ateraagent | 394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
05/02/2025, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46.msi
Size

2.9MB
MD5

6032d2452e05a12f1449182deb3ab258
SHA1

03a992f9020a003fe86e477ac28698afc16a73d3
SHA256

394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46
SHA512

1318d1844efe031d05499e642c9509422a9f92977b8b4c76d38c6c614d81813af4ec927d2dd807e9b7b205ab06ea1800eb4a082f1a89a4e3721a37301165e28d
SSDEEP

49152:9+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:9+lUlz9FKbsodq0YaH7ZPxMb8tT

Score

10^/10

ateraagent discovery persistence privilege_escalation rat

Malware Config

Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.
rat ateraagent
Ateraagent family
ateraagent

Detects AteraAgent 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000019451-421.dat	family_ateraagent

Blocklisted process makes network request 7 IoCs

flow	pid	Process
3	2124	msiexec.exe
5	2124	msiexec.exe
7	2124	msiexec.exe
11	2788	rundll32.exe
12	2788	rundll32.exe
17	1580	rundll32.exe
19	1580	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 20 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DABA17F5E36CBE65640DD2FE24F104E7	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DABA17F5E36CBE65640DD2FE24F104E7	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015	AgentPackageAgentInformation.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 18 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt	AgentPackageAgentInformation.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76e8ab.ipi	msiexec.exe
File created	C:\Windows\Installer\f76e8ad.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA29.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA29.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\f76e8aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE948.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFCDA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCDA.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE948.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFFB9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA29.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA29.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76e8aa.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC55.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE948.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCDA.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA29.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEC55.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFCDA.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\f76e8ab.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFA8.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIE948.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE948.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEC55.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEC55.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI77.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFCDA.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE948.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEC55.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIEC55.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFCDA.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
2496	AteraAgent.exe
2912	AteraAgent.exe
1852	AgentPackageAgentInformation.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1356	sc.exe

Loads dropped DLL 35 IoCs

pid	Process
1944	MsiExec.exe
872	rundll32.exe
872	rundll32.exe
872	rundll32.exe
872	rundll32.exe
872	rundll32.exe
1944	MsiExec.exe
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
2788	rundll32.exe
1944	MsiExec.exe
1752	rundll32.exe
1752	rundll32.exe
1752	rundll32.exe
1752	rundll32.exe
1752	rundll32.exe
1944	MsiExec.exe
2472	MsiExec.exe
2472	MsiExec.exe
1944	MsiExec.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe
1580	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2124	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
2488	TaskKill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	AgentPackageAgentInformation.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\9E99A48A9960B14926BB7F3B02E22DA2B0AB7280	AteraAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	AteraAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2980	msiexec.exe
2980	msiexec.exe
2912	AteraAgent.exe
1852	AgentPackageAgentInformation.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe
Token: SeSecurityPrivilege	2980	msiexec.exe
Token: SeCreateTokenPrivilege	2124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2124	msiexec.exe
Token: SeLockMemoryPrivilege	2124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2124	msiexec.exe
Token: SeMachineAccountPrivilege	2124	msiexec.exe
Token: SeTcbPrivilege	2124	msiexec.exe
Token: SeSecurityPrivilege	2124	msiexec.exe
Token: SeTakeOwnershipPrivilege	2124	msiexec.exe
Token: SeLoadDriverPrivilege	2124	msiexec.exe
Token: SeSystemProfilePrivilege	2124	msiexec.exe
Token: SeSystemtimePrivilege	2124	msiexec.exe
Token: SeProfSingleProcessPrivilege	2124	msiexec.exe
Token: SeIncBasePriorityPrivilege	2124	msiexec.exe
Token: SeCreatePagefilePrivilege	2124	msiexec.exe
Token: SeCreatePermanentPrivilege	2124	msiexec.exe
Token: SeBackupPrivilege	2124	msiexec.exe
Token: SeRestorePrivilege	2124	msiexec.exe
Token: SeShutdownPrivilege	2124	msiexec.exe
Token: SeDebugPrivilege	2124	msiexec.exe
Token: SeAuditPrivilege	2124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2124	msiexec.exe
Token: SeChangeNotifyPrivilege	2124	msiexec.exe
Token: SeRemoteShutdownPrivilege	2124	msiexec.exe
Token: SeUndockPrivilege	2124	msiexec.exe
Token: SeSyncAgentPrivilege	2124	msiexec.exe
Token: SeEnableDelegationPrivilege	2124	msiexec.exe
Token: SeManageVolumePrivilege	2124	msiexec.exe
Token: SeImpersonatePrivilege	2124	msiexec.exe
Token: SeCreateGlobalPrivilege	2124	msiexec.exe
Token: SeBackupPrivilege	3016	vssvc.exe
Token: SeRestorePrivilege	3016	vssvc.exe
Token: SeAuditPrivilege	3016	vssvc.exe
Token: SeBackupPrivilege	2980	msiexec.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeLoadDriverPrivilege	1156	DrvInst.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe
Token: SeDebugPrivilege	2788	rundll32.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe
Token: SeRestorePrivilege	2980	msiexec.exe
Token: SeTakeOwnershipPrivilege	2980	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2124	msiexec.exe
2124	msiexec.exe

Suspicious use of WriteProcessMemory 63 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 1944	2980	msiexec.exe	35
PID 2980 wrote to memory of 1944	2980	msiexec.exe	35
PID 2980 wrote to memory of 1944	2980	msiexec.exe	35
PID 2980 wrote to memory of 1944	2980	msiexec.exe	35
PID 2980 wrote to memory of 1944	2980	msiexec.exe	35
PID 2980 wrote to memory of 1944	2980	msiexec.exe	35
PID 2980 wrote to memory of 1944	2980	msiexec.exe	35
PID 1944 wrote to memory of 872	1944	MsiExec.exe	36
PID 1944 wrote to memory of 872	1944	MsiExec.exe	36
PID 1944 wrote to memory of 872	1944	MsiExec.exe	36
PID 1944 wrote to memory of 872	1944	MsiExec.exe	36
PID 1944 wrote to memory of 872	1944	MsiExec.exe	36
PID 1944 wrote to memory of 872	1944	MsiExec.exe	36
PID 1944 wrote to memory of 872	1944	MsiExec.exe	36
PID 1944 wrote to memory of 2788	1944	MsiExec.exe	37
PID 1944 wrote to memory of 2788	1944	MsiExec.exe	37
PID 1944 wrote to memory of 2788	1944	MsiExec.exe	37
PID 1944 wrote to memory of 2788	1944	MsiExec.exe	37
PID 1944 wrote to memory of 2788	1944	MsiExec.exe	37
PID 1944 wrote to memory of 2788	1944	MsiExec.exe	37
PID 1944 wrote to memory of 2788	1944	MsiExec.exe	37
PID 1944 wrote to memory of 1752	1944	MsiExec.exe	38
PID 1944 wrote to memory of 1752	1944	MsiExec.exe	38
PID 1944 wrote to memory of 1752	1944	MsiExec.exe	38
PID 1944 wrote to memory of 1752	1944	MsiExec.exe	38
PID 1944 wrote to memory of 1752	1944	MsiExec.exe	38
PID 1944 wrote to memory of 1752	1944	MsiExec.exe	38
PID 1944 wrote to memory of 1752	1944	MsiExec.exe	38
PID 2980 wrote to memory of 2472	2980	msiexec.exe	40
PID 2980 wrote to memory of 2472	2980	msiexec.exe	40
PID 2980 wrote to memory of 2472	2980	msiexec.exe	40
PID 2980 wrote to memory of 2472	2980	msiexec.exe	40
PID 2980 wrote to memory of 2472	2980	msiexec.exe	40
PID 2980 wrote to memory of 2472	2980	msiexec.exe	40
PID 2980 wrote to memory of 2472	2980	msiexec.exe	40
PID 2472 wrote to memory of 2820	2472	MsiExec.exe	41
PID 2472 wrote to memory of 2820	2472	MsiExec.exe	41
PID 2472 wrote to memory of 2820	2472	MsiExec.exe	41
PID 2472 wrote to memory of 2820	2472	MsiExec.exe	41
PID 2820 wrote to memory of 1400	2820	NET.exe	43
PID 2820 wrote to memory of 1400	2820	NET.exe	43
PID 2820 wrote to memory of 1400	2820	NET.exe	43
PID 2820 wrote to memory of 1400	2820	NET.exe	43
PID 2472 wrote to memory of 2488	2472	MsiExec.exe	44
PID 2472 wrote to memory of 2488	2472	MsiExec.exe	44
PID 2472 wrote to memory of 2488	2472	MsiExec.exe	44
PID 2472 wrote to memory of 2488	2472	MsiExec.exe	44
PID 2980 wrote to memory of 2496	2980	msiexec.exe	46
PID 2980 wrote to memory of 2496	2980	msiexec.exe	46
PID 2980 wrote to memory of 2496	2980	msiexec.exe	46
PID 1944 wrote to memory of 1580	1944	MsiExec.exe	48
PID 1944 wrote to memory of 1580	1944	MsiExec.exe	48
PID 1944 wrote to memory of 1580	1944	MsiExec.exe	48
PID 1944 wrote to memory of 1580	1944	MsiExec.exe	48
PID 1944 wrote to memory of 1580	1944	MsiExec.exe	48
PID 1944 wrote to memory of 1580	1944	MsiExec.exe	48
PID 1944 wrote to memory of 1580	1944	MsiExec.exe	48
PID 2912 wrote to memory of 1356	2912	AteraAgent.exe	49
PID 2912 wrote to memory of 1356	2912	AteraAgent.exe	49
PID 2912 wrote to memory of 1356	2912	AteraAgent.exe	49
PID 2912 wrote to memory of 1852	2912	AteraAgent.exe	51
PID 2912 wrote to memory of 1852	2912	AteraAgent.exe	51
PID 2912 wrote to memory of 1852	2912	AteraAgent.exe	51

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2124

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CDF320554DFC749C96ECF86D0A4859F
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIE948.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259451378 1 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:872
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIEC55.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259451986 5 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2788
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIFCDA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259456307 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1752
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIA29.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_259459630 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
    3⤵
    - Blocklisted process makes network request
    - Drops file in Windows directory
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A5CA0FBB27B22029710EDE2E24811285 M Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\syswow64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:1400
- - C:\Windows\syswow64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2488
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000QFoFLIA1" /AgentId="9a4bb2cd-ec51-4150-87bc-70aead15dacb"
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:2496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3016

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003BC" "00000000000003B8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1156

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:1356
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9a4bb2cd-ec51-4150-87bc-70aead15dacb "992d6210-1c69-487c-978c-bfe625b6258b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QFoFLIA1
  2⤵
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76e8ac.rbs

Filesize
8KB

MD5
760b6e8df600dcd18387b830f46b906c

SHA1
a05c17ee14b635f36675aa11b99948d62cfd6ce2

SHA256
a125d97664894c685067612bcc5b0b1db6a1b4145d7d74151b4b5d3506be006d

SHA512
ac282ac6d9006f05b878f5c1bd64bdca5440ab6f7516ec69542d27f50afce111c2c0f6fdcdd9b774c6839fc534d8d9647edcd6248e257c9f0e3cd41b76c847d1

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Filesize
753B

MD5
8298451e4dee214334dd2e22b8996bdc

SHA1
bc429029cc6b42c59c417773ea5df8ae54dbb971

SHA256
6fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25

SHA512
cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
142KB

MD5
477293f80461713d51a98a24023d45e8

SHA1
e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

SHA256
a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

SHA512
23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

Filesize
210KB

MD5
c106df1b5b43af3b937ace19d92b42f3

SHA1
7670fc4b6369e3fb705200050618acaa5213637f

SHA256
2b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68

SHA512
616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
2c4d25b7fbd1adfd4471052fa482af72

SHA1
fd6cd773d241b581e3c856f9e6cd06cb31a01407

SHA256
2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7

SHA512
f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI

Filesize
12B

MD5
1e065e191e89cc811ff49c96fa8fa5e6

SHA1
bc50ff2a20a8b83683583684fcac640a91689ed4

SHA256
d88faf6d47342587ea5fbcaf2ef88fb403f7fcdc08fcab67d4f4f381c237a61e

SHA512
5a710e168316c30ca10f7b126e870621f46cca6200e206a9984d144abd11fea045bc475599b18597bbed1e4f00e832d94576837f643b22ffaee56871629290dd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
247KB

MD5
aa5cf64d575b7544eefd77f256c4dc57

SHA1
bd23989db4f9af0aae34d032e817d802c06ca5a9

SHA256
79c5afd94d0ffa3519a90e691a6d47f9c2eec93277f7d369aa34e64b171fc920

SHA512
774aeb5188c536d556a8c7a0cd3dfd9ab22d7bc0ad13353d11c9153232585da352552a69eb967a741372a99db490df355a5a47696b2ea446582c834c963cfeff

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

Filesize
546B

MD5
158fb7d9323c6ce69d4fce11486a40a1

SHA1
29ab26f5728f6ba6f0e5636bf47149bd9851f532

SHA256
5e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21

SHA512
7eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

Filesize
688KB

MD5
111e2e63bccead95bb5ffc53c9282070

SHA1
eaae7df21e291aa089bc101b1e265ca202be1225

SHA256
9615fe5fe63c48b13ffd8c9bc76170a9ed1cfea6a3d0901e857a1c6c6edaea76

SHA512
ffc818615fb30e24633c90b8f5a55c100b5f307414ec54e5a2914bb4ea36d3fb3aa6ed0e5815976a2f6d1b7f056e7da1f108a8eed81b458decebe721ad30b920

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\log.txt

Filesize
23KB

MD5
76d23a19a5f456656b347a6ac02b5601

SHA1
769a0c8a1cfb99d383d1d180153a028894e2793a

SHA256
294ee911151bb06463a9852bec80d2cfa67e50a5ed12cb825848eb251623e909

SHA512
bbaae1027388027db496732790ba7dd9285b8044971f76981ea052bcb6840a55170ff1b32b828f7316af6d1a2960a61d01d665002993fed1ec5c59b8696b8a19

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
17d74c03b6bcbcd88b46fcc58fc79a0d

SHA1
bc0316e11c119806907c058d62513eb8ce32288c

SHA256
13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

SHA512
f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
218B

MD5
f39be89e8e86d60e954689e8a921a7ee

SHA1
f10d347f75f8f69fb8feba2a1d957bda1ca0fcb3

SHA256
13c1836dd58de7283bf68526b2a34e7b655b3d6bfde8910f681f4309f0a26a3b

SHA512
5645d30c9667095a63ad9ec6f9a1b7fb11aafeff874519509ad388a01b46d092329462626fb73ac067305f3c131d8ef5a1ef510d2e419e228586e58f49b4d85a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
a92359bcd40ab68df3b2a726b293703e

SHA1
03af49fbe93ce7312ceb352c712941d1ac5fd2f0

SHA256
e61fca89129e6e9eecaafaa8612f1d82efb267b900a8ca27427fa0b32e065c63

SHA512
f2f2ff4c354ce68642ec37357e40c28cfc2449bfa9971ffe59c800a50287f8a39b5729a6fb2aaf8f23b9f45ea3e478a9f12dbba0479d93e4c2c598263aa7ce92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
727B

MD5
12d865d718c648c03e5657a02fbd7128

SHA1
67992668978bbcf0dc94166c3d68fe91adf5a4f7

SHA256
605bc5c5942c346edd5a9639cd65d9829c8aa80d06b01dfd1b7c8dfa5fc5f671

SHA512
02628a076f36de16e92be4b799074dcc843df16a065313662b163a368b46e9a458388e9e4a5c7deedeb9ea3db9da47ba886fa9be7fb8724c5f6af46a372c4c41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
7ede1c2319349ee09eef9b918f848ee1

SHA1
907bc671d8865713c6c6758ab35d880bc195cd26

SHA256
0091300b2b650fad4fdf32c8681ca431aa280403bb7afec50e1e3b2232537c9e

SHA512
673710e89af144f22a6a69011341e48681cf2b46ec58fa7ceed13688f3dfa17e5c8ea9f8054cb99c054864ec980fa0acebdb480ce9abf4d1d7a8ec46dcfb5866

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
4fa72e280e9f4d27c8446ba21478a062

SHA1
2e6caf3ec8f9125aaeaccee11942478264ca5f71

SHA256
d86cad9d69c9fb677c18a4ecac5f6cbc061c95a59c84caa7bd9fd81518c37d49

SHA512
48d8e49aa6a56a3f531bc52487ae2203183b03e533d48f7ccde24b435d8f42ded7895bc50e5b161c3e4f76be68111928a5591bdc49c0f0d83a8dc63642e42fc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

Filesize
404B

MD5
a07fd5a4d4d20d9d0062de0c77f090fe

SHA1
f64d068b36dca3bf7838f9573e38a09b03bd74f9

SHA256
19f8d77a33979dcdfc786c2029b14ef97ab7cd96f31ece1f272060cd5331699c

SHA512
afb9e7634b39614a48d62cc579da8eed7e3ebbba2006e20d959341592d40024b3028fb095a0d86e026134e35261bebe867e8b9ed9198bff3c89ebda2a0dc3b04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ca950fef5ebd2c29ea01f19797ec377

SHA1
44a7358c2a9ff267115c59249b8c28d53241b87e

SHA256
526e128ee2732bbc2a74d72617cb02e118b1b6362b016097232f0f79ff039b52

SHA512
77e4f7de7d594912d1282bad4f4df84723a7bbc75eda1b1e205d5478dd99fc2eaf10d81fcd89cda9687b555aa74748a5ebd579b968db14257680d084f758a46e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29a76681858fc53c0053e86a188b21f6

SHA1
4f2c696f4e636690c0495b337bba0950e05140eb

SHA256
3ea01c8f828ee51a4e37dc5c0af33336508abb015277e2d4ac4a06b666850fa7

SHA512
f4faaf3b5942770a1121a881786acb0479577fc79c32a416e07cce7e4eaac35b594098d2632b822126cf6f1e041724aa8e9783684661d282bdf0a5db492ed6ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
2f03a1ff35316b287f0857e63c0428b0

SHA1
d33aaaeb493631c7a94ae0e61c52cc95d7023e6b

SHA256
64a61ef494386c6f9f71fe1bdc04f0f88995e4308b2714aeb36301e7a2336a49

SHA512
8df36bb3dd2f427948af7815a2dc062383aad65d1c08389c7b4d76d3b77005ebbeec6414c206a4e3a7b8e97d230356eda273b8f87f4c61e36b297a042eb0d7b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC479.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC602.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Windows\Installer\MSIE948.tmp

Filesize
509KB

MD5
88d29734f37bdcffd202eafcdd082f9d

SHA1
823b40d05a1cab06b857ed87451bf683fdd56a5e

SHA256
87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

SHA512
1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

Download Submit
C:\Windows\Installer\MSIEC55.tmp-\CustomAction.config

Filesize
1KB

MD5
bc17e956cde8dd5425f2b2a68ed919f8

SHA1
5e3736331e9e2f6bf851e3355f31006ccd8caa99

SHA256
e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

SHA512
02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

Download Submit
C:\Windows\Installer\MSIFFB9.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\f76e8aa.msi

Filesize
2.9MB

MD5
6032d2452e05a12f1449182deb3ab258

SHA1
03a992f9020a003fe86e477ac28698afc16a73d3

SHA256
394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46

SHA512
1318d1844efe031d05499e642c9509422a9f92977b8b4c76d38c6c614d81813af4ec927d2dd807e9b7b205ab06ea1800eb4a082f1a89a4e3721a37301165e28d

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7dd666b7572c2cf8c3700f0d63b13a59

SHA1
c2a866d910854e891f68cf7030d385f434627ce8

SHA256
eef685409e12d52fc2d755e8d2bd525e2f44d9b65a95fdafd20e447a4531fde7

SHA512
fab793fe311c38877081b64c7a5237fdd10df3d07df0e5114c1d7eaad1b28c6cb83d29621887562cf8c52b479b6eaab165e0525ac5e68d4fd9402aa31780edda

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7407fa726650b128f752efc38801290a

SHA1
ed8ad632b9ba98ceb158ebd94e37a1d630f4eb3a

SHA256
2817edb2c5e23331afc98f3068e03a74cbdbd09eff694d1d30bd66ed222037f0

SHA512
a0034516e005ee468e5d01bb2b429c601664d04d286250b41b0daf97b2a18d765aa23b43934ae1b1c509ae5d5e5c44a677f838787df0698afdcd6abcbf535718

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77c37dbbf9661447dfe5920170488277

SHA1
a7eb91f198673d5b2d91427838559d6e9703b841

SHA256
b1f7f95d817248546907485164bc0ceba7e695b8acf6c534ddb578c27aafc1f5

SHA512
69213b5220b91aed363591e7fb3bd3f333a0547ba26da31260ad762a9b1812741ddce39695c5883546b265ea0d89cb3de237b09d376cb20171e133780e86629c

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7a2f767c6e34f46a36fa174017def41

SHA1
b9195ab75919ca21965d8a2efff3e3ba464b1381

SHA256
088f246caa0a58aaa0aa98b025bd30845ce60043814dae97e988a8a26ef43288

SHA512
0d2827ab1164f831162530d002ca76cb44197c0e9853fb501d345e1bfb28713463160fe829cf7a62c4eeb2e8ef2c4cf7f75651a006705adca65353fb36a7d593

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
342f74ac71c0d80bb24d94debd249f4a

SHA1
291dc064336078d2a65726344d4f85b62fd5014a

SHA256
692e7162d876f006e3cee9762cc9790b448704e1ffd589f62e01bf526956ba68

SHA512
6fbea0646d063062657c28912538e42e985a78bab9106180070348fd89b9a8292de0a0e3d91ea4184db0bccfc1fe35735ab3eb70d32add5f9f6e936981455c50

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f26b15bf7878596e4373c9ac7c910ad

SHA1
1c3789a0fb39b2253b61159d4ca13a6106708ff5

SHA256
6d9d7a7db4af38522128a382a404560b111e6cb18214a635b6c33dfed9ab5b86

SHA512
8cd52e3f61746399dbba2a7b4192d9720469f4968addb03d1bcd983834eb555d288121769ed0f55ab9cf7451d055de61ff1d4c51b50ab677369f6125ddbbd188

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d34e334ae4deab1a606d17ab9cce7b8d

SHA1
58d28e49054d3a2ae154622aabc23d25b63eef68

SHA256
d3a2e5609000f8ffaaba60b4f6c7fc1d07d70a18801c2453596355a9301bf43a

SHA512
777d6da30949d77d9ad5acbd0b366dde63a46ef6d2b576936a4c8c3692c2c19db23467b692e7671ee8fbc1dbc08942136e90ec03dc25f2339c461f0c3f59124e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de73b0efe9f2cdc086b85462cdd45b73

SHA1
882f81b995375c13ffb0c5eea0934af6cad0ac04

SHA256
def67b21e57b0aafa9203c76211e075895bbfa594bb63695d626444e5a2b09b3

SHA512
128d0008c6ee31518c7f715b9cc6ee4fcd08a2b717e78e33a99d922a2950ee5eb716fc37d3a97be9a28749a7bfe3ca7dce05160b5aba7a1135e83ffc289f034e

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a30545a1d2b3383be59905ee341f5764

SHA1
72a80f123683e8632470a45572a33318fc177013

SHA256
8cb6d46d5befb4d4c5def4442c916f3d6ac76e37a7dd7920ec7da6f928bb3fb4

SHA512
f4447e1c36f77c40e665019e525529cf77569318fc9257eb69f7ab7e87e958e17dc0468ab4b38a7e12ce1093b0d01053fe0a0ba62481ae9493cfc83bff9714b3

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1a85f457c24d2615324ae27853e2f7e

SHA1
e6e9717a4ede639450ce04872ae5a557b125a57c

SHA256
532eb89c99f4d3dab5fc60ea1705ab76a1ddcfb7f7c73602107a2cfe42973a0e

SHA512
4dac7510e336adc1566727233f6e823a2bc3b50bc86bf74cddd3da77f0bcc48488684eb4cd24f3ce4992018055b4a7e448e9d7bef21d6df64434331682071fc5

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ed4e72d66556e9da0f125fede3fbf58

SHA1
c78e8457b2e9e57bf58ac2bc56b6830724e0c347

SHA256
9a172a0ffc8b71e474b355914bfe4684cc8aca7aa5152a68075b851db5c8a750

SHA512
00c1194e623834797c46c875fde758b6ac7462b009ee237688dd8cce4fbacbbf1b76ae2216e0882b472277c065d1eb2077d26e1bd9fb9fc441116797509369b9

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1a2d478c1deff6b228a3978195eafb8

SHA1
110342ef42326acb7b5e26f6ee1028df4c6b5183

SHA256
a6b11ae2177f5297d115198a8a6b2e488d1f3698efe6649777c124dd129866b1

SHA512
f7d7d4708855d101a5e6ba18f6a433043f8a9eec24da725d64fee78861c866f11df5efac0e21261afcdbf0491dbb641f16979073f23a25ffc28663082b985756

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3960c270e06fe77cb73d89daa29997b1

SHA1
b6dc2ed6656d9217dc728ef4ff4044bc11b13a60

SHA256
3fa355f239bcd990586491eebcece74231424b4d50e53a6244c9da3b15fb3a27

SHA512
a2e4e8899498585a9743f129707a774a1d314da64b3a96e948809bca96a83b87bbfba6eba78f053bc25353b2d430d2c87962a841e9ac01d3fc82570120bc9bf2

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
47ce5ad3e34b2e4b504f8ff4f1ae646d

SHA1
126d98ac9a20703af66f327a22e9de4c3294cb71

SHA256
ca65df8f33f228c61c5f8598496755ae7836b5a0a35ba4856047ce42eae02bad

SHA512
3e129d1cc13f522b242b18daec1771ecc3bead8b5c5c5b6e5faccbcbfd9f51fff6191d40a55f11c1cc0fd54f120a974a07e4106d869a3449def148b66043d1e2

Download Submit
C:\Windows\Temp\Cab1803.tmp

Filesize
29KB

MD5
d59a6b36c5a94916241a3ead50222b6f

SHA1
e274e9486d318c383bc4b9812844ba56f0cff3c6

SHA256
a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

SHA512
17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

Download Submit
C:\Windows\Temp\Tar1816.tmp

Filesize
81KB

MD5
b13f51572f55a2d31ed9f266d581e9ea

SHA1
7eef3111b878e159e520f34410ad87adecf0ca92

SHA256
725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

SHA512
f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

Download Submit
\Windows\Installer\MSIE948.tmp-\AlphaControlAgentInstallation.dll

Filesize
25KB

MD5
aa1b9c5c685173fad2dabebeb3171f01

SHA1
ed756b1760e563ce888276ff248c734b7dd851fb

SHA256
e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

SHA512
d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

Download Submit
\Windows\Installer\MSIE948.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
\Windows\Installer\MSIEC55.tmp-\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
memory/872-76-0x0000000000830000-0x000000000083C000-memory.dmp

Filesize
48KB

Download
memory/872-72-0x00000000007E0000-0x000000000080E000-memory.dmp

Filesize
184KB

Download
memory/1580-309-0x0000000000530000-0x000000000053C000-memory.dmp

Filesize
48KB

Download
memory/1580-313-0x0000000004890000-0x0000000004942000-memory.dmp

Filesize
712KB

Download
memory/1580-305-0x0000000000480000-0x00000000004AE000-memory.dmp

Filesize
184KB

Download
memory/1852-1278-0x00000000008F0000-0x0000000000932000-memory.dmp

Filesize
264KB

Download
memory/1852-1281-0x0000000000C60000-0x0000000000D10000-memory.dmp

Filesize
704KB

Download
memory/1852-1282-0x0000000000160000-0x000000000017C000-memory.dmp

Filesize
112KB

Download
memory/2496-245-0x0000000000F30000-0x0000000000FC8000-memory.dmp

Filesize
608KB

Download
memory/2496-233-0x0000000001000000-0x0000000001028000-memory.dmp

Filesize
160KB

Download
memory/2788-109-0x00000000046E0000-0x0000000004792000-memory.dmp

Filesize
712KB

Download
memory/2788-101-0x0000000000470000-0x000000000049E000-memory.dmp

Filesize
184KB

Download
memory/2788-105-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2912-1107-0x0000000019D30000-0x0000000019D68000-memory.dmp

Filesize
224KB

Download
memory/2912-300-0x0000000019870000-0x0000000019922000-memory.dmp

Filesize
712KB

Download