d00695c0bc9778ae43c96

SHA256
067e009ec640b958e2be69863d3a486daf59b6b523725f94eb8f649d839f340a

SHA512
8266a604c4db593565c75a203ce6dc9221bfee279ad0a87a2ace19dbd8c193762f327378a5337aebffff3187849f8808b8c4612e599ece1ea7aaf091f5a6ba13

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.INI
MD5
3fe6a123d0c45e029f56a609eab81093

SHA1
38dabbd862ebb7f1cb3e87a586053bb88bda7b4b

SHA256
dce269e4f2071e8fba665b887957504bd42418176469ae1a671781aeaeaff756

SHA512
47b00bcd95134325fcbe27d19702234d50be2f53485e72a4f34887797d4ba0999da35a7e3e8119bd74d60a6fa5e21b83b480cdd1ea50bd844f17b73717c1209b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
MD5
2827351b0af210d7118dbe0c2e894e21

SHA1
eb9a09a375a2652f78256ab69b883914f4219e3b

SHA256
7533cd228397a23e7c807f95cc9cb5cbea9f820c7cc71be7e2cfe3fe4b243c7d

SHA512
a1800510b511bd23acad9ffdc08ca4187421f7e366c21307f2d9a86193d6b0bc0a4be4dcb8773099bf91b7b880b028af3225467bcaac4dea327907fb4ea4b7e1

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
MD5
2827351b0af210d7118dbe0c2e894e21

SHA1
eb9a09a375a2652f78256ab69b883914f4219e3b

SHA256
7533cd228397a23e7c807f95cc9cb5cbea9f820c7cc71be7e2cfe3fe4b243c7d

SHA512
a1800510b511bd23acad9ffdc08ca4187421f7e366c21307f2d9a86193d6b0bc0a4be4dcb8773099bf91b7b880b028af3225467bcaac4dea327907fb4ea4b7e1

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config
MD5
332f07af284ae49f72f9b8554936340e

SHA1
422a0d4659036445311fed59949443f2d46c0d5c

SHA256
8a4d689f426e0523d7011753f369ea208e0c08039c7ddb51aaf97b8dc16f18d3

SHA512
7aad55c55b223826e6388158bd2dca01ab95d4195d0f4445b417e42b67b96a2a44acb441d43c7252cf7083417f8c256a616289ff3119b2eda0a6e156632f6745

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll
MD5
882a73f430897f51897f45711cab55fc

SHA1
c52975ba6fa69d438ff5d3e3056eeeb760595181

SHA256
38a9b9819f4e3e95289d267a40d2613a9ea5eebc801ce3d3ee142adf444e6fc7

SHA512
116d5bcb7a54d2f15363597afdccfcad888d1cc44d031f525f100a52a588789a9fa3e512f46957dea6b72c13360b40fd0cb39bdae5d30117b98372261079da91

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll
MD5
845ad48e8b58985c191bcfde3ee47e91

SHA1
5912c17d51a58602814e5bab21e06adb754dc5ff

SHA256
d0df5ca626e3187a0b8cfdeaf1431e2770c44c8560c387ddaec41f500d2f0a0b

SHA512
d9ce24abd51260dbbb02a855379882ee8584af901546c4770469ad3509959be5d1437e33f3e2249ac77bb342dfaa398692bda5661d7235b26b541bfd7375664e

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
MD5
5364d8bea03ec9f3b70ad65107570d9c

SHA1
1f8bcbe737fb4b6c116c4d2493afdb307d6df22f

SHA256
4c1a5199c37f1149919dfed1a65be0f31612a4513a3934838d78ddc89cc2ec8b

SHA512
28d4a93df540c1bf8af065db3f28a62b7d6cb43a4f76456bf8ea09981ddf500017255597143badb6c2847ac618688d375d10e41f6d719ec1d9f39a1eacc7b8bd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll
MD5
023a40faddbca03965f8d6a5cf7d476b

SHA1
e3facf40b7444728410311421c79dd7e5e8e08b9

SHA256
ab4e2c053fd2ff6b87e148c98980c63a9c250aff841f536f117508867b62d6e8

SHA512
3f693ac6fb86e69741d33bf32b86ba78cfc51a379a1cb038781aac1eca26ca5a21c789662a785ff7fa9e9bf68fa03077e6b6d4633a594426f7d538d0a9dee36e

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll
MD5
1a0e64601929604a5abd0ea25a6f2803

SHA1
2f2732c7e7647c1e5cbc7b9c941948bb711c0961

SHA256
ef50129f5b2927788faff1aa0bb9df681546a6c02f607b9f5fcf7b7c33147453

SHA512
f4fcac7b7e8ccd184624061d71970266b504bc19f2424374adfcd8370b8037fdfefa7f99b0c8ad7b8cd888e3cae43dd50f523faf0243de6e3156b5a1be432f28

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.INI
MD5
93af2eaefb9b3fe0799ebb4155104fab

SHA1
ae3455155c1881d098397e6f3f1ad31858b35c5f

SHA256
d662fe4971fc12d599f47641acbbdaf3b1cc1175fca3744bc4699c93a08b074b

SHA512
f9e791c248c48bc8017647d5b07e9d8ac3c33d17ba57caf8ff89fa8dad50657832c9d5688110a367d235dd220e32060069a7c9f96da79f90211a1e7a442cbcb0

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe
MD5
b12c63053efe64ae12a800e7202ef65e

SHA1
f4c459ed00f653c97dda9af913760ff129ed8294

SHA256
b178c407dde32dd0810f2e1672260b23a08b917624ce67af302b9a795728c6db

SHA512
e3a3b8bfc04b7b9cb2eb4f666d25b5dbdd15c19c94f7465e446566f8f4337aaca1bac7a5cd67a6b8f275a3494fa9145087f2dcc46b9a1ba6a9e3e08867f00314

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe
MD5
b12c63053efe64ae12a800e7202ef65e

SHA1
f4c459ed00f653c97dda9af913760ff129ed8294

SHA256
b178c407dde32dd0810f2e1672260b23a08b917624ce67af302b9a795728c6db

SHA512
e3a3b8bfc04b7b9cb2eb4f666d25b5dbdd15c19c94f7465e446566f8f4337aaca1bac7a5cd67a6b8f275a3494fa9145087f2dcc46b9a1ba6a9e3e08867f00314

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe.config
MD5
c0a1095205d9061cb19da9e7dc8323d0

SHA1
f50b534777f0ece5414ed533aeafdc660d97fb1d

SHA256
de0b0fe7b58f4c212cd825b3b07e978caa43103708445fdab2347986ecc12acb

SHA512
a64ce84f73859b3703c615a8422aaa6825570f7ff974e88a047d167a541d2ba7fc4bf2c77bb2c3c2afbca56f1e2e47e37197ac5f56fcf37be22f9bf195a5e370

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Atera.AgentPackage.Common.dll
MD5
3c0e332cc4eca9cab722263a0f2cc082

SHA1
e7a33fdcbbfa7ad5d2a3d9efcf07c2ca7f1e5531

SHA256
e8abad75b5f29668151f9070fce8624525c8da80203cfa9fb81d03a948a6da71

SHA512
129a84b1fa6c491b5ab98896cf3bb32a17f2a504e0cc635a028fcf4496121b832f608d007b21a8d84ae22af31a0382951635690e204dd9ac2cec17a690dc1057

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Interop.WUApiLib.dll
MD5
ba6f28e2359291c2778ec04427acea2a

SHA1
759a9518bfb3ef76b3dc1664385a13a3403feabf

SHA256
708308c9d5c2579afb21d0b10229f94b274fd5ad0a2ed0659abd3bb5f8733bf5

SHA512
20fe56f29dd58f30db8021edd6f5b7e178ce909d4b438a97bad71850f4441b9abbf1c0c83559d9c19d958d616c9aa9344b686601f37db36cb0a66a22323f951d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Newtonsoft.Json.dll
MD5
b83633d144eb1d00c744c709ab54490e

SHA1
dad6e6759042810e2a9a7c5882b0ed1399e289d3

SHA256
8855c8021ab67f0a15ffb4c1568de102e5882e478acc8000554e821d8c4c042e

SHA512
96471e13d771b6e91dfdcb1684b98762e41338972fcf47f8d46cc6bf07cb0f9271a89cd656a55d9be422a2741aae4349be7a312f88ec2c4218fc25d7588057ee

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dll
MD5
e8458b60d4f251de071b765287c5661e

SHA1
b4a4d91483f658b79204ec4be2c2012efefd5a63

SHA256
52c29826c96e35373f05fefbd0f92ac9ec377cd65e8f58a945f3a86b41c3ddc6

SHA512
57b3b9cd3a47a6543e0e81a4606e7a90e4a459fe827c01ec6a21d1a64503fe6267079fa89e3120519079a1e9a0eb925f3b794d9b39f03d7eba524393dc564bea

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt
MD5
9dc2fbe0e930e08f7d5d1da59d98d924

SHA1
78cb6957c931d363cb2875064a20e3604b88808a

SHA256
9ad38c006ae1b56da77ab566a6167c2ea26bc16e8d43c55fc9dc42a092b43943

SHA512
1be3a7f94f35790f7fb2ceebbb1e137d2d2b9004464075f469517d1dde892ff9b7cc2807fd1f8db413f242ef42c3946bf221bc40fea0327257bacaef576bc3ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
a67caad04483de7ffee8359d2c6e8550

SHA1
6cc2f0c416e8d43d02fb86d6c134f2fc77bfd970

SHA256
75bfd1b527fa64ead4723b09b574b1b5542bc2164d17e216b4b6c0112ec388c0

SHA512
59c2431eb2654f6e328242035b79fa4c9057dfd5b6c4432e3c5457671143f488c8dafe33d8db3233b29b3abaca4c22674da0056a66e17a5ba9a10924a22aa248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
MD5
2902de11e30dcc620b184e3bb0f0c1cb

SHA1
5d11d14a2558801a2688dc2d6dfad39ac294f222

SHA256
e6a7f1f8810e46a736e80ee5ac6187690f28f4d5d35d130d410e20084b2c1544

SHA512
efd415cde25b827ac2a7ca4d6486ce3a43cdcc1c31d3a94fd7944681aa3e83a4966625bf2e6770581c4b59d05e35ff9318d9adaddade9070f131076892af2fa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A
MD5
b97b24e989431cea371a2786279890aa

SHA1
47685405d8c4a3bb115ca1b1271f3756125a0a94

SHA256
78620c9358834a3c491c36f58bf1c5085357107c811f87c6a3d32353c3271604

SHA512
60e09235587f08e32c439734680b3c7a115dc1874b628b75c32f6b30bfb92046ed5eaf949ba827aeb28082b2eafe51d9c979754c1e6297e7d6b69b619201f796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
a9f51b6351150d2abbc899b2a4e9938e

SHA1
1323cac05da352a22c5d00f0cf10eb735f0ea098

SHA256
0ef1d93a0b95454422bbc38844e35ace8424e00482e62f3eb78630fa0f40f8ea

SHA512
50d2dc827430a4c0074f94c68fcb4610a6970d53b8a4e6f79068937b2557104535aed87af561060ce83d3e88e8340b460818b99b515fa1de2043d2656ef1fe8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
0128abe9afed24dfedb24f6884811022

SHA1
47b6b0de4812ba51fcb1f46fe7c97e3331f0353b

SHA256
e1812b48f5b0d8a832ca48ed476f7b5207eaf103d8258e3aaac3b2393bec101d

SHA512
4f1a6711f6fddd5677a1679cff12d0b9cf18d07ecf3793cad235e41578ae81d8db7d2ce77993b9c7760ce08774b33aee999af4a8ffe060f7e9a584c259a0c769

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A
MD5
4c18de862068a4baf57edc15fc9a36e6

SHA1
be1c74cb459102a743a9280d91b79704e1b0aae9

SHA256
ab617c7a681598198d219b681d2129c715704647f2fcf05b46ea686e60069135

SHA512
b0b64cbc52cc881c7b1490de2440b98daaa5f2ca314221a1f0f18ab4ebbc9c3095fa68c5cb604ee58bb43b1d152f503aaec1d51ca9ec5e69513a40fde678e313

Download Submit
C:\Windows\Installer\MSI2BA5.tmp
MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
MD5
2827351b0af210d7118dbe0c2e894e21

SHA1
eb9a09a375a2652f78256ab69b883914f4219e3b

SHA256
7533cd228397a23e7c807f95cc9cb5cbea9f820c7cc71be7e2cfe3fe4b243c7d

SHA512
a1800510b511bd23acad9ffdc08ca4187421f7e366c21307f2d9a86193d6b0bc0a4be4dcb8773099bf91b7b880b028af3225467bcaac4dea327907fb4ea4b7e1

Download Submit
C:\Windows\Temp\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
MD5
2827351b0af210d7118dbe0c2e894e21

SHA1
eb9a09a375a2652f78256ab69b883914f4219e3b

SHA256
7533cd228397a23e7c807f95cc9cb5cbea9f820c7cc71be7e2cfe3fe4b243c7d

SHA512
a1800510b511bd23acad9ffdc08ca4187421f7e366c21307f2d9a86193d6b0bc0a4be4dcb8773099bf91b7b880b028af3225467bcaac4dea327907fb4ea4b7e1

Download Submit
\Windows\Installer\MSI2BA5.tmp
MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/768-69-0x00000000757D1000-0x00000000757D3000-memory.dmp

Filesize
8KB

Download
memory/768-68-0x0000000000000000-mapping.dmp

Download
memory/820-152-0x0000000000000000-mapping.dmp

Download
memory/820-180-0x0000000000390000-0x0000000000391000-memory.dmp

Filesize
4KB

Download
memory/820-164-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/820-172-0x0000000019350000-0x0000000019351000-memory.dmp

Filesize
4KB

Download
memory/820-182-0x0000000019D90000-0x0000000019D92000-memory.dmp

Filesize
8KB

Download
memory/820-175-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1076-343-0x0000000019BD0000-0x0000000019BD2000-memory.dmp

Filesize
8KB

Download
memory/1100-60-0x000007FEFBDA1000-0x000007FEFBDA3000-memory.dmp

Filesize
8KB

Download
memory/1216-84-0x0000000019230000-0x0000000019232000-memory.dmp

Filesize
8KB

Download
memory/1216-91-0x000000001A110000-0x000000001A111000-memory.dmp

Filesize
4KB

Download
memory/1216-85-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1216-89-0x0000000019C50000-0x0000000019C51000-memory.dmp

Filesize
4KB

Download
memory/1228-142-0x0000000000000000-mapping.dmp

Download
memory/1228-168-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download
memory/1228-149-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/1228-178-0x00000000196E0000-0x00000000196E2000-memory.dmp

Filesize
8KB

Download
memory/1348-76-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1348-72-0x0000000000000000-mapping.dmp

Download
memory/1348-79-0x000000001B110000-0x000000001B112000-memory.dmp

Filesize
8KB

Download
memory/1580-311-0x0000000000000000-mapping.dmp

Download
memory/1600-301-0x0000000000000000-mapping.dmp

Download
memory/1600-312-0x0000000000D30000-0x0000000000D32000-memory.dmp

Filesize
8KB

Download
memory/1620-294-0x0000000019D10000-0x0000000019D12000-memory.dmp

Filesize
8KB

Download
memory/1620-229-0x0000000000000000-mapping.dmp

Download
memory/1620-345-0x0000000019D16000-0x0000000019D35000-memory.dmp

Filesize
124KB

Download
memory/1620-315-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/1740-202-0x0000000000540000-0x0000000000541000-memory.dmp

Filesize
4KB

Download
memory/1740-155-0x0000000000000000-mapping.dmp

Download
memory/1740-216-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1740-213-0x0000000000780000-0x0000000000782000-memory.dmp

Filesize
8KB

Download
memory/1740-161-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2060-143-0x0000000000B50000-0x0000000000B51000-memory.dmp

Filesize
4KB

Download
memory/2060-154-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2060-130-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2060-177-0x0000000019D70000-0x0000000019D72000-memory.dmp

Filesize
8KB

Download
memory/2060-121-0x0000000000000000-mapping.dmp

Download
memory/2112-300-0x0000000000000000-mapping.dmp

Download
memory/2140-87-0x0000000000000000-mapping.dmp

Download
memory/2188-305-0x0000000000000000-mapping.dmp

Download
memory/2336-322-0x0000000000000000-mapping.dmp

Download
memory/2364-325-0x0000000000000000-mapping.dmp

Download
memory/2408-102-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2408-104-0x0000000000EE0000-0x0000000000EE2000-memory.dmp

Filesize
8KB

Download
memory/2408-100-0x0000000000C60000-0x0000000000C61000-memory.dmp

Filesize
4KB

Download
memory/2408-96-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/2408-92-0x0000000000000000-mapping.dmp

Download
memory/2492-215-0x0000000000D70000-0x0000000000D71000-memory.dmp

Filesize
4KB

Download
memory/2492-209-0x0000000000000000-mapping.dmp

Download
memory/2492-240-0x0000000019750000-0x0000000019752000-memory.dmp

Filesize
8KB

Download
memory/2520-105-0x0000000000000000-mapping.dmp

Download
memory/2556-106-0x0000000000000000-mapping.dmp

Download
memory/2604-288-0x000007FFFFF00000-0x000007FFFFF01000-memory.dmp

Filesize
4KB

Download
memory/2604-266-0x00000000193E0000-0x00000000193E2000-memory.dmp

Filesize
8KB

Download
memory/2604-231-0x0000000000000000-mapping.dmp

Download
memory/2636-107-0x0000000000000000-mapping.dmp

Download
memory/2636-114-0x0000000000F60000-0x0000000000F62000-memory.dmp

Filesize
8KB

Download
memory/2664-332-0x000000001AAB0000-0x000000001AAB2000-memory.dmp

Filesize
8KB

Download
memory/2664-328-0x0000000000000000-mapping.dmp

Download
memory/2692-323-0x0000000000000000-mapping.dmp

Download
memory/2696-194-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/2696-187-0x0000000000000000-mapping.dmp

Download
memory/2696-214-0x0000000000C40000-0x0000000000C42000-memory.dmp

Filesize
8KB

Download
memory/2696-207-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2712-324-0x0000000000000000-mapping.dmp

Download
memory/2724-241-0x0000000019CB0000-0x0000000019CB2000-memory.dmp

Filesize
8KB

Download
memory/2724-188-0x0000000000000000-mapping.dmp

Download
memory/2724-212-0x0000000000400000-0x0000000000401000-memory.dmp

Filesize
4KB

Download
memory/2724-199-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/2740-333-0x0000000000000000-mapping.dmp

Download
memory/2740-342-0x000000001B0A0000-0x000000001B0A2000-memory.dmp

Filesize
8KB

Download
memory/2792-115-0x0000000000000000-mapping.dmp

Download
memory/2828-341-0x0000000000000000-mapping.dmp

Download
memory/2828-116-0x0000000000000000-mapping.dmp

Download
memory/2832-316-0x0000000000000000-mapping.dmp

Download
memory/2848-203-0x0000000001160000-0x0000000001161000-memory.dmp

Filesize
4KB

Download
memory/2848-239-0x0000000019AC0000-0x0000000019AC2000-memory.dmp

Filesize
8KB

Download
memory/2848-191-0x0000000000000000-mapping.dmp

Download
memory/2848-208-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2860-318-0x0000000000000000-mapping.dmp

Download
memory/2880-263-0x0000000000DF0000-0x0000000000DF2000-memory.dmp

Filesize
8KB

Download
memory/2880-224-0x0000000000000000-mapping.dmp

Download
memory/3008-126-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/3008-326-0x0000000000000000-mapping.dmp

Download
memory/3008-117-0x0000000000000000-mapping.dmp

Download
memory/3008-140-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3008-167-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/3024-133-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3024-136-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/3024-118-0x0000000000000000-mapping.dmp

Download
memory/3024-173-0x0000000019EA0000-0x0000000019EA2000-memory.dmp

Filesize
8KB

Download