7ff41b06ca3f24829baf4f67bc669be8421f70895dc1734b24948bd5f74beaf4

Analysis

max time kernel
118s
max time network
152s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
16/10/2023, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.msi
Size

632KB
MD5

31b8bb512a0f8c74461b4c6ae28cc5ef
SHA1

f36be96e0f28edfcc5a232e9c4dfcdad0e94c151
SHA256

7ff41b06ca3f24829baf4f67bc669be8421f70895dc1734b24948bd5f74beaf4
SHA512

e2e86f0985016c44e347990166d7038829cc4593289d0fe8db1402bd039433243229b1dd4639f5aa81106a0fa9e1944163d001e114b11ef156bde3917304392e
SSDEEP

12288:0s+WC8R/Mn4c6b3Diy95fP701DpHyNRAX7PaeAkCP437+8jOZy2KsGU6a4Ks:WWrBMnsO85fP701DhyHreAzgLhOE2Z39

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 23 IoCs

pid	Process
2808	AteraAgent.exe
1048	AteraAgent.exe
2972	AgentPackageAgentInformation.exe
1704	AgentPackageAgentInformation.exe
2020	AgentPackageAgentInformation.exe
2140	AgentPackageSTRemote.exe
2700	AgentPackageUpgradeAgent.exe
2232	AgentPackageSystemTools.exe
1948	AgentPackageHeartbeat.exe
1620	AgentPackageInternalPoller.exe
1060	AgentPackageProgramManagement.exe
1756	AgentPackageMarketplace.exe
1564	AgentPackageUpgradeAgent.exe
1352	AgentPackageADRemote.exe
2136	AgentPackageRuntimeInstaller.exe
2840	AgentPackageMonitoring.exe
1448	Agent.Package.Availability.exe
2060	AgentPackageTicketing.exe
1140	AgentPackageOsUpdates.exe
2384	SplashtopStreamer.exe
2784	PreVerCheck.exe
1220	AgentPackageAgentInformation.exe
1212	AgentPackageHeartbeat.exe

Loads dropped DLL 7 IoCs

pid	Process
564	MsiExec.exe
1048	AteraAgent.exe
2384	SplashtopStreamer.exe
2840	AgentPackageMonitoring.exe
1588	MsiExec.exe
1588	MsiExec.exe
1588	MsiExec.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
3	2436	msiexec.exe
5	2436	msiexec.exe
7	2436	msiexec.exe
11	2504	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC	AgentPackageHeartbeat.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC	AgentPackageHeartbeat.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AgentPackageHeartbeat.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AgentPackageTicketing.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	AteraAgent.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.IO.IsolatedStorage.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.Serialization.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Reader.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LastSyncDevicesTime.txt	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Http.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Threading.Tasks.Parallel.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Security.Cryptography.Csp.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.CommonLib.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Security.SecureString.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Net.WebSockets.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.Serialization.Formatters.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Thread.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.IO.MemoryMappedFiles.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Net.NetworkInformation.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Reflection.Extensions.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Handles.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Principal.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.FileVersionInfo.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.Tracing.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Xml.ReaderWriter.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentCommunication.Models.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileProviders.Physical.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.FileSystemGlobbing.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackage.Common.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\CommunityToolkit.WinUI.Notifications.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.VisualC.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll	AteraAgent.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76c305.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC825.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF1E6.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76c301.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID975.tmp	msiexec.exe
File created	C:\Windows\Installer\f76c305.msi	msiexec.exe
File created	C:\Windows\Installer\f76c302.ipi	msiexec.exe
File created	C:\Windows\Installer\f76c304.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c302.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC7F4.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76c301.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2228	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 8 IoCs

evasion

pid	Process
1960	taskkill.exe
2592	taskkill.exe
2848	taskkill.exe
932	taskkill.exe
2720	taskkill.exe
2220	taskkill.exe
1524	taskkill.exe
1804	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageHeartbeat.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AgentPackageSystemTools.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	AgentPackageTicketing.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AgentPackageADRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	AgentPackageSystemTools.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AgentPackageMarketplace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AgentPackageADRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AgentPackageMarketplace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AgentPackageMarketplace.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	AgentPackageTicketing.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AgentPackageSystemTools.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AgentPackageAgentInformation.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AgentPackageSystemTools.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AgentPackageSystemTools.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	AgentPackageTicketing.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27F458191A72AD047A523D15E721C7D0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\PackageName = "a.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27F458191A72AD047A523D15E721C7D0\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\ProductName = "AteraAgent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\PackageCode = "55F3BED93C9708C4CBCD8D5B5BD37078"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Version = "17301504"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\27F458191A72AD047A523D15E721C7D0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\Media	msiexec.exe

Modifies system certificate store 2 TTPs 13 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	AgentPackageAgentInformation.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	AgentPackageAgentInformation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	AgentPackageAgentInformation.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs

pid	Process
2504	msiexec.exe
2504	msiexec.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
1048	AteraAgent.exe
2140	AgentPackageSTRemote.exe
1620	AgentPackageInternalPoller.exe
1564	AgentPackageUpgradeAgent.exe
2060	AgentPackageTicketing.exe
2060	AgentPackageTicketing.exe
1048	AteraAgent.exe
2840	AgentPackageMonitoring.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2436	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeSecurityPrivilege	2504	msiexec.exe
Token: SeCreateTokenPrivilege	2436	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2436	msiexec.exe
Token: SeLockMemoryPrivilege	2436	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2436	msiexec.exe
Token: SeMachineAccountPrivilege	2436	msiexec.exe
Token: SeTcbPrivilege	2436	msiexec.exe
Token: SeSecurityPrivilege	2436	msiexec.exe
Token: SeTakeOwnershipPrivilege	2436	msiexec.exe
Token: SeLoadDriverPrivilege	2436	msiexec.exe
Token: SeSystemProfilePrivilege	2436	msiexec.exe
Token: SeSystemtimePrivilege	2436	msiexec.exe
Token: SeProfSingleProcessPrivilege	2436	msiexec.exe
Token: SeIncBasePriorityPrivilege	2436	msiexec.exe
Token: SeCreatePagefilePrivilege	2436	msiexec.exe
Token: SeCreatePermanentPrivilege	2436	msiexec.exe
Token: SeBackupPrivilege	2436	msiexec.exe
Token: SeRestorePrivilege	2436	msiexec.exe
Token: SeShutdownPrivilege	2436	msiexec.exe
Token: SeDebugPrivilege	2436	msiexec.exe
Token: SeAuditPrivilege	2436	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2436	msiexec.exe
Token: SeChangeNotifyPrivilege	2436	msiexec.exe
Token: SeRemoteShutdownPrivilege	2436	msiexec.exe
Token: SeUndockPrivilege	2436	msiexec.exe
Token: SeSyncAgentPrivilege	2436	msiexec.exe
Token: SeEnableDelegationPrivilege	2436	msiexec.exe
Token: SeManageVolumePrivilege	2436	msiexec.exe
Token: SeImpersonatePrivilege	2436	msiexec.exe
Token: SeCreateGlobalPrivilege	2436	msiexec.exe
Token: SeBackupPrivilege	2640	vssvc.exe
Token: SeRestorePrivilege	2640	vssvc.exe
Token: SeAuditPrivilege	2640	vssvc.exe
Token: SeBackupPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2740	DrvInst.exe
Token: SeRestorePrivilege	2740	DrvInst.exe
Token: SeRestorePrivilege	2740	DrvInst.exe
Token: SeRestorePrivilege	2740	DrvInst.exe
Token: SeRestorePrivilege	2740	DrvInst.exe
Token: SeRestorePrivilege	2740	DrvInst.exe
Token: SeRestorePrivilege	2740	DrvInst.exe
Token: SeLoadDriverPrivilege	2740	DrvInst.exe
Token: SeLoadDriverPrivilege	2740	DrvInst.exe
Token: SeLoadDriverPrivilege	2740	DrvInst.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe
Token: SeTakeOwnershipPrivilege	2504	msiexec.exe
Token: SeRestorePrivilege	2504	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2436	msiexec.exe
2436	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2384	SplashtopStreamer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 564	2504	msiexec.exe	32
PID 2504 wrote to memory of 564	2504	msiexec.exe	32
PID 2504 wrote to memory of 564	2504	msiexec.exe	32
PID 2504 wrote to memory of 564	2504	msiexec.exe	32
PID 2504 wrote to memory of 564	2504	msiexec.exe	32
PID 2504 wrote to memory of 564	2504	msiexec.exe	32
PID 2504 wrote to memory of 564	2504	msiexec.exe	32
PID 2504 wrote to memory of 2808	2504	msiexec.exe	33
PID 2504 wrote to memory of 2808	2504	msiexec.exe	33
PID 2504 wrote to memory of 2808	2504	msiexec.exe	33
PID 1048 wrote to memory of 2228	1048	AteraAgent.exe	36
PID 1048 wrote to memory of 2228	1048	AteraAgent.exe	36
PID 1048 wrote to memory of 2228	1048	AteraAgent.exe	36
PID 1048 wrote to memory of 2972	1048	AteraAgent.exe	40
PID 1048 wrote to memory of 2972	1048	AteraAgent.exe	40
PID 1048 wrote to memory of 2972	1048	AteraAgent.exe	40
PID 1048 wrote to memory of 1704	1048	AteraAgent.exe	42
PID 1048 wrote to memory of 1704	1048	AteraAgent.exe	42
PID 1048 wrote to memory of 1704	1048	AteraAgent.exe	42
PID 1048 wrote to memory of 2020	1048	AteraAgent.exe	44
PID 1048 wrote to memory of 2020	1048	AteraAgent.exe	44
PID 1048 wrote to memory of 2020	1048	AteraAgent.exe	44
PID 1048 wrote to memory of 2140	1048	AteraAgent.exe	46
PID 1048 wrote to memory of 2140	1048	AteraAgent.exe	46
PID 1048 wrote to memory of 2140	1048	AteraAgent.exe	46
PID 1048 wrote to memory of 2700	1048	AteraAgent.exe	49
PID 1048 wrote to memory of 2700	1048	AteraAgent.exe	49
PID 1048 wrote to memory of 2700	1048	AteraAgent.exe	49
PID 1048 wrote to memory of 2232	1048	AteraAgent.exe	50
PID 1048 wrote to memory of 2232	1048	AteraAgent.exe	50
PID 1048 wrote to memory of 2232	1048	AteraAgent.exe	50
PID 1048 wrote to memory of 1948	1048	AteraAgent.exe	52
PID 1048 wrote to memory of 1948	1048	AteraAgent.exe	52
PID 1048 wrote to memory of 1948	1048	AteraAgent.exe	52
PID 1048 wrote to memory of 1620	1048	AteraAgent.exe	54
PID 1048 wrote to memory of 1620	1048	AteraAgent.exe	54
PID 1048 wrote to memory of 1620	1048	AteraAgent.exe	54
PID 1048 wrote to memory of 1060	1048	AteraAgent.exe	56
PID 1048 wrote to memory of 1060	1048	AteraAgent.exe	56
PID 1048 wrote to memory of 1060	1048	AteraAgent.exe	56
PID 2700 wrote to memory of 1564	2700	AgentPackageUpgradeAgent.exe	60
PID 2700 wrote to memory of 1564	2700	AgentPackageUpgradeAgent.exe	60
PID 2700 wrote to memory of 1564	2700	AgentPackageUpgradeAgent.exe	60
PID 1048 wrote to memory of 1756	1048	AteraAgent.exe	58
PID 1048 wrote to memory of 1756	1048	AteraAgent.exe	58
PID 1048 wrote to memory of 1756	1048	AteraAgent.exe	58
PID 1048 wrote to memory of 1352	1048	AteraAgent.exe	63
PID 1048 wrote to memory of 1352	1048	AteraAgent.exe	63
PID 1048 wrote to memory of 1352	1048	AteraAgent.exe	63
PID 1048 wrote to memory of 2136	1048	AteraAgent.exe	69
PID 1048 wrote to memory of 2136	1048	AteraAgent.exe	69
PID 1048 wrote to memory of 2136	1048	AteraAgent.exe	69
PID 1048 wrote to memory of 2840	1048	AteraAgent.exe	65
PID 1048 wrote to memory of 2840	1048	AteraAgent.exe	65
PID 1048 wrote to memory of 2840	1048	AteraAgent.exe	65
PID 1048 wrote to memory of 1448	1048	AteraAgent.exe	67
PID 1048 wrote to memory of 1448	1048	AteraAgent.exe	67
PID 1048 wrote to memory of 1448	1048	AteraAgent.exe	67
PID 1048 wrote to memory of 2060	1048	AteraAgent.exe	70
PID 1048 wrote to memory of 2060	1048	AteraAgent.exe	70
PID 1048 wrote to memory of 2060	1048	AteraAgent.exe	70
PID 1048 wrote to memory of 1140	1048	AteraAgent.exe	72
PID 1048 wrote to memory of 1140	1048	AteraAgent.exe	72
PID 1048 wrote to memory of 1140	1048	AteraAgent.exe	72

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2436

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CD7DB33A4A0D90EDD511271DC27B629
  2⤵
  - Loads dropped DLL
  PID:564
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="0013z00002jA9QEAA0"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:2808
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A4B7FC96F81955850E91A7A20FCF85DF M Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:1588
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
    3⤵
    PID:1432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRServer.exe /T
      4⤵
      Kills process with taskkill
      PID:2592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
    3⤵
    PID:2224
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRApp.exe /T
      4⤵
      Kills process with taskkill
      PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
    3⤵
    PID:2300
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAppPB.exe /T
      4⤵
      Kills process with taskkill
      PID:932
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
    3⤵
    PID:2428
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRFeature.exe /T
      4⤵
      Kills process with taskkill
      PID:2720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
    3⤵
    PID:2576
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRFeatMini.exe /T
      4⤵
      Kills process with taskkill
      PID:2220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
    3⤵
    PID:1396
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRManager.exe /T
      4⤵
      Kills process with taskkill
      PID:1524
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
    3⤵
    PID:1640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAgent.exe /T
      4⤵
      Kills process with taskkill
      PID:1804
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
    3⤵
    PID:2412
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRChat.exe /T
      4⤵
      Kills process with taskkill
      PID:1960

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2640

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B4" "00000000000004A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:2228
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "85f42345-110d-464b-bbdf-428782296b64" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2972
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "c1a0f27e-e98c-4295-a7ec-489fd4910634" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1704
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "8302408e-38d7-48e6-806c-927b9cea4890" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
  2⤵
  - Executes dropped EXE
  PID:2020
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /dstatus
    3⤵
    PID:2996
  - - C:\Windows\system32\cscript.exe
      cscript "C:\Program Files (x86)\Microsoft Office\Office14\ospp.vbs" /dstatus
      4⤵
      Modifies data under HKEY_USERS
      PID:1080
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "94585c39-b463-4d58-836a-f93e18e0356d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- - C:\Windows\TEMP\SplashtopStreamer.exe
    "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:2384
  - - C:\Windows\Temp\unpack\PreVerCheck.exe
      "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
      4⤵
      Executes dropped EXE
      PID:2784
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
        5⤵
        
        PID:1468
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "7d1583e5-3a16-4417-bd2c-70aa1c8eff41" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
    "C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "0313b9a1-86c6-46bc-bb42-a057d15de918" "7d1583e5-3a16-4417-bd2c-70aa1c8eff41" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:1564
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "81b52948-c167-4e50-90f3-a7dd742330b0" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2232
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "77a3d03a-f391-4d60-b338-c1070d8533d0" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:1948
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "24995f06-7b46-4a08-a6b7-1a901928d6b6" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1620
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "790b2878-fe06-45d5-83c2-da23d11d72e9" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1060
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "49f3fa8c-128d-4bc4-9abd-e1380381c801" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1756
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "73354acc-f563-4e67-8e7f-e31ce4f808bd" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1352
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "b562d9b4-0d40-40e8-8b10-0d5c9690ff2d" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:2840
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "ff4f0e96-c5b3-4977-adff-39d9ca992049" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
  2⤵
  - Executes dropped EXE
  PID:1448
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "09e5b398-7583-40bd-8c3a-06292338dad2" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjEzIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2FhM2IzMTUwLTgwY2ItNGQzMC04N2Y4LWRjMzZmYTFkY2YyNi84ZWM5ZmY2ODM2ODI4MTc1ZjFhNmE2MGFlZmQ0ZTYzYi9kb3RuZXQtcnVudGltZS02LjAuMTMtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yZWYxMjM1Ny00OTliLTRhNWItYTQ4OC1kYTQ1YTVmMzEwZTYvZmJlMzVjMzU0YmZiNTA5MzRhOTc2ZmM5MWM2ZDhkODEvZG90bmV0LXJ1bnRpbWUtNi4wLjEzLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzVmZTE3M2VhLTRjNTgtNGE4ZC1iOGU1LTVjN2VhN2M1OTAxMS9hMTkzNmUxMjM5ZTU5ZGM0ZGY1OGExYmMzZGI1MjdjMy9kb3RuZXQtcnVudGltZS02LjAuMTMtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80MzZiY2U2YS1mM2U3LTQ0OGUtOTI3OS1kNThmMWUzOWFiOGEvOWY1YzdlZDM3NzI5NGNjOGUwMjhlOTAwNTQwNjMyZDUvZG90bmV0LXJ1bnRpbWUtNi4wLjEzLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzVmMDk1Y2JiLWFmNmMtNGQyMC05MDlkLTg3ZGI1Mzg3OTM3MC9kNGM2ZjM4MGE5YTY4ZmM4NTNiZDg5MTE4OWYzYzk3NS9kb3RuZXQtcnVudGltZS02LjAuMTMtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlM1WTRyU0syVmtpbWcyd01pSEVGZUI2N2U5YTBIZG9ocE13TkZ1TEVJTGpXaVNQVnpYXHUwMDJCSjNPUFJ5aUVZQmlmdkZcdTAwMkI0bnN4aTVcdTAwMkJzSG4wMGN0cU13UTZBPT0iLCJNYWNYNjRDaGVja3N1bSI6IjRqSVl1dGhzTDU4dnV0cWlkZHNGMk1pQ3NcdTAwMkJBRTBUN2FWMVgwXHUwMDJCMk1FWFNSQ0xXdGdqM0x0MklldmVxZ2l1UUVsU2VxNVF1TGJybkRjSHBRbEVpd0N3QT09IiwiV2luQVJNQ2hlY2tzdW0iOiJkLzBlWkR4L0VTSE92dUM1RURKdU4yOTFqckllYnVKTXdjdUxsV2RLOGp0Ym1kbVNYUGNhVzBpOFx1MDAyQk9kdGJwcC9SaG9TMXk3SC9mOVlTTWd6aFVPY3NBPT0iLCJXaW5YNjRDaGVja3N1bSI6InNQdmlCM3VQQVpXRG53YVZoM3YwVEpjYWRUMmNLa0d0MXVNQUM5YzBwTXNNYnduZ01IUkN3ZmxjZTlxUWNjSzJNXHUwMDJCb1BSM2t6NVpNZmh1MlA1SmdvVWc9PSIsIldpblg4NkNoZWNrc3VtIjoicTE2UjdyUzZpcjR3RW1YMTZIQVJhUThtWDByNDNhek9IODZKOXpISkNpVzlmWklhS2VYL1hvbUJrQ2xocXZxSzhIeDVuNTA2R0k4MTBPakRmbG50Y3c9PSIsIldvcmtzcGFjZUlkIjoiYmYwY2U0OWQtNzdjZi00NzIxLWJmNzAtNTc2ODYzODNjOWFiIiwiTG9nTmFtZSI6IkRvdE5ldFJ1bnRpbWVJbnN0YWxsYXRpb25SZXBvcnQiLCJTaGFyZWRLZXkiOiJqVUlTL1Q5Q1JWRGVLeFlnNFVyM2FDaGhXUXVjWTdQVnZ3ZzB6SHVxSnNjclRqalEyTHdLNlVqZnU3Y0EyTnByQVIwci9TUkFYSllZbGRQS0tGeUtLUT09In0="
  2⤵
  - Executes dropped EXE
  PID:2136
- - C:\Windows\system32\cmd.exe
    "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
    3⤵
    PID:1304
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "44883d66-a81a-4461-86fd-5be02fc4a1a7" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:2060
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "ffebbb07-dfc0-4630-a945-f4f4666fefad" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "0349940d-a272-44e8-81f1-44dce8cabd4e" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  PID:1220
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "77a3d03a-f391-4d60-b338-c1070d8533d0" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:1212
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 0313b9a1-86c6-46bc-bb42-a057d15de918 "77a3d03a-f391-4d60-b338-c1070d8533d0" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c303.rbs

Filesize
7KB

MD5
7560721ca2fb3ec75a67b27a94f99296

SHA1
80fbc6324a2f867b0d5721f4498761534db88cac

SHA256
2c1498e380b1076a46ee8bc27171827d444c9c5afc7ca2a7aae701fd7ac7a420

SHA512
a17d34000a9081251ac176a08c2934aa981af873c6ce1f9c60f7ab439ef5d864d26902531e2103d0957b72c42527ef400789f736bc953fb20a12f190e816ac50

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Filesize
753B

MD5
8298451e4dee214334dd2e22b8996bdc

SHA1
bc429029cc6b42c59c417773ea5df8ae54dbb971

SHA256
6fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25

SHA512
cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
111KB

MD5
babf570ff85fdb7339eeadfa377292bc

SHA1
86e7ae00563499b60a8b2943c409fd54b723519d

SHA256
bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4

SHA512
f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
111KB

MD5
babf570ff85fdb7339eeadfa377292bc

SHA1
86e7ae00563499b60a8b2943c409fd54b723519d

SHA256
bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4

SHA512
f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
111KB

MD5
babf570ff85fdb7339eeadfa377292bc

SHA1
86e7ae00563499b60a8b2943c409fd54b723519d

SHA256
bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4

SHA512
f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
2KB

MD5
7ff0ac77806aed9588b143cd0fab552b

SHA1
184b62f2956b95ffe3dc98ebb31d7f45dbca83fd

SHA256
730d85d5ef4f0939154278949c126a444ed859e7718bb175ca3153ca6ed9d142

SHA512
1856bda8cc3d4161110cd75a7be4939193ed408a95f9c41e22f4cc9f85b1294584f95796bce207dd65d606ffb57760b3d2e1681efbbb7759a19a9f70fb7edac8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe

Filesize
154KB

MD5
e3ca6ba742fba06522ab0fe063c620de

SHA1
58f1e87ae1ac14cf043c1af4c21d00e4197c712b

SHA256
f03771bab23cb012beb6bce3618a45fa6d06e3783a67f5f78bf0d9f41a198079

SHA512
2de5d08a4a33c03f828244705e4dd25a39d7d56a82c5fb1e5512d10d133d30a6cfeb2dde182f13288e5e0bcab181d9b4636d65db2cf1cc54c834080af0348bcc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

Filesize
46KB

MD5
1b692438393f8223bf90256abb3587d0

SHA1
5fd99d9db4757224da3fb8a8cac9d1f1632c47a8

SHA256
8296ecf5e781a1b6889ee7f278a31acdb70897f2d862a7b53e58a4edb34d71a6

SHA512
6d98fc4da030b884bf3b7fed9d7e026f8210b38cc1e4f96d36bd85067de6dd9286f0e8ac3715a187b595a8f7ae709fc19daa572ff83bc26802287292f8503bd7

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI

Filesize
12B

MD5
d8f9f68980c4da708195fa812519ad2f

SHA1
8f0066a77634e4108c20e226a5c6ba712e5a7fed

SHA256
dd8a6863451545d7ed0bab6e0e279968b2c0541c20b0a4ce7ab3054f03c54cf6

SHA512
7d3d15d3885ab1058efed06cb05dc8e713e71a3b70f3fb380657e802c362f222f23c44dc36af14089cf2c8a323a3ac07a172c1d8bb72de80eab78a66ef71e068

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

Filesize
546B

MD5
158fb7d9323c6ce69d4fce11486a40a1

SHA1
29ab26f5728f6ba6f0e5636bf47149bd9851f532

SHA256
5e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21

SHA512
7eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
aa3bcb58a6c8dd0839e6b803ba1087b9

SHA1
0198a9c644d74712c34a3a67f460a02d77005321

SHA256
8dca6c1eb1557365e065931c992de88b075b4931fa574e8f1db5805e3a03388b

SHA512
620adc1a4cf614664975a8d778efd7cabdb1feb0df0074be8c182888f12d61918c8e7521735a624a5aec97f02ec973125cd5de7e03a02e15c8b87884ba4a70a1

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

Filesize
687KB

MD5
0e7f80a7f2777f811f5bf04633ca1fd1

SHA1
8d767ef46f230a99a4d59c943eb88b5b02d4cf43

SHA256
f8054be7979b255589590fa0497e242b6294752a85795c8ee775835ef22f7a18

SHA512
d19d50879cfaa0a524be1359372014f67e4f1670e9443f393082fa5fc9c0a20d4d85d812641813b621ac3489ea07a86faf0d7e317e2cbd0fb42ddebc568a9e9e

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.INI

Filesize
13B

MD5
628ca66025f77286df96177c3ebb8138

SHA1
14dba90e4c2f9b8fa7b13e9af01c5d2b6a6af6d6

SHA256
d7630e927dbb907ee379a95be9ed1cbb2a0a87fc9aed83ed6dae8340bfcf1b09

SHA512
231d3244cabcbbc811f9bc06a89517083a58ed6748a4bc6e0c1676054cd22d7cab7bc21af5a221e47fa096a5129ea908c9d09ef4b98baeec2ce78b78ebb26dc4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

Filesize
25KB

MD5
fd9e8a53114dba71999e09386fb6ff83

SHA1
8b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679

SHA256
4a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe

SHA512
4412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

Filesize
25KB

MD5
fd9e8a53114dba71999e09386fb6ff83

SHA1
8b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679

SHA256
4a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe

SHA512
4412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

Filesize
25KB

MD5
fd9e8a53114dba71999e09386fb6ff83

SHA1
8b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679

SHA256
4a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe

SHA512
4412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

Filesize
187B

MD5
3f9b7c50015ca8be5ec84127bb37e2cb

SHA1
07fa0b2f00ba82a440bfeacafd8b0b8d1b3e4ee7

SHA256
c66e1ba36e874342cd570cf5bdd3d8b73864a4c9e9d802398be7f46fe39a8532

SHA512
db5713dda4ecac0a1201add7d5d1a55bdbfc9e373b2277661869f7de9e8ba593f44bdafa6c8dbeba09df158b2dfdd1875c26c047f50597185f1f2f5612fc87b9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

Filesize
81KB

MD5
ea658407265ab5ce2a1794ab9ab3339c

SHA1
1bda2624f029a30e3b89e2aeccdd32b09bb031fb

SHA256
735d255f396448ef6bc30d3b38dfda4487f4832bcc6dadeec2737fdfaa938548

SHA512
7027638a120c35f8df29e24d0e061d2657d2fac37a83150cfe14a65bc91960da0c674c442fe97cc5175eb52248bef4b4f5abb78639a7dd659ceecb02e3a14280

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

Filesize
522KB

MD5
50bdc0231af5435fa5ad29927d7273d6

SHA1
6b9ba2ff309b30f5b3318ab0d31270ce70b94307

SHA256
5059afd9cfc492a74e230949ebb528572d228d29da767227bbea75716907ad75

SHA512
15719741cf26f5057251b8507af83dd5a8355b8cc142b6e0c85c4c0ca98e6e2ce5cbb955dfebd88ff5ca4b78471983feef66f7513d7bdd43468f47b55bc7ea4b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.INI

Filesize
12B

MD5
e4cdd868a064a7591198586c88f1deae

SHA1
f08f61ecc28e76a2e1bdcc85f730db49730fc558

SHA256
87ecea8648bd9d81a90ca9cca1e81632c0bdd22741a6e7bfc9d9567ff8a8f825

SHA512
05e1705db1026f444b8469784197a7050ac64808013574b9c191be36fa3a5ea0618483d00d50af1afecf467d4b42dc13cbf0991f41ce5817f88f5f7ea4d6b30c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

Filesize
212KB

MD5
e984f3c76408989e897cd4068ed5b7d1

SHA1
4318e3da5a0b29afd848f51223612720844475e9

SHA256
934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17

SHA512
811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

Filesize
212KB

MD5
e984f3c76408989e897cd4068ed5b7d1

SHA1
4318e3da5a0b29afd848f51223612720844475e9

SHA256
934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17

SHA512
811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

Filesize
212KB

MD5
e984f3c76408989e897cd4068ed5b7d1

SHA1
4318e3da5a0b29afd848f51223612720844475e9

SHA256
934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17

SHA512
811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config

Filesize
541B

MD5
d0efb0a6d260dbe5d8c91d94b77d7acd

SHA1
e33a8c642d2a4b3af77e0c79671eab5200a45613

SHA256
7d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102

SHA512
a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
b3531a7da79383c4b2d99cfd08b22cb6

SHA1
e8c4610e301ca4ba4770f24aa8707d2bc8c7ced1

SHA256
c90f1dbc011bdc87d3d0a080cb3a816f22503806c7c4e88d58b6a629935c7cba

SHA512
74c5ee184e8c7f009aff50908866e0c889a5ece03ae4b2c82b5506e6a47d45526725be4637d9fd08b49f2322810e7aa35922874f5ca357a0d9470d8fa2a0d010

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll

Filesize
693KB

MD5
9fa879062d37ed7ea4ad7a34f9bcf32c

SHA1
68737bca59cc5c9a076ff963cbb9f31909470da3

SHA256
216226f83d9fcf4e41b084c0c8278b1f91ed047bf470d4543feaf49966eb2a02

SHA512
616a3c63344691f221481311059b56e7c343fd302f8cb2f0ee22baf302341b7ba559ca41e182a80a0d5e1cd2266432f81bd05c372cecc5360fee6ddf8eb7e996

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

Filesize
31KB

MD5
5c33b399551c1ff47d5486c6556121bb

SHA1
74d49780496b0ed524442aa95f6eb69bc83ded18

SHA256
aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9

SHA512
6f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

Filesize
31KB

MD5
5c33b399551c1ff47d5486c6556121bb

SHA1
74d49780496b0ed524442aa95f6eb69bc83ded18

SHA256
aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9

SHA512
6f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Filesize
398KB

MD5
da72538d4032c18b769f30acb967703f

SHA1
f5b8d6268ed5fba17cf95f5f5996cb816e4359ef

SHA256
b18dbade3e75459c976af16eaeca5be161758b3a6098169faa66037e608474da

SHA512
1068a8f1ab937e130f20d43db4cbc9ae050306405aec696dd03bb688a3d9717e0006e0e7632c77cad1782969bfa10478a0b49a47e0115d2c72abd7621b110d09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db

Filesize
40KB

MD5
fd39c32089244cc6663ad92edc080fc6

SHA1
eede038af01956f1c9800f42b0dee16cca0626f2

SHA256
f7da44aa4fc7953308a7fe9d1761f69695f8f03039102b5f4e6b340ec4b2bdbd

SHA512
6ca42878c2cf540fb52234c847007981ab1d2fd2b743580da3114479fe9bd02a1011090ae836a7a8a1477e807b1b92d5423c8f1845256c4d9367a76b8c542245

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt

Filesize
7KB

MD5
a994972da1489f82572f5707d08f1b80

SHA1
cec9f275ee25b0fed4ddbcdb5e71aa245356723a

SHA256
d59846a933849133696b9a178c58bd36ae7205242639ca9e5b80e2a6ca6a7cd0

SHA512
3dde9a15238503ce431ea09cd2c7ade41767deb83b329e56d67a5df172033199b04c6a4d22c884fc9849494998f6c30275ac308ee02b371499201131da55403d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

Filesize
188KB

MD5
7122a8acddee274f03e8eff915953eae

SHA1
5be51b43c1e59459707486e4eac0668acd603420

SHA256
d534b2ad9791b4ba80141398e7aa4d0e85c4f7fa72c580ab46f096985403ddaf

SHA512
b2ab136f1cded923c70019febe1ef37386e2bbaf175d6138589375dffea11f96391e1127970ed37be83376e4936c45b66a3cfc08be5b0d704c5078c88e241bbe

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.INI

Filesize
12B

MD5
1e7f47bc15b23c7ecf9e885ef67038f7

SHA1
5c79a779f9705f1549bc5431630a3517360430a8

SHA256
fa5ef118370c40b28cf76bac7b1509b28f3fe172449ee110ae69a88b9c675c9d

SHA512
d68aef4ab7c86455e1c0e0e1497d4063b5167ccca942e07865b280fe17bc96e04e9051c1054037a557de597e21e2d2581acb35541d863f0edff533c930d2ce07

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

Filesize
47KB

MD5
bd468d5f91fe98ce84710a0750676064

SHA1
e213c1ee6041f6523727b3ad2449aac603f65595

SHA256
8f1069fd3fcbe1f9abcac5667a0d2099ec79a7a611ac74e09d687aecb18e07b5

SHA512
cd6c484d71d3f6f4a92ca85d4c26ed71f861d26fd3b5bd700e596833f80705ffde03d4d9b247634ebfd56d4ccc84f374c9ff4ae2beaa216642f15e1a702b9e63

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

Filesize
47KB

MD5
bd468d5f91fe98ce84710a0750676064

SHA1
e213c1ee6041f6523727b3ad2449aac603f65595

SHA256
8f1069fd3fcbe1f9abcac5667a0d2099ec79a7a611ac74e09d687aecb18e07b5

SHA512
cd6c484d71d3f6f4a92ca85d4c26ed71f861d26fd3b5bd700e596833f80705ffde03d4d9b247634ebfd56d4ccc84f374c9ff4ae2beaa216642f15e1a702b9e63

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

Filesize
47KB

MD5
bd468d5f91fe98ce84710a0750676064

SHA1
e213c1ee6041f6523727b3ad2449aac603f65595

SHA256
8f1069fd3fcbe1f9abcac5667a0d2099ec79a7a611ac74e09d687aecb18e07b5

SHA512
cd6c484d71d3f6f4a92ca85d4c26ed71f861d26fd3b5bd700e596833f80705ffde03d4d9b247634ebfd56d4ccc84f374c9ff4ae2beaa216642f15e1a702b9e63

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

Filesize
776B

MD5
336caa70d9ef388edf8b234e5fc40cee

SHA1
864ccb7643fc99313e5acbeb59d608cd179e01bb

SHA256
9bb07566c5ceaf46cfc1164a63553bb3c00ad8a04138211c6eba81b60f4fe355

SHA512
eb037ff55c7d61a4170a9143b7ba40cc43ddbc9e8df673d7af03548c27c4410f53a5cdfafe8942559b9e5061419512f3c8faa5a6d32ed147dd33f832cf43e637

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
9e7b588a47c38d0f3ff0064833dbd35e

SHA1
2e247eb491599336b00c941ff11b5b38a8ca1b76

SHA256
34b6abecd096e37a40d4d8c1afd0d19397ba2ade3796ad9c29988a2dfe9e2ffa

SHA512
2d40dc665ebbadc4e95ceba3ce865fb5e69295b6ec36797692269e12fb0400d758b4c78ded9a7c333f05edd9ad15feb73e5b9ce0f92dfbee70068cc09fd0104f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\Newtonsoft.Json.dll

Filesize
693KB

MD5
e7174ed94f4b7dbea0575aa534c805b3

SHA1
679401df7d91d60f80927175211bd5ec0213ecbf

SHA256
3a263d50feaf935facb2403b0aedbab94e2857e3d3d8269f9b6ff202867ab096

SHA512
3f84f97111b25150911a027c110bdba737f3b0386cb09c1393c7b54599186694078d1356b45a76754cb4abe77e3a781557edf40b88a29fb07cf6c5e702df6dda

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\ThirdPartyPackageManager.dll

Filesize
47KB

MD5
5b0b64a2e4dbb0da2a64372d1f487b6a

SHA1
5e54a79f74efc58fbf73d9e4a114a44d2f6da5d4

SHA256
b9599f8e4b09cee9dc43e8612351ead57d804b2ac7ba9ce0dc7615379de804dc

SHA512
f609671ad876b64a4e2e646d53dde5fec0def93384b39f544cec6f3f09de41031b31133f197cacaa7af60c89cb953a8ef08f1c039d5fc013d35ee2dc3afcb2d0

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

Filesize
53KB

MD5
b7aca4b1a547ca9ba8931fb2f3a8ffe4

SHA1
ade0df9aa1b3419b1f5dca663a5ba86221fca0b9

SHA256
bec6398691bd7290f2b504fffe3271275816af6cb4a481dcecb8325f497a4d80

SHA512
7344734e229ab95bd5764523ab8db72760f71c50e947547daa4dc5668a97f257022f8f864fda38e26f922df3ef16856979bab3785164dc4a3a661e25a2706735

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.INI

Filesize
12B

MD5
20f7dee705a4f03baeffa9b658fee625

SHA1
aff7da269b24cd1c37e5b13f9395564d0fdf6d5b

SHA256
aa29d45c1bdce17624bc9a2c57f89bd7b36e1f68e44ce763879cf44d977a82d6

SHA512
56068a5026fcbed08eb8d0c4fb82198d7b3eef4857aae0ca3dbb9b1fa0fe8772a930bb544bdac435c47fd612d5bcaade4bc7ba8360575769abdb3aa818bf98b3

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
65KB

MD5
15133bbe13e21b1c50d447c64463f772

SHA1
3dd21da8e2efd3e448fa336477700f733875cdae

SHA256
433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec

SHA512
54c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
65KB

MD5
15133bbe13e21b1c50d447c64463f772

SHA1
3dd21da8e2efd3e448fa336477700f733875cdae

SHA256
433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec

SHA512
54c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
65KB

MD5
15133bbe13e21b1c50d447c64463f772

SHA1
3dd21da8e2efd3e448fa336477700f733875cdae

SHA256
433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec

SHA512
54c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

Filesize
541B

MD5
d0efb0a6d260dbe5d8c91d94b77d7acd

SHA1
e33a8c642d2a4b3af77e0c79671eab5200a45613

SHA256
7d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102

SHA512
a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
e182b5896e44abee3a33adf7faef38dd

SHA1
d30d7146e03035da47dd3b7b50c08cdfa022aa35

SHA256
0d335ea84f9295e7882c358a923d265b6e0bc536a5fdd22da5931d9204b06467

SHA512
e467f383f576daf785dd728add510fa5d604a954ca4a2d7cee5bb6b8f14be8ea89219d181ae8da81510defb778b23c5c500e3d8c738f9b26d63bac8122036ef5

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

Filesize
693KB

MD5
b11c285aeb968434de2031c5451a267d

SHA1
92942073ae71b2d287767bf678a33db5718c603f

SHA256
f599fbd82e65a0feda9c19bca49f0db3324dcd4aa6251d40e1729765fecf9000

SHA512
bcccec3a4d2b26b02db11d2f6e4bfef9c9aa4153a7a5dcfc62b2276af50ccba3e060a5501d2aa9833c23f3821639d9715012925026e8ce53922f8a5452f83413

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.INI

Filesize
12B

MD5
7ee83499fea6848679d28edc872e7215

SHA1
240baad2aeb0c81851da18e356409c78e2cef5a7

SHA256
158f2ff9e592d4679a7471299f2f3a7aa6968d6779b81655ad1a7ae811948105

SHA512
ed3f4e8726ef683e88f04c6937e82f27e2f67c9316781478b07e5d0c90b061a09a0a5f90ba5a2da65732e9b54654cda4d39556dcbd18dd78bf61cc20c43193fe

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

Filesize
498B

MD5
1819851a638eb6d98a3cc80ac4ad6894

SHA1
b74a8c6c5152c4463e487b88e534afe7144eb832

SHA256
f1d85574d2849984bf608191a519a98b1dd830b023e9430571ea6ea9fb62b981

SHA512
fa6638ea1e921da96a39e31e85ff757e6c9bad92bd997b7a516be5f34d00158bd2fe1367d6d13e22e79e703a1c590286de409c45f28b0c75ded3284a1fcfeb0d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
6f95c167da211416fa221a8926c64532

SHA1
10aed65d1a5e3563eb561a485e0fefd531c8574e

SHA256
b88c77e60b8ae3d9b0a067218eedd2d82deea2dd4cae60b8f41c53a05101c650

SHA512
7590157b138d95c149a0a893e1355567a55bdbe82ae9806f071b8ead3a6f5ce8b122b311fd3bae34d044c436baa405cfd98ff1c27eec1b60b647265a0feb6984

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll

Filesize
693KB

MD5
99ad695930272a0d5db6be802f0966f9

SHA1
916811188b414c84bd299ba086c1b68eafd6c487

SHA256
c00d2c7ddf4e5b45682e27d3dc60568b47e109b715b2638540d3108e98104a78

SHA512
2574553b62491635524937d8b56abd8591632f237acc86b3ccf21ac7a59811cac94015003a622fd40de0a15cb967c2b1bdbab5c5b7601dd19dac5ff45292365b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\3ottmci0.newcfg

Filesize
316B

MD5
abc68d054dcbbac9f180f938943b8b3e

SHA1
e8d08d58cb8b2f88f60d953a0dae1899aff73e24

SHA256
b01d14a5e46767b7917fd550d749c21d7b8f4eb3f5fa582965c0b128088a6bf6

SHA512
38ac492c0f65e7c79eaeb6bbd7152dfcf1dfac25e656e110159d4bae1d9a7005f28f69f24a6dc2d836a226a3946d1a3fa0ce263f778488384d4f9f442ff27d6a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

Filesize
30KB

MD5
ee564070a011f3cc31f846040d93c5ca

SHA1
b498078df5739008d80a6e7624352313439546ed

SHA256
0f631801a8ee3bf167fc76b50ca05aae4cb6533cdbe7b2f1261e8c590bc80c57

SHA512
ec2b86564326d112f37cec79f4809f655d4074dab596c79820d1f186b0ab020b178815b986bd957475fbd129e3ea932d77fb1ad19804baf34d6ca45923ad9b6c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingSettings.config

Filesize
162B

MD5
5c78fe97ee3475b53db8b00ef78e4a8f

SHA1
07ef7446942563ac6db9fa5de8734831bcfca8e9

SHA256
74cedcfab23fd143fc690c8431eff92ea69e8633f318ca33fdb259aaf1757102

SHA512
18324927b0f7c95a03b0be8ddce18b54db8467dbf351da8d6559bf5b87acedb36cbb5bace31be4f7cf0e7f6b8a5be9553d16e514f7d41f8913212de0a19dcad7

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\qgeebpw1.newcfg

Filesize
228B

MD5
f2a3653dd8e6f24fd200cc76c3b29ad7

SHA1
e5101d7fd9b7f52430262a8075f7a3589187596b

SHA256
96c4c998d361d18b9f4054caee12606cdd9eaf0711d55b3c9f5f0e20b6c174a4

SHA512
ac395783bc96d9005a1d741fb07cd8583139bf3d2a981948d070b1137666be6d8cb88229064c6f828273e352ef2c56adda03f4b046feda40f5096fe6784a6102

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.INI

Filesize
12B

MD5
39b44ca42c8612a5930265aeb5b57d01

SHA1
bcdb0725dac93ff166f3720fb857044b34d30915

SHA256
88ba4bc3ed257a32c86d2300ef9bb15b5737e94530ba27a806cbf5240302e64b

SHA512
8eb7df51281cda144dc77175cb2bde02294184de60db93c80a166acf37e64c3508dfc0f82ec1511aa2d5a72828b2e7f78d6ccee0015924fc15df52abe4f1268a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
953e52ff73e83b5b07a6c4a89a281ee6

SHA1
9a2a24d55926ca9739c8aee411d3d23e290191bf

SHA256
71b287bb826d8abf546a647825532f6a2dee8e32fec04a1c5d766d497e02025a

SHA512
fd4a48921667b1039af4f3d74a4525cbd42a02af8e3fefe5e24102c9576dddf4ecb08f7beabb546fe8f5210007abbe69ce31acc9ee86bec48bd308c56ca3de09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
953e52ff73e83b5b07a6c4a89a281ee6

SHA1
9a2a24d55926ca9739c8aee411d3d23e290191bf

SHA256
71b287bb826d8abf546a647825532f6a2dee8e32fec04a1c5d766d497e02025a

SHA512
fd4a48921667b1039af4f3d74a4525cbd42a02af8e3fefe5e24102c9576dddf4ecb08f7beabb546fe8f5210007abbe69ce31acc9ee86bec48bd308c56ca3de09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
953e52ff73e83b5b07a6c4a89a281ee6

SHA1
9a2a24d55926ca9739c8aee411d3d23e290191bf

SHA256
71b287bb826d8abf546a647825532f6a2dee8e32fec04a1c5d766d497e02025a

SHA512
fd4a48921667b1039af4f3d74a4525cbd42a02af8e3fefe5e24102c9576dddf4ecb08f7beabb546fe8f5210007abbe69ce31acc9ee86bec48bd308c56ca3de09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

Filesize
535B

MD5
d505e3de03f172fa2b246e210054c5f7

SHA1
f5a480f56f760eeba3b29108387e54d70a721127

SHA256
a568f933f09b1ad1ee5e88ddcffa1fe5921d18b73477136e1faee55f2bef399a

SHA512
80f01447b43525dbdf5b283522fe14d9aecef16e55ea3fe36dc0a94b53c49e03bb56136f0911c348fb78fb5af6112b1de7c38cbffbd73acb2971655ef1b2b859

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
a46fde4c53c84fec49864375d3a0bf58

SHA1
244a459a06354c234f9d1eb144b37a1a38881802

SHA256
21681a41bd53bf8e94a173c01c2f38466f93df92cdf0d61989ef1d41d50c5f21

SHA512
b7202c8734cf42bdf8c86f31d83f06496d01c0f0be84812a5bd7e2fdeec004bac66ad897c1fd0eb46b731ffb170f3c9439fca23d336fc9ac64fcb56b50217281

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

Filesize
181KB

MD5
66057a0e46da3924670862efe243640f

SHA1
a2cd8abcb3c2ee7e77559b81166eb180f61fabbc

SHA256
30e435fe1dc8dc5c8f8823b1fdcb6ba9c61bbb820f2a363c115ec3a31b47a6a1

SHA512
bf4070f82716f2695a77f52be7387f2ca1e8c3260d63fb4f93007b3c6b21f0842d4663f75be89088b13388504dd5dec721bd44b4f625ca6ac0c9c9b33e517ea4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

Filesize
323KB

MD5
716387d1960415fd3618db9b1557ae2f

SHA1
252fa9344c0a834a3ecbb8da7541e9fcc5df76d7

SHA256
c8f269b3aed910f85d05f92c8751c19cc353627928b248c3e56190f40d54e544

SHA512
6c2e72ffb40289839cf11709cf947a0e4a3247bce88d2d353d61a9c090cc75473487cb065d8e504ac69437fc8c47e14fad98906ab004f1190b3a3b1464001b91

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
17250c84c362f1b036449bd5f5ac2ffa

SHA1
cdfb112668b13b378b7dc553e9a93a6980e7be9c

SHA256
65fd00cdd3e0f88f40c0dfb3b585234548fdd6eb084bc98086fb1bd58d060d6c

SHA512
d4ab803657b5362546be26b419fd7024720c78d370cc4730c364d630952d52d612c8c71d3a6cf786701f823d48f1f713deef846f3abe059f558420ca58e7af03

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

Filesize
54KB

MD5
b174e9336a6229d2ec3ea783ed49b35c

SHA1
6652f271a5d9c198bae735116c78fb4071ff26b9

SHA256
767747012bbf1025b6f2d8259e8c1071ea53c12a0c4208cfe6265c01d6a47e50

SHA512
b3e28669c396fe77989626dcf0c15081cdac5bc2b6b15e4cb87ffa2b3c1225dc143b83dd8a17bb8f4bb76d0a0dd4228c9443552b9e91c3fa35b26f9251ac01c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dll

Filesize
167KB

MD5
e8458b60d4f251de071b765287c5661e

SHA1
b4a4d91483f658b79204ec4be2c2012efefd5a63

SHA256
52c29826c96e35373f05fefbd0f92ac9ec377cd65e8f58a945f3a86b41c3ddc6

SHA512
57b3b9cd3a47a6543e0e81a4606e7a90e4a459fe827c01ec6a21d1a64503fe6267079fa89e3120519079a1e9a0eb925f3b794d9b39f03d7eba524393dc564bea

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
168B

MD5
bcf03c724ec4bd1a5b872ed172f373be

SHA1
7b8535f5f32c3ec33721a17b11f50ec583beaebb

SHA256
724d0fb5dee48e56c441d532a32bde36115dd89f5b08c4fa79fceaf2d028be85

SHA512
c54eafcaa56018a95166ed94d1513a97dbd4f9387c780f5759ef5eb2ce2293e981d2ce3fe4031154d9b48b7e1e80ab3ca468cf4515536aeb4e89e68aaebe26d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
30cdbf3159adc4f820d2356c3abca7a1

SHA1
51aa0ce2ecd878ad5a7108487507f3a1c32ea57f

SHA256
5127a5bab21ffe9382bcf17989de2c896d3d4fb2e5a4e2125d16c358209999b0

SHA512
bc97b561a77d61d4a5e73f53fc009d2100e596ae897a8c435fd50058d4571020560ee8f37c235756e46ff3387e7ad4941b186efc0aff47fe7d468038c9918cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A

Filesize
471B

MD5
c1863ad297487389788ea71598af9c27

SHA1
c56e429202aa215878dbd4db4585a7e4381de35e

SHA256
0b04f709db9c017f4755d695f0380b6ec2f1491eec76f2265b862c1cdcff9667

SHA512
fb1231313af5a9da17636b3960578ad15d5107ebc44e6c95e15c548fbdc2b944eb225adb5c0a761b2f0d49dd236537980da8debb684557ba486b37dc44e6069d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
32fe2753e03186e6f7802928d72b3068

SHA1
2e27b6c70115f82117365f17a829a021b64b63e1

SHA256
3b10ac1cde5dd59c40a6e618b295e3b46a08ada265e77cc7220b23c58ec0b1a8

SHA512
a977c2d0d68eccb16195c9faa103354df62a9c111ca484bb583b129f0b9d873e116089a96cf5fb87c3ffd61181f3babf0759eb854d82c0d498ded054ede52b07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
92cfa84bd0b6bc24680079625cb65a03

SHA1
35f646c8aa58f2325d4e88673028ff010f371420

SHA256
a66180eef088221cffc838a48af57d698d4269b417dff158aee45870112952b8

SHA512
c48eb9102a1f389965c769836f530a31db346f7077690ddd59122f3c9711a8c430bd674dae4e1fb9b281693d15b98b4fb05ccddb87778942f14aa441ebe088ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A

Filesize
408B

MD5
05ee504d8b55c84ca2e6a06a96dd5e13

SHA1
6f27e2afbddf5835dc4eaf5dfd767f0706f208fa

SHA256
162e7e14d908206a8551c078e11508489dd54cf4048cb5696e6d763849affd17

SHA512
d5665fb2bee40c21c0be9ee30f51c12a72138848f8fc79cd31637835a8a6322af6e0a76e5f6eefbcc797bba66120a3ec4154cf5128444a61c1ba453bd9b69411

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4A8A.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4C13.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Windows\Installer\MSIC7F4.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\f76c301.msi

Filesize
632KB

MD5
31b8bb512a0f8c74461b4c6ae28cc5ef

SHA1
f36be96e0f28edfcc5a232e9c4dfcdad0e94c151

SHA256
7ff41b06ca3f24829baf4f67bc669be8421f70895dc1734b24948bd5f74beaf4

SHA512
e2e86f0985016c44e347990166d7038829cc4593289d0fe8db1402bd039433243229b1dd4639f5aa81106a0fa9e1944163d001e114b11ef156bde3917304392e

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
b05880606f1f556eaf706b4f2f06f7ee

SHA1
d241c86975ce3a8a98a7dbe66b65d5b40927b2d2

SHA256
3ce71e4023bd53c6476119a7a47f7fd2404e1ee7d353f9dddfd1bc7eb00a1ff9

SHA512
4bef5997be9e5a8127026f3be63d3609d55fee1a60e21d83418c5a80f53dc5179572c1ccd3148507957943159b927c802177cdd334d6f036de3b9b626470d98a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ceb141b3766dbde1ec672a1ffd2848f9

SHA1
0681488c0dd5ffb021dbbe8e50bb0fb51b480e97

SHA256
f7b7a12af122719b1160dee178d59c6584b9edea76b9af9512a52375d4e71a24

SHA512
30ca027b288b6b6b3107dd8b124d45681a570169dcb2eea01eeb7c17dd09562bab94ec662d2e224fa9e47d0aff77ba468eb4a9a3557b77aedf11f2e280782d7d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bbf7677f82fb4a077f0cfa88e1cae650

SHA1
a11221ca5336f7ce271e04ad538cc9b50b08dc0f

SHA256
158ca29510308e7e68d4206e894604e52f7ca67d925800d7e8cd8e01be37449d

SHA512
6ede2d1bb5f9f9c822028c27b41e50ce9333d03976ad8319a50b99acc66a1bb8f1375f3a7fa261f066e3b0ce27d3e80e503c375d1e04c8ceb1571cc16576edbb

Download Submit
C:\Windows\Temp\CabEFBE.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\PreVer.log

Filesize
2KB

MD5
48febc3081010100878fa94be300739d

SHA1
d7f4fa9059f8b4cbbf800adc78e3729cc013fa59

SHA256
4e8adc97533db0c2760abb7250158f489ac4badc6bfdb50c07e2c00e937eb75a

SHA512
fca1506c35bcd3e81288fe6902f96035132950211e379993a19c34f14bbb176ed6f2820fe311640bc31267363da8f6fd1e59ff25feb4bb97104260ecbec2c015

Download Submit
C:\Windows\Temp\unpack.log

Filesize
1KB

MD5
1948f859affcb80f992dd8c5eeae5fa7

SHA1
7a0e2868380f242db329c1fd0ff2aa816910fa9e

SHA256
54945df14b8d923ac45cebf9b2a799fa50fd8e48f1c19f9273f9d7078ed1d5e5

SHA512
60d9192d52f9dfb8da5cba6ca50353d461d09e352a72c311764915b08472cd60a6989c59d9496419fd50e2605998fe569f5fdec4e1873c393c4a2e25a5feaa53

Download Submit
C:\Windows\Temp\unpack.log

Filesize
4KB

MD5
4f25cb013f581796041732afb2ae5fdc

SHA1
06c6008a417e23193a0a7c863ff45c3d1d314870

SHA256
8af4e6732bc6901d49cb53ab5169067913428fc26cfe6d6eaf3cf9c011ed8288

SHA512
dfbd25b5bbc3f5bf648496a15ff8f89ab4ab5bf810aea9142642fbf67c0634ab0bccea7eb13b72014a25071f29977fa7c97bc8f213ad1ac2f36627dd73ca7dd9

Download Submit
C:\Windows\Temp\unpack.log

Filesize
4KB

MD5
4f25cb013f581796041732afb2ae5fdc

SHA1
06c6008a417e23193a0a7c863ff45c3d1d314870

SHA256
8af4e6732bc6901d49cb53ab5169067913428fc26cfe6d6eaf3cf9c011ed8288

SHA512
dfbd25b5bbc3f5bf648496a15ff8f89ab4ab5bf810aea9142642fbf67c0634ab0bccea7eb13b72014a25071f29977fa7c97bc8f213ad1ac2f36627dd73ca7dd9

Download Submit
C:\Windows\Temp\{3388741B-7410-46C1-BF27-A8138E252151}\ISRT.dll

Filesize
427KB

MD5
85315ad538fa5af8162f1cd2fce1c99d

SHA1
31c177c28a05fa3de5e1f934b96b9d01a8969bba

SHA256
70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

SHA512
877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

Download Submit
C:\Windows\Temp\{3388741B-7410-46C1-BF27-A8138E252151}\_isF2D.exe

Filesize
179KB

MD5
7a1c100df8065815dc34c05abc0c13de

SHA1
3c23414ae545d2087e5462a8994d2b87d3e6d9e2

SHA256
e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

SHA512
bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

Download Submit
\Windows\Installer\MSIC7F4.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/1048-135-0x0000000000E10000-0x0000000000E8A000-memory.dmp

Filesize
488KB

Download
memory/1048-124-0x0000000000250000-0x0000000000280000-memory.dmp

Filesize
192KB

Download
memory/1048-334-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1048-338-0x000000001A010000-0x000000001A090000-memory.dmp

Filesize
512KB

Download
memory/1048-295-0x0000000019540000-0x0000000019574000-memory.dmp

Filesize
208KB

Download
memory/1048-125-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1060-711-0x00000000012E0000-0x00000000012F0000-memory.dmp

Filesize
64KB

Download
memory/1060-748-0x00000000002D0000-0x00000000002E0000-memory.dmp

Filesize
64KB

Download
memory/1060-843-0x00000000002F0000-0x000000000030C000-memory.dmp

Filesize
112KB

Download
memory/1060-795-0x00000000011F0000-0x00000000012A2000-memory.dmp

Filesize
712KB

Download
memory/1060-722-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1352-878-0x0000000001310000-0x0000000001320000-memory.dmp

Filesize
64KB

Download
memory/1564-913-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/1564-871-0x0000000001140000-0x0000000001150000-memory.dmp

Filesize
64KB

Download
memory/1588-2174-0x0000000003C20000-0x0000000003DE7000-memory.dmp

Filesize
1.8MB

Download
memory/1588-2472-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/1620-692-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1620-698-0x00000000003E0000-0x0000000000418000-memory.dmp

Filesize
224KB

Download
memory/1620-860-0x0000000000EC0000-0x0000000000F08000-memory.dmp

Filesize
288KB

Download
memory/1620-876-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/1620-836-0x0000000000560000-0x000000000057C000-memory.dmp

Filesize
112KB

Download
memory/1620-793-0x00000000193D0000-0x0000000019482000-memory.dmp

Filesize
712KB

Download
memory/1704-337-0x0000000000CF0000-0x0000000000DA0000-memory.dmp

Filesize
704KB

Download
memory/1704-341-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1704-336-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1756-869-0x00000000000C0000-0x00000000000CC000-memory.dmp

Filesize
48KB

Download
memory/1756-874-0x0000000000260000-0x00000000002AA000-memory.dmp

Filesize
296KB

Download
memory/1756-944-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-627-0x0000000001350000-0x000000000135A000-memory.dmp

Filesize
40KB

Download
memory/1948-663-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/1948-817-0x00000000012C0000-0x0000000001346000-memory.dmp

Filesize
536KB

Download
memory/1948-791-0x0000000019DC0000-0x0000000019E40000-memory.dmp

Filesize
512KB

Download
memory/1948-708-0x00000000002E0000-0x00000000002F8000-memory.dmp

Filesize
96KB

Download
memory/2020-514-0x0000000019470000-0x00000000194F0000-memory.dmp

Filesize
512KB

Download
memory/2020-389-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2020-693-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2020-382-0x0000000000580000-0x0000000000630000-memory.dmp

Filesize
704KB

Download
memory/2020-356-0x0000000000BA0000-0x0000000000BCC000-memory.dmp

Filesize
176KB

Download
memory/2020-870-0x0000000019470000-0x00000000194F0000-memory.dmp

Filesize
512KB

Download
memory/2020-430-0x0000000000540000-0x000000000055C000-memory.dmp

Filesize
112KB

Download
memory/2136-914-0x00000000013E0000-0x00000000013F2000-memory.dmp

Filesize
72KB

Download
memory/2140-572-0x00000000197C0000-0x0000000019840000-memory.dmp

Filesize
512KB

Download
memory/2140-695-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-503-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2140-471-0x0000000000C40000-0x0000000000C54000-memory.dmp

Filesize
80KB

Download
memory/2140-545-0x00000000001F0000-0x000000000020C000-memory.dmp

Filesize
112KB

Download
memory/2140-526-0x0000000000C60000-0x0000000000D12000-memory.dmp

Filesize
712KB

Download
memory/2232-732-0x0000000000EA0000-0x0000000000F52000-memory.dmp

Filesize
712KB

Download
memory/2232-582-0x0000000000BC0000-0x0000000000BCE000-memory.dmp

Filesize
56KB

Download
memory/2232-873-0x0000000019990000-0x0000000019A10000-memory.dmp

Filesize
512KB

Download
memory/2232-599-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2232-665-0x00000000003D0000-0x00000000003EC000-memory.dmp

Filesize
112KB

Download
memory/2700-421-0x0000000000A70000-0x0000000000A80000-memory.dmp

Filesize
64KB

Download
memory/2700-418-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-520-0x0000000000C20000-0x0000000000CD2000-memory.dmp

Filesize
712KB

Download
memory/2700-694-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-787-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2700-484-0x0000000000A50000-0x0000000000A6C000-memory.dmp

Filesize
112KB

Download
memory/2808-94-0x0000000000AD0000-0x0000000000AF2000-memory.dmp

Filesize
136KB

Download
memory/2808-97-0x000000001AEB0000-0x000000001AF30000-memory.dmp

Filesize
512KB

Download
memory/2808-95-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2808-128-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-342-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-340-0x00000000002E0000-0x00000000002FC000-memory.dmp

Filesize
112KB

Download
memory/2972-335-0x000007FEF4E80000-0x000007FEF586C000-memory.dmp

Filesize
9.9MB

Download
memory/2972-331-0x0000000000310000-0x000000000033C000-memory.dmp

Filesize
176KB

Download