67158ec3e3edcaff528ce829517c6ab20095b2dda6a3f60a5ebf53025d116040

Analysis

max time kernel
150s
max time network
148s
platform
windows10_x64
resource
win10v20210408
submitted
09-07-2021 12:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Dike_Infocert_upgrade.msi
Size

628KB
MD5

0162581e46cffb64d7c8c90c4134695b
SHA1

5af1b43c0264814e030b0b0116a9cf998d1ce8ca
SHA256

67158ec3e3edcaff528ce829517c6ab20095b2dda6a3f60a5ebf53025d116040
SHA512

13acfccd5022f4cbb6d4e4b9a6d8ca8ef2d919a4b67c5e196f4ed62d387dadd460594cbc42761f8e48a32f1a184df5c5fea6857ea1f61f251ce301877eccdb2c

Score

10^/10

bootkit discovery persistence

Malware Config

Signatures

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Blocklisted process makes network request 3 IoCs

Processes:

msiexec.exe

flow pid process

8 568 msiexec.exe
10 568 msiexec.exe
12 568 msiexec.exe
Downloads MZ/PE file

flow	pid	process
8	568	msiexec.exe
10	568	msiexec.exe
12	568	msiexec.exe

Executes dropped EXE 64 IoCs

Processes:

AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAgentPackageSTRemote.exeAgentPackageWindowsUpdate.exeAgentPackageHeartbeat.exeAgentPackageADRemote.exeAgentPackageTicketing.exeAgentPackageMonitoring.exeAgentPackageInternalPoller.exeAgentPackageUpgradeAgent.exeAgentPackageProgramManagement.exeAgentPackageNetworkDiscovery.exeAgentPackageTaskScheduler.exeAgentPackageUpgradeAgent.exeSplashtopStreamer3360.exeAgentPackageInternalPoller.exePreVerCheck.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeSetupUtil.exeSetupUtil.exeSetupUtil.exeSRSelfSignCertUtil.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exeISBEW64.exe

pid	process
2196	AteraAgent.exe
4112	AteraAgent.exe
4460	AgentPackageAgentInformation.exe
4588	AgentPackageAgentInformation.exe
572	AgentPackageAgentInformation.exe
4256	AgentPackageSTRemote.exe
2852	AgentPackageWindowsUpdate.exe
4192	AgentPackageHeartbeat.exe
4656	AgentPackageADRemote.exe
5044	AgentPackageTicketing.exe
4556	AgentPackageMonitoring.exe
3684	AgentPackageInternalPoller.exe
4676	AgentPackageUpgradeAgent.exe
4832	AgentPackageProgramManagement.exe
792	AgentPackageNetworkDiscovery.exe
4212	AgentPackageTaskScheduler.exe
4548	AgentPackageUpgradeAgent.exe
3844	SplashtopStreamer3360.exe
4244	AgentPackageInternalPoller.exe
2852	PreVerCheck.exe
2996	ISBEW64.exe
4828	ISBEW64.exe
3340	ISBEW64.exe
5012	ISBEW64.exe
4140	ISBEW64.exe
3752	ISBEW64.exe
4496	ISBEW64.exe
4636	ISBEW64.exe
4144	ISBEW64.exe
3496	ISBEW64.exe
4788	ISBEW64.exe
4836	ISBEW64.exe
2560	ISBEW64.exe
4840	ISBEW64.exe
4604	ISBEW64.exe
1216	ISBEW64.exe
892	ISBEW64.exe
1208	ISBEW64.exe
2276	ISBEW64.exe
4700	ISBEW64.exe
4504	ISBEW64.exe
4448	ISBEW64.exe
1808	ISBEW64.exe
5044	ISBEW64.exe
3532	ISBEW64.exe
4704	ISBEW64.exe
1720	ISBEW64.exe
4088	ISBEW64.exe
5016	ISBEW64.exe
4424	ISBEW64.exe
4804	SetupUtil.exe
4828	SetupUtil.exe
4476	SetupUtil.exe
4124	SRSelfSignCertUtil.exe
4780	ISBEW64.exe
4504	ISBEW64.exe
4448	ISBEW64.exe
1808	ISBEW64.exe
5044	ISBEW64.exe
4220	ISBEW64.exe
5084	ISBEW64.exe
920	ISBEW64.exe
2356	ISBEW64.exe
2200	ISBEW64.exe

Sets service image path in registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Loads dropped DLL 64 IoCs

Processes:

MsiExec.exeMsiExec.exeSplashtop_Software_Updater.exeSRManager.exeSRServer.exeSRAgent.exeSRFeature.exe

pid	process
2724	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
4732	Splashtop_Software_Updater.exe
4732	Splashtop_Software_Updater.exe
4732	Splashtop_Software_Updater.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
4616	SRManager.exe
4616	SRManager.exe
4616	SRManager.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
3240	MsiExec.exe
4560	SRServer.exe
4560	SRServer.exe
4560	SRServer.exe
4560	SRServer.exe
2248	SRAgent.exe
2248	SRAgent.exe
2248	SRAgent.exe
4616	SRManager.exe
4616	SRManager.exe
4616	SRManager.exe
4616	SRManager.exe
4616	SRManager.exe
4616	SRManager.exe
4616	SRManager.exe
1580	SRFeature.exe
1580	SRFeature.exe
1580	SRFeature.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

AgentPackageMonitoring.exe

description ioc process

File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe

Drops file in System32 directory 29 IoCs

Processes:

SRManager.exeAgentPackageInternalPoller.exeAgentPackageHeartbeat.exeAgentPackageTicketing.exeAgentPackageMonitoring.exeAteraAgent.exeAgentPackageNetworkDiscovery.exeAgentPackageUpgradeAgent.exeAgentPackageADRemote.exeMsiExec.exeAgentPackageAgentInformation.exeAgentPackageTaskScheduler.exeAgentPackageProgramManagement.exePreVerCheck.exeAgentPackageSTRemote.exeAteraAgent.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	SRManager.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	SRManager.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log	AgentPackageInternalPoller.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log	AgentPackageHeartbeat.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BDD4A3CA13696E12BB45668760AFF4D4	SRManager.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTicketing.exe.log	AgentPackageTicketing.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log	AgentPackageMonitoring.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	SRManager.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9A4D93321211DF6EB063AE7C571FBD27	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\cc46fabb156b92451cd150d9a4e4394c7c8661377bbe44785a20f5bc4406f53f\ycp25ib2.rcz	AgentPackageNetworkDiscovery.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log	AgentPackageUpgradeAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	SRManager.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BDD4A3CA13696E12BB45668760AFF4D4	SRManager.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log	AgentPackageADRemote.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	SRManager.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageNetworkDiscovery.exe.log	AgentPackageNetworkDiscovery.exe
File created	C:\Windows\system32\SRCCC2A.tmp	MsiExec.exe
File opened for modification	C:\Windows\system32\SRCredentialProvider.dll	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	SRManager.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log	AgentPackageAgentInformation.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTaskScheduler.exe.log	AgentPackageTaskScheduler.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\cc46fabb156b92451cd150d9a4e4394c7c8661377bbe44785a20f5bc4406f53f\2lce2hjm.glh	AgentPackageNetworkDiscovery.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log	AgentPackageProgramManagement.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9A4D93321211DF6EB063AE7C571FBD27	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageWindowsUpdate.exe.log	PreVerCheck.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\4a162b8d983d320e924d72c821ba56c86a77646dc1e4d854d910900b98964df9\4aqmoq1y.yo3	AgentPackageTaskScheduler.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log	AgentPackageSTRemote.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\ApplicationInsights\4a162b8d983d320e924d72c821ba56c86a77646dc1e4d854d910900b98964df9\g150girw.drd	AgentPackageTaskScheduler.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exeAteraAgent.exeSplashtop_Software_Updater.exeSRFeature.exePreVerCheck.exeAgentPackageInternalPoller.exeAgentPackageMonitoring.exe

description	ioc	process
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\64bits\stvad.sys	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LiteDB.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidSupport.reg	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAPI.dll	Splashtop_Software_Updater.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTray.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.inf	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\uninstall_driver64.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PinShortCut.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdwmark.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppBrowser.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\sysinfo.txt	SRFeature.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\amf-vcedem-win32.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\log.txt	PreVerCheck.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\snmp.cfg	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_iddcx.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdnup.gpd	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\uninstall_driver.bat	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Interop.WUApiLib.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\NLog.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\servers.cfg.bak	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\64bits\stvideo.sys	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\Atera.Telemetry.ApplicationInsights.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.inf	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\install.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_iddcx.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxywddm.sys	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\install_driver.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\uninstall_driver64.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl.ini	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\http.cfg	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\devcon64.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver64.bat	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\LastEventsProcessed.json	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\uninstall_driver.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd32.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\StructureMap.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip	AteraAgent.exe

Drops file in Windows directory 27 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\f74c83d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC169.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI90CD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA6B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID9C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF9F2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFA03.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEE76.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A91.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB00F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC08C.tmp	msiexec.exe
File created	C:\Windows\Installer\f74c837.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{40A5F259-A153-462D-BAE6-D4D180C5FBD9}	msiexec.exe
File created	C:\Windows\Installer\f74c83a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D90.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF4C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74c837.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICA6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f74c83a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA87D.tmp	msiexec.exe
File created	C:\Windows\Installer\f74c839.msi	msiexec.exe
File created	C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	msiexec.exe

Launches sc.exe
Sc.exe is a Windows utlilty to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\CompatibleIDs	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe

Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

3756 taskkill.exe
4352 taskkill.exe
5080 taskkill.exe
4800 taskkill.exe
628 taskkill.exe
4304 taskkill.exe
3532 taskkill.exe

pid	process
3756	taskkill.exe
4352	taskkill.exe
5080	taskkill.exe
4800	taskkill.exe
628	taskkill.exe
4304	taskkill.exe
3532	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

AgentPackageSTRemote.exeAgentPackageProgramManagement.exeAgentPackageInternalPoller.exeSRManager.execscript.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAgentPackageADRemote.exeAgentPackageAgentInformation.exeAteraAgent.execscript.exePreVerCheck.execscript.exeAgentPackageHeartbeat.exeMsiExec.exeAgentPackageMonitoring.exeAgentPackageInternalPoller.exeSetupUtil.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageADRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AgentPackageAgentInformation.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	AteraAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\4DEEA7060D80BABF1643B4E0F0104C82995075B7\Blob = 0300000001000000140000004deea7060d80babf1643b4e0f0104c82995075b7140000000100000014000000a3c85e6554e53078c105ea070a6a59ccb9fede5a04000000010000001000000042672e72f86c9ba154608d36bccd3c610f0000000100000020000000a2ffac7663c45d94e0bb448815febe55f1ed76a0bdab23cba1080a7e810b2f97190000000100000010000000a11334ea9745e3adfe3d13cffef49c545c0000000100000004000000000800001800000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee20000000010000008d0400003082048930820371a0030201020210025a8aef196f7e0d6c2104b21ae6702b300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3137313130363132323335325a170d3237313130363132323335325a305c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d311b30190603550403131254686177746520525341204341203230313830820122300d06092a864886f70d01010105000382010f003082010a0282010100ca085ee5538a971c1e432fb68aa756e98b8443a8ac9d7a55827a144b86b72f8f529f1ccab1205b6fba22dda69c2d78dae906084ebe13a6ebcbbb3eb9050c3e4ae1f0321f134ef506c54773893e80a38bf101249ba39966926b68ad0d2db4cd72a2f4f9385a65a6b48c53c1081a84f8fd2ef311756edc6a3129ac0d87cc936078df25ba265991c6835235a6ca9cb8281aced71cee14bf765c65ab381e79e97ccc492326a2525066d05961ffa0fe9a4c0c9ff9e88ede098bb815c1a4084c269c7b06dbfd8a745b587ecd63a4912f45f07a3c940b8a7cb205a967939f68e5956360d858955fe055ef93a7113b7ce692d86644e0abbda78fcda48578412454e7d8030203010001a38201403082013c301d0603551d0e04160414a3c85e6554e53078c105ea070a6a59ccb9fede5a301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030106082b0601050507030230120603551d130101ff040830060101ff020100303406082b0601050507010104283026302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d30420603551d1f043b30393037a035a0338631687474703a2f2f63726c332e64696769636572742e636f6d2f4469676943657274476c6f62616c526f6f7443412e63726c303d0603551d200436303430320604551d2000302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f435053300d06092a864886f70d01010b05000382010100444d85e5dd1c828ce164d5a89022df761865ea65d23b25374a83da9987167cb1f50b33300fc6b5fa916fc072107ef9705c51fc32b8c1dc2fa35686cd6d5591ae0a92dc9b1ad25b511ff15fb3a65380fe162589b548da546e047b2d6503d85f8f4ef28133f81ff5e4b2a8fe0e889b2561a6b7f0d535695031648d79a3ee315f845932a2972080531b657ea0f063435a0f9871800bfc96b7679386f6fcfeb7bb3a94a951d2727c67fded778ce0f889025ebee07417863c0ded93d92ab42ff40cb7dcc82660b55003ec7d1ce3595f1f6fbf2f2997d6eef8d55858a1b1cc6c412b4081a3399550279740f24a3d3665798b8d335f295353fc5e1d420e0b8cf991287b	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	PreVerCheck.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\4DEEA7060D80BABF1643B4E0F0104C82995075B7	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	PreVerCheck.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageInternalPoller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\WORKSTATION = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	PreVerCheck.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AgentPackageMonitoring.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AgentPackageInternalPoller.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	AgentPackageMonitoring.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	AgentPackageMonitoring.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\INSTVD = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SetupUtil.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AgentPackageProgramManagement.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	AgentPackageMonitoring.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	PreVerCheck.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AgentPackageInternalPoller.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	cscript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	AgentPackageADRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AgentPackageInternalPoller.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeSRService.exeMsiExec.exereg.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\952F5A04351AD264AB6E4D1D085CBF9D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductName = "Splashtop Streamer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\PackageCode = "4B43BFF14B20EEE4CA4A4249A1E8ED5E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8\49AE5C7BA69B5F14EB59527DB8846687	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32	SRService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\952F5A04351AD264AB6E4D1D085CBF9D\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AuthorizedLUAApp = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\DefaultIcon	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\Version = "17301504"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment"	SRService.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\Clients = 3a0000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}	SRService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll"	SRService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\PackageName = "Dike_Infocert_upgrade.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\952F5A04351AD264AB6E4D1D085CBF9D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\PackageCode = "3B6DC62DA6DC30A4A9459C5225CF1DAD"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\unpack\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\ = "SRCredentialProvider"	SRService.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net\1 = "C:\\Windows\\TEMP\\unpack\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\ = "URL:st-streamer Protocol"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\DefaultIcon\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe -a %1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\ProductName = "AteraAgent"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687\Server	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\PackageName = "setup.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\URL Protocol	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\ = "SRCredentialProvider"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\952F5A04351AD264AB6E4D1D085CBF9D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Version = "50593798"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductIcon = "C:\\Windows\\Installer\\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\InstanceType = "0"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

AteraAgent.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb658140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e76200000001000000200000001465fa205397b876faa6f0a9958e5590e40fcc7faa4fb7c2c8677521fb5fb65809000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	AteraAgent.exe

Runs .reg file with regedit 2 IoCs

Processes:

regedit.exeregedit.exe

pid process

2996 regedit.exe
2808 regedit.exe

pid	process
2996	regedit.exe
2808	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeAteraAgent.exeAgentPackageInternalPoller.exeAgentPackageSTRemote.exeAgentPackageUpgradeAgent.exeAgentPackageNetworkDiscovery.exeAgentPackageTaskScheduler.exeAgentPackageTicketing.exeSetupUtil.exeSetupUtil.exe

pid	process
3688	msiexec.exe
3688	msiexec.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
4112	AteraAgent.exe
3684	AgentPackageInternalPoller.exe
3684	AgentPackageInternalPoller.exe
4256	AgentPackageSTRemote.exe
4256	AgentPackageSTRemote.exe
4548	AgentPackageUpgradeAgent.exe
4548	AgentPackageUpgradeAgent.exe
792	AgentPackageNetworkDiscovery.exe
792	AgentPackageNetworkDiscovery.exe
792	AgentPackageNetworkDiscovery.exe
4212	AgentPackageTaskScheduler.exe
4212	AgentPackageTaskScheduler.exe
4212	AgentPackageTaskScheduler.exe
4548	AgentPackageUpgradeAgent.exe
4548	AgentPackageUpgradeAgent.exe
792	AgentPackageNetworkDiscovery.exe
792	AgentPackageNetworkDiscovery.exe
792	AgentPackageNetworkDiscovery.exe
5044	AgentPackageTicketing.exe
5044	AgentPackageTicketing.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4804	SetupUtil.exe
4828	SetupUtil.exe

Suspicious behavior: LoadsDriver 2 IoCs

Processes:

pid process

608
608

pid	process
608
608

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	568	msiexec.exe
Token: SeSecurityPrivilege	3688	msiexec.exe
Token: SeCreateTokenPrivilege	568	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	568	msiexec.exe
Token: SeLockMemoryPrivilege	568	msiexec.exe
Token: SeIncreaseQuotaPrivilege	568	msiexec.exe
Token: SeMachineAccountPrivilege	568	msiexec.exe
Token: SeTcbPrivilege	568	msiexec.exe
Token: SeSecurityPrivilege	568	msiexec.exe
Token: SeTakeOwnershipPrivilege	568	msiexec.exe
Token: SeLoadDriverPrivilege	568	msiexec.exe
Token: SeSystemProfilePrivilege	568	msiexec.exe
Token: SeSystemtimePrivilege	568	msiexec.exe
Token: SeProfSingleProcessPrivilege	568	msiexec.exe
Token: SeIncBasePriorityPrivilege	568	msiexec.exe
Token: SeCreatePagefilePrivilege	568	msiexec.exe
Token: SeCreatePermanentPrivilege	568	msiexec.exe
Token: SeBackupPrivilege	568	msiexec.exe
Token: SeRestorePrivilege	568	msiexec.exe
Token: SeShutdownPrivilege	568	msiexec.exe
Token: SeDebugPrivilege	568	msiexec.exe
Token: SeAuditPrivilege	568	msiexec.exe
Token: SeSystemEnvironmentPrivilege	568	msiexec.exe
Token: SeChangeNotifyPrivilege	568	msiexec.exe
Token: SeRemoteShutdownPrivilege	568	msiexec.exe
Token: SeUndockPrivilege	568	msiexec.exe
Token: SeSyncAgentPrivilege	568	msiexec.exe
Token: SeEnableDelegationPrivilege	568	msiexec.exe
Token: SeManageVolumePrivilege	568	msiexec.exe
Token: SeImpersonatePrivilege	568	msiexec.exe
Token: SeCreateGlobalPrivilege	568	msiexec.exe
Token: SeBackupPrivilege	4000	vssvc.exe
Token: SeRestorePrivilege	4000	vssvc.exe
Token: SeAuditPrivilege	4000	vssvc.exe
Token: SeBackupPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe
Token: SeTakeOwnershipPrivilege	3688	msiexec.exe
Token: SeRestorePrivilege	3688	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msiexec.exeSRServer.exe

pid process

568 msiexec.exe
568 msiexec.exe
4560 SRServer.exe
4560 SRServer.exe
Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

SplashtopStreamer3360.exeSRServer.exeSRDetect.exe

pid process

3844 SplashtopStreamer3360.exe
4560 SRServer.exe
4560 SRServer.exe
3972 SRDetect.exe

pid	process
568	msiexec.exe
568	msiexec.exe
4560	SRServer.exe
4560	SRServer.exe

pid	process
3844	SplashtopStreamer3360.exe
4560	SRServer.exe
4560	SRServer.exe
3972	SRDetect.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeAteraAgent.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.execmd.execmd.exeAgentPackageUpgradeAgent.exeAgentPackageSTRemote.exeSplashtopStreamer3360.exePreVerCheck.exeAgentPackageUpgradeAgent.exeAgentPackageAgentInformation.exe

description	pid	process	target process
PID 3688 wrote to memory of 2176	3688	msiexec.exe	srtasks.exe
PID 3688 wrote to memory of 2176	3688	msiexec.exe	srtasks.exe
PID 3688 wrote to memory of 2724	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 2724	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 2724	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 2196	3688	msiexec.exe	AteraAgent.exe
PID 3688 wrote to memory of 2196	3688	msiexec.exe	AteraAgent.exe
PID 4112 wrote to memory of 4232	4112	AteraAgent.exe	sc.exe
PID 4112 wrote to memory of 4232	4112	AteraAgent.exe	sc.exe
PID 4112 wrote to memory of 4460	4112	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 4112 wrote to memory of 4460	4112	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 4112 wrote to memory of 4588	4112	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 4112 wrote to memory of 4588	4112	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 4460 wrote to memory of 4972	4460	AgentPackageAgentInformation.exe	cmd.exe
PID 4588 wrote to memory of 4968	4588	AgentPackageAgentInformation.exe	cmd.exe
PID 4460 wrote to memory of 4972	4460	AgentPackageAgentInformation.exe	cmd.exe
PID 4588 wrote to memory of 4968	4588	AgentPackageAgentInformation.exe	cmd.exe
PID 4972 wrote to memory of 5064	4972	cmd.exe	cscript.exe
PID 4972 wrote to memory of 5064	4972	cmd.exe	cscript.exe
PID 4968 wrote to memory of 5072	4968	cmd.exe	cscript.exe
PID 4968 wrote to memory of 5072	4968	cmd.exe	cscript.exe
PID 4112 wrote to memory of 572	4112	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 4112 wrote to memory of 572	4112	AteraAgent.exe	AgentPackageAgentInformation.exe
PID 4112 wrote to memory of 4256	4112	AteraAgent.exe	AgentPackageSTRemote.exe
PID 4112 wrote to memory of 4256	4112	AteraAgent.exe	AgentPackageSTRemote.exe
PID 4112 wrote to memory of 2852	4112	AteraAgent.exe	AgentPackageWindowsUpdate.exe
PID 4112 wrote to memory of 2852	4112	AteraAgent.exe	AgentPackageWindowsUpdate.exe
PID 4112 wrote to memory of 4192	4112	AteraAgent.exe	AgentPackageHeartbeat.exe
PID 4112 wrote to memory of 4192	4112	AteraAgent.exe	AgentPackageHeartbeat.exe
PID 4112 wrote to memory of 4656	4112	AteraAgent.exe	AgentPackageADRemote.exe
PID 4112 wrote to memory of 4656	4112	AteraAgent.exe	AgentPackageADRemote.exe
PID 4112 wrote to memory of 5044	4112	AteraAgent.exe	AgentPackageTicketing.exe
PID 4112 wrote to memory of 5044	4112	AteraAgent.exe	AgentPackageTicketing.exe
PID 4112 wrote to memory of 4556	4112	AteraAgent.exe	AgentPackageMonitoring.exe
PID 4112 wrote to memory of 4556	4112	AteraAgent.exe	AgentPackageMonitoring.exe
PID 4112 wrote to memory of 3684	4112	AteraAgent.exe	AgentPackageInternalPoller.exe
PID 4112 wrote to memory of 3684	4112	AteraAgent.exe	AgentPackageInternalPoller.exe
PID 4112 wrote to memory of 4676	4112	AteraAgent.exe	AgentPackageUpgradeAgent.exe
PID 4112 wrote to memory of 4676	4112	AteraAgent.exe	AgentPackageUpgradeAgent.exe
PID 4112 wrote to memory of 4832	4112	AteraAgent.exe	AgentPackageProgramManagement.exe
PID 4112 wrote to memory of 4832	4112	AteraAgent.exe	AgentPackageProgramManagement.exe
PID 4112 wrote to memory of 792	4112	AteraAgent.exe	AgentPackageNetworkDiscovery.exe
PID 4112 wrote to memory of 792	4112	AteraAgent.exe	AgentPackageNetworkDiscovery.exe
PID 4112 wrote to memory of 4212	4112	AteraAgent.exe	AgentPackageTaskScheduler.exe
PID 4112 wrote to memory of 4212	4112	AteraAgent.exe	AgentPackageTaskScheduler.exe
PID 4676 wrote to memory of 4548	4676	AgentPackageUpgradeAgent.exe	AgentPackageUpgradeAgent.exe
PID 4676 wrote to memory of 4548	4676	AgentPackageUpgradeAgent.exe	AgentPackageUpgradeAgent.exe
PID 4256 wrote to memory of 3844	4256	AgentPackageSTRemote.exe	SplashtopStreamer3360.exe
PID 4256 wrote to memory of 3844	4256	AgentPackageSTRemote.exe	SplashtopStreamer3360.exe
PID 4256 wrote to memory of 3844	4256	AgentPackageSTRemote.exe	SplashtopStreamer3360.exe
PID 4112 wrote to memory of 4244	4112	AteraAgent.exe	AgentPackageInternalPoller.exe
PID 4112 wrote to memory of 4244	4112	AteraAgent.exe	AgentPackageInternalPoller.exe
PID 3844 wrote to memory of 2852	3844	SplashtopStreamer3360.exe	PreVerCheck.exe
PID 3844 wrote to memory of 2852	3844	SplashtopStreamer3360.exe	PreVerCheck.exe
PID 3844 wrote to memory of 2852	3844	SplashtopStreamer3360.exe	PreVerCheck.exe
PID 2852 wrote to memory of 3864	2852	PreVerCheck.exe	msiexec.exe
PID 2852 wrote to memory of 3864	2852	PreVerCheck.exe	msiexec.exe
PID 2852 wrote to memory of 3864	2852	PreVerCheck.exe	msiexec.exe
PID 4548 wrote to memory of 4632	4548	AgentPackageUpgradeAgent.exe	cmd.exe
PID 4548 wrote to memory of 4632	4548	AgentPackageUpgradeAgent.exe	cmd.exe
PID 3688 wrote to memory of 3240	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 3240	3688	msiexec.exe	MsiExec.exe
PID 3688 wrote to memory of 3240	3688	msiexec.exe	MsiExec.exe
PID 572 wrote to memory of 2776	572	AgentPackageAgentInformation.exe	cmd.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Dike_Infocert_upgrade.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:568

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:2176

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 3CF79F3F883051924BC671C1C09D20F7
2⤵
- Loads dropped DLL
PID:2724

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="amministrazione@universoinvestigazioni.it" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="0013z00002gg5y2AAA"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2196

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 87A1883E1752E6A19BB37F76ED7DA25E E Global\MSI0000
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3240

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56E0A2F9-1C1D-4C9C-BA53-DAFC90A88526}
3⤵
- Executes dropped EXE
PID:2996

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{63D4F39E-7847-48B6-97A3-A8CC3C113FB0}
3⤵
- Executes dropped EXE
PID:4828

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1B3B9D9D-CD9C-4224-9934-90FC478D0877}
3⤵
- Executes dropped EXE
PID:3340

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C24D6E8-B361-4A64-B063-7EA94D88B0E9}
3⤵
- Executes dropped EXE
PID:5012

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{63B6DC72-2ED6-431A-86F6-28FB664ED4CA}
3⤵
- Executes dropped EXE
PID:4140

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0BE092DE-1107-481F-8E8E-60BD2AE3E902}
3⤵
- Executes dropped EXE
PID:3752

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66C9F1BF-2B4F-4E72-8DB8-72F5E9FBCDB7}
3⤵
- Executes dropped EXE
PID:4496

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4B1F3629-1608-4B6C-8B29-029B99688B6F}
3⤵
- Executes dropped EXE
PID:4636

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66B76262-F622-48C1-9A41-4B13100FE32D}
3⤵
- Executes dropped EXE
PID:4144

C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe
C:\Windows\TEMP\{F3C2BAF4-ED5A-4B13-A60D-11FCB2557B56}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF9345F8-F65C-4D1C-A2A8-E18D241A1DA0}
3⤵
- Executes dropped EXE
PID:3496

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
3⤵
PID:4696

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /IM SRServer.exe /T
4⤵
- Kills process with taskkill
PID:3756

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
3⤵
PID:4532

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /IM SRApp.exe /T
4⤵
- Kills process with taskkill
PID:4352

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
3⤵
PID:4632

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /IM SRFeature.exe /T
4⤵
- Kills process with taskkill
PID:5080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
3⤵
PID:4984

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /IM SRFeatMini.exe /T
4⤵
- Kills process with taskkill
PID:4800

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
3⤵
PID:4052

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /IM SRManager.exe /T
4⤵
- Kills process with taskkill
PID:628

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
3⤵
PID:4192

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /IM SRAgent.exe /T
4⤵
- Kills process with taskkill
PID:4304

C:\Windows\SysWOW64\cmd.exe
C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
3⤵
PID:4200

C:\Windows\SysWOW64\taskkill.exe
taskkill.exe /F /IM SRChat.exe /T
4⤵
- Kills process with taskkill
PID:3532

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{825ABDE2-29A4-4460-9125-A034B08BB941}
3⤵
- Executes dropped EXE
PID:4788

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9281834-389E-49A7-AAF9-A7DA51404BBC}
3⤵
- Executes dropped EXE
PID:4836

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F8B30EE-6ED5-4E56-AFB2-ADDAFB9D9879}
3⤵
- Executes dropped EXE
PID:2560

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{25ABD46A-A030-45EE-865B-1095AC85599C}
3⤵
- Executes dropped EXE
PID:4840

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D6C2D573-DF2C-4433-B7DF-44D8FCCEA0A9}
3⤵
- Executes dropped EXE
PID:4604

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA34ED05-C6C0-40E9-8451-157574E3C5E5}
3⤵
- Executes dropped EXE
PID:1216

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D5DC8638-6709-448E-8F04-D89EE948F0CB}
3⤵
- Executes dropped EXE
PID:892

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4EBCE234-55B3-49F8-ACCC-C10F6AEBE355}
3⤵
- Executes dropped EXE
PID:1208

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{67F30AF5-0435-4F9A-BDC6-D0C8C09EA940}
3⤵
- Executes dropped EXE
PID:2276

C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe
C:\Windows\TEMP\{C2CBB8F1-1DB4-4EB4-9EB7-15D31D67DE1A}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90CBE1B6-759B-446B-94E8-90A91360DA64}
3⤵
- Executes dropped EXE
PID:4700

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{57654969-C1C4-472B-9FDA-D000539FB773}
3⤵
- Executes dropped EXE
PID:4504

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{34FADB3F-2492-4A9F-B8EF-BDD90D6F76E3}
3⤵
- Executes dropped EXE
PID:4448

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7D257540-D4DE-4376-98C1-F5C69562A348}
3⤵
- Executes dropped EXE
PID:1808

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{94EB9A22-CD52-43F9-B386-90BF9EEEC50B}
3⤵
- Executes dropped EXE
PID:5044

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C565211-E76A-45A3-9CDB-F8FC932F5FE2}
3⤵
- Executes dropped EXE
PID:3532

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66CEAF9E-D0FA-48BB-8FFA-E2741DACCE91}
3⤵
- Executes dropped EXE
PID:4704

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{936EE93F-DCE2-4E4F-B085-4F342929637C}
3⤵
- Executes dropped EXE
PID:1720

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{776D3058-1D49-462C-B2DE-FC51B9894012}
3⤵
- Executes dropped EXE
PID:4088

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7FC98322-3651-410A-BF33-F663785658BF}
3⤵
- Executes dropped EXE
PID:5016

C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe
C:\Windows\TEMP\{853E3393-230A-4538-BE32-FBAA5C139A8D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A05F7785-A94E-4B44-89F9-E8549F611093}
3⤵
- Executes dropped EXE
PID:4424

C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SetupUtil.exe
C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SetupUtil.exe /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4804

C:\Windows\syswow64\regedit.exe
regedit.exe /s "C:\Windows\TEMP\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\InstRegExp.reg"
3⤵
- Runs .reg file with regedit
PID:2996

C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SetupUtil.exe
C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SetupUtil.exe /P USERSESSIONID
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4828

C:\Windows\syswow64\regedit.exe
regedit.exe /s "C:\Windows\TEMP\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\InstRegExp.reg"
3⤵
- Runs .reg file with regedit
PID:2808

C:\Windows\syswow64\reg.exe
reg.exe import "C:\Windows\TEMP\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\CredProvider_Inst.reg" /reg:64
3⤵
- Modifies registry class
PID:4276

C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SetupUtil.exe
C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SetupUtil.exe /P ST_EVENT
3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4476

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /C wevtutil.exe um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
4⤵
PID:5080

C:\Windows\system32\wevtutil.exe
wevtutil.exe um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
5⤵
PID:1208

C:\Windows\System32\cmd.exe
"C:\Windows\sysnative\cmd.exe" /C wevtutil.exe im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
4⤵
PID:4040

C:\Windows\system32\wevtutil.exe
wevtutil.exe im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
5⤵
PID:2124

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g
3⤵
- Executes dropped EXE
PID:4124

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{985E3B89-EB85-4C5F-8A44-8AF99DC62332}
3⤵
- Executes dropped EXE
PID:4780

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F791183C-E57C-4D3B-B29A-2F6C0ABDA895}
3⤵
- Executes dropped EXE
PID:4504

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6BFE17E8-65BC-43EA-B06F-855B830F83EA}
3⤵
- Executes dropped EXE
PID:4448

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F38846C-5221-4505-93A0-B134CCE66E1D}
3⤵
- Executes dropped EXE
PID:1808

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{919D4EB8-F4B3-48E9-98CA-963C8144A94E}
3⤵
- Executes dropped EXE
PID:5044

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{70B05FD1-D9CA-4DB5-8F54-F121CE92E979}
3⤵
- Executes dropped EXE
PID:4220

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D9956792-A3AA-4308-8DA4-078643A34618}
3⤵
- Executes dropped EXE
PID:5084

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{25B83643-8987-431F-8507-49879469180B}
3⤵
- Executes dropped EXE
PID:920

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AE77BBB0-3E10-4552-849B-7A7B930F5D9C}
3⤵
- Executes dropped EXE
PID:2356

C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe
C:\Windows\TEMP\{E302148E-FE4F-4892-9997-AE642828FCC2}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B50E5235-C7B2-414A-9934-3EE58B8EF44A}
3⤵
- Executes dropped EXE
PID:2200

C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SSU_Clean.exe
C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\SSU_Clean.exe /S
3⤵
PID:5028

C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\Splashtop_Software_Updater.exe
C:\Windows\Temp\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\Splashtop_Software_Updater.exe /S /Caller=SVR
3⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:4732

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FAFF3246-4B6F-4DDF-8922-039F40907965}
3⤵
PID:3084

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{04BBFCCA-019C-480A-AB84-D70702664455}
3⤵
PID:4540

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CBB42200-C0DE-4136-B5B9-948927A4EA56}
3⤵
PID:2848

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3A5A51DA-AA3C-489B-B4BF-BE09EBD58E22}
3⤵
PID:4824

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{26845AB6-2F30-4057-8974-9843C4AA8FE5}
3⤵
PID:4660

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{146D6746-74E8-4ED9-9046-BCA64C7C8927}
3⤵
PID:4588

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECDEBB99-14EF-4307-B5AA-3F118A993B6B}
3⤵
PID:4656

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C759860-E170-41EF-BBBA-47F3640D84A4}
3⤵
PID:4180

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{482EDB8A-085A-426F-9060-853E97E2D856}
3⤵
PID:5068

C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe
C:\Windows\TEMP\{FF815495-787E-4035-A84D-109D6D9200A1}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F7EAEE9-D9EF-4EB8-BE37-13045A56A8BB}
3⤵
PID:4680

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i
3⤵
- Modifies registry class
PID:680

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE69EA87-D3CA-4C1C-9EC7-63B50B7875F4}
3⤵
PID:1720

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C816509-CB82-4411-B9E0-D4F1ABAEBDDC}
3⤵
PID:3960

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FF20CC21-425A-4F16-8B2B-3075D91D2EBD}
3⤵
PID:2476

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{015FA561-3B39-49CB-8315-2EBEB1DC6B43}
3⤵
PID:4292

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6E666047-51A8-4DBD-A9E7-6B9DBA53F2C6}
3⤵
PID:4260

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{39FD44C9-F716-4BB2-98B9-4885DE818694}
3⤵
PID:4472

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30D6DDA8-503E-4842-92EE-BEFCBDCEA9A8}
3⤵
PID:4756

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1757BB16-90C0-4CC2-B305-126A8771A73E}
3⤵
PID:3156

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BF4B7FC4-3BFB-45DC-A84E-43374D5B238D}
3⤵
PID:2284

C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe
C:\Windows\TEMP\{239094C2-B2D2-4F85-B486-31ABB40556DE}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D697E23-C09D-428D-B8CC-2382F23595E3}
3⤵
PID:4684

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r
3⤵
PID:4020

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B4B842A9-A768-490C-8931-1EAEE02BFB1F}
3⤵
PID:2804

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A9C2A5D7-04E0-4FFB-8D03-1069767A64AD}
3⤵
PID:572

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A8F5CD2E-24FF-4E4F-A408-082232BDCC5D}
3⤵
PID:4584

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA314F9C-DA5E-4115-A0BB-C83F2DD38EA5}
3⤵
PID:4992

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF1E97C5-AA9D-4C22-BA83-5808958BB0AD}
3⤵
PID:4524

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{43CD7811-130F-4346-97F2-8A2DA13026FA}
3⤵
PID:4460

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{97D9F6D0-D275-4CEB-AE60-B92CA2756621}
3⤵
PID:3752

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49604227-574A-402E-9D7D-45FC43D4F141}
3⤵
PID:4308

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{46272BF6-22FB-4E5E-B8F0-ED0323C2440A}
3⤵
PID:2352

C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe
C:\Windows\TEMP\{698CE808-511D-4B71-A0FC-7D5DC37A158D}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9174D274-5154-4BE1-9C79-1A538C81A650}
3⤵
PID:4756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4000

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
PID:760

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4112

C:\Windows\System32\sc.exe
"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
2⤵
PID:4232

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "21e84880-f115-4678-9d90-5eaf455851de" agent-api.atera.com/Production 443 or8ixLi90Mf "initialIdentification"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4460

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c "cscript ospp.vbs /dstatus"
3⤵
- Suspicious use of WriteProcessMemory
PID:4972

C:\Windows\system32\cscript.exe
cscript ospp.vbs /dstatus
4⤵
- Modifies data under HKEY_USERS
PID:5064

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "a3b9151e-ee78-4f92-ad4a-346c4ade90ee" agent-api.atera.com/Production 443 or8ixLi90Mf "initialIdentification"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4588

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c "cscript ospp.vbs /dstatus"
3⤵
- Suspicious use of WriteProcessMemory
PID:4968

C:\Windows\system32\cscript.exe
cscript ospp.vbs /dstatus
4⤵
- Modifies data under HKEY_USERS
PID:5072

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "005ca982-7e1c-4864-8080-8aff1ee3aad6" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:572

C:\Windows\SYSTEM32\cmd.exe
"cmd.exe" /c "cscript ospp.vbs /dstatus"
3⤵
PID:2776

C:\Windows\system32\cscript.exe
cscript ospp.vbs /dstatus
4⤵
- Modifies data under HKEY_USERS
PID:1720

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "7338c267-f4dc-41c0-abb1-a136012c31ec" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4256

C:\Windows\TEMP\SplashtopStreamer3360.exe
"C:\Windows\TEMP\SplashtopStreamer3360.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3844

C:\Windows\Temp\unpack\PreVerCheck.exe
"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\SysWOW64\msiexec.exe
msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
5⤵
PID:3864

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ"
3⤵
PID:2144

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_session_pwd=44e158641a0506ccbff5afd2659e3a53"
3⤵
PID:4480

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "f73be582-09c3-477c-b81d-b2ec62b82787" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"
2⤵
- Executes dropped EXE
PID:2852

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "47c5e84c-98d3-4e55-bed8-7f1558f5212e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4192

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "d364a8ec-539e-4104-868c-05b37085bfec" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4656

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "75f2d49f-c1a7-48cb-8930-0b6fbe1223b7" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:5044

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "5d659fff-9230-4bf1-a4b6-7e2a32fc7eab" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4556

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "0ca2f59b-1a24-4065-b174-731a437a2cbc" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3684

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "b26bc8e2-ca40-4cd1-af4a-09fb661a76df" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "98312f59-2532-4611-ae7f-8c728ca86001" "b26bc8e2-ca40-4cd1-af4a-09fb661a76df" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4548

C:\Windows\SYSTEM32\msiexec.exe
"msiexec.exe" /i C:\Windows\TEMP\Setupx64.msi /lv* AteraSetupLog.txt /qn /norestart
4⤵
PID:4632

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "343474ca-b0eb-47e0-b452-88f933cef2b9" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4832

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\AgentPackageTaskScheduler.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTaskScheduler\AgentPackageTaskScheduler.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "59a32b50-33be-457f-b1e0-b4a7ef3217fd" agent-api.atera.com/Production 443 or8ixLi90Mf "Schedule"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\AgentPackageNetworkDiscovery.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageNetworkDiscovery\AgentPackageNetworkDiscovery.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "0c32edf0-9ec3-45a0-bf7a-b9bbff7ca71c" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJQYXJhbXMiOiJ7XCJDb21tYW5kXCI6NixcIkRvbWFpbk5hbWVcIjpcIlwiLFwiVXNlck5hbWVcIjpcIlwiLFwiUGFzc3dvcmRcIjpcIlwiLFwiQ3VzdG9tZXJOYW1lXCI6XCJcIixcIkJhY2tncm91bmRTY2FuSG91cnNcIjpbMTAsMTRdfSIsIktleSI6IiIsIk5ldHdvcmtEaXNjb3ZlcnlDb21tYW5kVHlwZSI6NiwiSXNBZG1pbiI6ZmFsc2V9"
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:792

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "3228eb44-2810-4c26-90cc-94ec980e3ebd" agent-api.atera.com/Production 443 or8ixLi90Mf "syncdevices"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:4244

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "47c5e84c-98d3-4e55-bed8-7f1558f5212e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
2⤵
PID:3188

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "7338c267-f4dc-41c0-abb1-a136012c31ec" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
2⤵
PID:2400

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_session_pwd=44e158641a0506ccbff5afd2659e3a53"
3⤵
PID:4496

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 98312f59-2532-4611-ae7f-8c728ca86001 "47c5e84c-98d3-4e55-bed8-7f1558f5212e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
2⤵
- Modifies data under HKEY_USERS
PID:4308

C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
"C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe"
1⤵
PID:4944

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"
1⤵
PID:4768

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"
2⤵
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4616

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe
-h
3⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4560

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"
3⤵
- Loads dropped DLL
PID:2248

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"
3⤵
- Loads dropped DLL
- Drops file in Program Files directory
PID:1580

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe"
4⤵
- Suspicious use of SetWindowsHookEx
PID:3972

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
SRUtility.exe -r
4⤵
PID:3760

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Bootkit

T1067

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
MD5
33dd421f03cba2285db580d195337417

SHA1
ef6a57315a9f4bc95e8372de231c76961bb26d61

SHA256
0bfee9b7976dac1a18339d57d5f9991f65ce25b87fd01c74e16f943eb3d1d899

SHA512
b3993661dce0d5a472384f244baf34f680d4bbcde066c45cfef94a2f4c5db4a796be24ecb7dd081bd6e1b5dd8da7ce9f9a7a41713f2dfda2e11e6f15edd69073

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
MD5
33dd421f03cba2285db580d195337417

SHA1
ef6a57315a9f4bc95e8372de231c76961bb26d61

SHA256
0bfee9b7976dac1a18339d57d5f9991f65ce25b87fd01c74e16f943eb3d1d899

SHA512
b3993661dce0d5a472384f244baf34f680d4bbcde066c45cfef94a2f4c5db4a796be24ecb7dd081bd6e1b5dd8da7ce9f9a7a41713f2dfda2e11e6f15edd69073

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
MD5
33dd421f03cba2285db580d195337417

SHA1
ef6a57315a9f4bc95e8372de231c76961bb26d61

SHA256
0bfee9b7976dac1a18339d57d5f9991f65ce25b87fd01c74e16f943eb3d1d899

SHA512
b3993661dce0d5a472384f244baf34f680d4bbcde066c45cfef94a2f4c5db4a796be24ecb7dd081bd6e1b5dd8da7ce9f9a7a41713f2dfda2e11e6f15edd69073

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config
MD5
7ff0ac77806aed9588b143cd0fab552b

SHA1
184b62f2956b95ffe3dc98ebb31d7f45dbca83fd

SHA256
730d85d5ef4f0939154278949c126a444ed859e7718bb175ca3153ca6ed9d142

SHA512
1856bda8cc3d4161110cd75a7be4939193ed408a95f9c41e22f4cc9f85b1294584f95796bce207dd65d606ffb57760b3d2e1681efbbb7759a19a9f70fb7edac8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.INI
MD5
52ad24cd7b4b64fdb749335b1e947c0a

SHA1
4ae2c80907f7fac3df3b0186d1bc53e2890e5de9

SHA256
6211b1bd1a05e7d078d2bc8bc9edcee30a70d15ce9cd0997bf08dd90b5b516d9

SHA512
7da6f5e939807e3e0cbc47c920b17bb65e342d5797567a4f902df0f543746f76f115ed33f6529cc995dac31f05bda26c7f8e2a83c914a7e8bdf5b7d056f84fbe

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
MD5
cc697eb732f601562293576e25725044

SHA1
38d32ff1faee74d5813d7ed82ab786bb7f63ace8

SHA256
3d028c4204341b8fc14fa36efadf9ab6758547708b25179ee60b6f6207d8e166

SHA512
b1881741f9bb6341436edacf5add2e717afec4b6480c9ff76345ff846f74ba6fda6e77291f378bcc4aaa9c0854b41a229b876caa0ca09e04c8edec31aecf36fd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
MD5
cc697eb732f601562293576e25725044

SHA1
38d32ff1faee74d5813d7ed82ab786bb7f63ace8

SHA256
3d028c4204341b8fc14fa36efadf9ab6758547708b25179ee60b6f6207d8e166

SHA512
b1881741f9bb6341436edacf5add2e717afec4b6480c9ff76345ff846f74ba6fda6e77291f378bcc4aaa9c0854b41a229b876caa0ca09e04c8edec31aecf36fd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe.config
MD5
200b9c5450a1640157e06de09698a485

SHA1
fd8cbe606fff687c4c4aa807f2ea22b73f353ad0

SHA256
e6505d2e060926a7e7e7ed3e2d66b974ec15576719d18177e2aa9e540d4acd9f

SHA512
b88b11a7bc0bba669263bf25a8ccd9cbde71a4196e59b35c4e4cd26deed6f18ff00452d585c6d1ec4986d92f6d51c9b94c0cfcc577acdbe6ae94fe2475b6ba51

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll
MD5
7911b591333e07c3d497985be2a29d3c

SHA1
f679994b1ed45ec7011e5401b0338e9fed934ac7

SHA256
e960b38ba9a34d472e22d63af322c6b1e8ccbca470fa3117bec12db6f65362f8

SHA512
f6c957ce2a73bbaa1247c60ea6267fad18c0f8cea1a74401ceb355e657889017083c7da0d857f0f7a467988cc954e0d58417e73124556cd541b8f2d2e865805a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.ModelsV3.dll
MD5
2188e1b90ffd7858b8d067fe1612cb1e

SHA1
a6d03ba0ee59727cc942ca56b85890b8b0a0944b

SHA256
8901817b84a7eea58517e7b36bcd86009afddaa34e6e2144eb279d2f11be2edc

SHA512
e5fc6e40b47231f405113d23617647af0d1c2f07f6aec332baeffdc6d2372c651d5afc8844f513695a523e59145ffa65fdc26071fee37b1de8d6375e8f90492e

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll
MD5
ac62aaad8daaf570084a5c9fc39b7ee8

SHA1
cf317cade246cdc47d34706038574d0401dec6e8

SHA256
779e7bff8fc744f02e64e097fd0c32c3f93bbe8d233ff796f83384c5f73889a9

SHA512
ded66cb1c9bc73d5010103a2be632ec8fa3d7272623a5d1aa85aa19c3d857f5f74639084bed4b244c5381e5ac46e6e47d5be80790dedb3f9fdd41e3f6cd5780c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
MD5
04ef8a3c001a0ee28b1787423127271e

SHA1
aa0b319a3b8f04d1ba5704e0d87f9195deaed332

SHA256
4f02c008ea3183f19c0a5d56a71e2b6e07a99a56489d36cf40b5bac910409e18

SHA512
9c0d91eb8c9339a788c78d3850d78aae9a8e251cfc56c9c58e347f5f0fb6ba72fb111bb849c3857b4167f3f312fe3e920bb1826c2254d20954f75c7c19f65f33

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
MD5
49916107ee58eb8150c4e20ccfcc15d7

SHA1
c6e89b6881d46ae708ab1a3df023f8228e5476c0

SHA256
3e6ea764c4eaa5685f6a0e44268a7f2d7cd48c42aa6ab32f80124389757938f2

SHA512
4e18017d43e6d7410aeadc161f53efea733b0091b28dc0201ec4c153a2e8b00999f09b0439168eea932e6464a6104d76d35dbbd8b420487c41e2b81e8faba08a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
MD5
49916107ee58eb8150c4e20ccfcc15d7

SHA1
c6e89b6881d46ae708ab1a3df023f8228e5476c0

SHA256
3e6ea764c4eaa5685f6a0e44268a7f2d7cd48c42aa6ab32f80124389757938f2

SHA512
4e18017d43e6d7410aeadc161f53efea733b0091b28dc0201ec4c153a2e8b00999f09b0439168eea932e6464a6104d76d35dbbd8b420487c41e2b81e8faba08a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
MD5
49916107ee58eb8150c4e20ccfcc15d7

SHA1
c6e89b6881d46ae708ab1a3df023f8228e5476c0

SHA256
3e6ea764c4eaa5685f6a0e44268a7f2d7cd48c42aa6ab32f80124389757938f2

SHA512
4e18017d43e6d7410aeadc161f53efea733b0091b28dc0201ec4c153a2e8b00999f09b0439168eea932e6464a6104d76d35dbbd8b420487c41e2b81e8faba08a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
MD5
49916107ee58eb8150c4e20ccfcc15d7

SHA1
c6e89b6881d46ae708ab1a3df023f8228e5476c0

SHA256
3e6ea764c4eaa5685f6a0e44268a7f2d7cd48c42aa6ab32f80124389757938f2

SHA512
4e18017d43e6d7410aeadc161f53efea733b0091b28dc0201ec4c153a2e8b00999f09b0439168eea932e6464a6104d76d35dbbd8b420487c41e2b81e8faba08a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
MD5
7033bdb79f5752cbcafa17b296df24b2

SHA1
1d59a4aa8545f1d8aef1606c4a8a23b1b807ff18

SHA256
7b07559d1b4b17d4aef7e6f305a0d8c2fed13931b85e217bda0ee702af523f74

SHA512
df78b9194a91a2c2ab5814e92ab8585c3aaaef3f1519146592ad345253dea0afe2be8c3d99291f4bdfaf32d3785ad5cb33586e9f4a18a01e370451b69e9fc36d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
MD5
159c9643ddfb511421327ece3bb3133b

SHA1
4c11d1e591bf0d9b89ea5a949ed26a0425b25184

SHA256
a1c9523bdb884cd43b20d3d5173f2c6bf206de17c2e79db25d372ff19cec5fb7

SHA512
c7232aed3013d5d472475c1e4ba2335f57ebb31228545d7e1a7de45bbcb0246af0115a590d608389a32f1614befa67122eb33bd9881bea7ea2ff1b5b56bd2a98

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
MD5
c56f50320ec016d53ccaa5cb824f4573

SHA1
7a3102cd45cf49f12195f9354f0412e0885f8504

SHA256
cbc15a831e6ca49482dc16a50cfd6cd8b70f1865b3ed2be57b831e1e0d8dec6e

SHA512
92720fc806dd79399df2f2f9d2f5f66a7cae2b6debef3da3f018c183a15d9e49691612615b492c573b6665ccbb3da37041a74263d1f20cf1b45c2640d6044ef2

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.INI
MD5
03b8a5a32d56d4fbdf7802d7aec58aa1

SHA1
d340ac69ebbd1883d17915ea3bb856c93ec37a98

SHA256
a42f4dfec2e8385fe457f0604977a4f5cedae391776598b04367addc6d1c8ada

SHA512
1ee29b06c9a8ee1d1f5e200f59e25ce29d4aa4c8fcf1c809e75a28f4d3c9faf3e7ff2077bc351dca81e287a0c57d17f6b1b5f535415f7837667bad29e6559991

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
MD5
e6cf1fac613f61846812b4a30efc3a39

SHA1
060b70d76d5178a6bf33d160fbc7db6a5789fbfe

SHA256
524c7a89c9de151943d41261910f5e3b58abed77a7ff8827f1903e972dd37be2

SHA512
4c03b7603cff7997a9fe53711946440fde14b24bc325b853cc72096d548b89cb992a7ac970bb1ceddb898ea1d7b456038508ad45d2bfeb63553e83b3ffb398e8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
MD5
e6cf1fac613f61846812b4a30efc3a39

SHA1
060b70d76d5178a6bf33d160fbc7db6a5789fbfe

SHA256
524c7a89c9de151943d41261910f5e3b58abed77a7ff8827f1903e972dd37be2

SHA512
4c03b7603cff7997a9fe53711946440fde14b24bc325b853cc72096d548b89cb992a7ac970bb1ceddb898ea1d7b456038508ad45d2bfeb63553e83b3ffb398e8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config
MD5
3f9b7c50015ca8be5ec84127bb37e2cb

SHA1
07fa0b2f00ba82a440bfeacafd8b0b8d1b3e4ee7

SHA256
c66e1ba36e874342cd570cf5bdd3d8b73864a4c9e9d802398be7f46fe39a8532

SHA512
db5713dda4ecac0a1201add7d5d1a55bdbfc9e373b2277661869f7de9e8ba593f44bdafa6c8dbeba09df158b2dfdd1875c26c047f50597185f1f2f5612fc87b9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll
MD5
01686fb0e3083594677d84d0f46df354

SHA1
0419ea9022e5ad29217344a0962ae99a4473bc0c

SHA256
a1d6a5121135c51c1644c3d1888ae02517b3e5fa71092397485f2ad25aa1e691

SHA512
34c6a1fe79a5b19748247f162b1645a63b71632784bd9b5cd482f81c77dc8aa229d8f8aeba419696b276d34ce0e4258752c6c7f78d5e2d846d355e6bddcce0fe

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll
MD5
273a2fb7bc05f02e8b4b8c123da24308

SHA1
3d81b2d5d21a0adc1ccc75e7bf9275734ef6c780

SHA256
021b1a16871473eaf99de4bdeb3682361fb2ed74d5d3207e69450828fa6dab6c

SHA512
25fab3e378815ed0986179604845a366011d12e5944f1b662b54b26ad7c4d12e3e8e6afdbc63448d1bc9548ba741ed2d484fa3f9b1ee25055b2618dac5289232

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
MD5
36243dab64849780a7b800e0b3e9419f

SHA1
cb6be598bafea04e25a9a0515141a3a6fe00fa38

SHA256
2f599ae4c76b642d30d2d5dfd0f0c009c3407cc592d3341d368f19da9b4cd29f

SHA512
3d897e9ba1fe0f706c819cc6b0f4a260e437a564ce7c84c68db43003d181b6fcb735ab63a8d2fa5cfbec6b23319e9fadc269aa8331d1f818fd665bb1029fadae

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
MD5
36243dab64849780a7b800e0b3e9419f

SHA1
cb6be598bafea04e25a9a0515141a3a6fe00fa38

SHA256
2f599ae4c76b642d30d2d5dfd0f0c009c3407cc592d3341d368f19da9b4cd29f

SHA512
3d897e9ba1fe0f706c819cc6b0f4a260e437a564ce7c84c68db43003d181b6fcb735ab63a8d2fa5cfbec6b23319e9fadc269aa8331d1f818fd665bb1029fadae

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.INI
MD5
d27e792dbedd4ce70d3c7e81ff0844e3

SHA1
d729b456a03de94175935c8a83a1f1140c067b02

SHA256
9358dd9c96af7d596bf94dec1f94ecf26881b231a70c1be3ee08705d65ca2895

SHA512
8f3d39caec3a39266f4a96faf0acd430623bbe73f99f46c527fe126328979f0d41a3ff12cbfba4dece8a678a0da9e48b18563da0eff2ca0ba1441fce9477b587

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
MD5
da4dbe091ba30623cf17348d0aaee74d

SHA1
315ec6f26545384b8f68f9106be2153ca78f74e4

SHA256
e400659675dca995965712fa796acc0ab691668bc4f4b36d5294c63e2c126108

SHA512
29aac02faf7a375a44cb804c639c47887ebb4254f6b8c29cca0ad5be6f3cab8f0b41616ea58a35c0a1716ff471d27e52c22193e386d422835068d23bab380fef

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
MD5
da4dbe091ba30623cf17348d0aaee74d

SHA1
315ec6f26545384b8f68f9106be2153ca78f74e4

SHA256
e400659675dca995965712fa796acc0ab691668bc4f4b36d5294c63e2c126108

SHA512
29aac02faf7a375a44cb804c639c47887ebb4254f6b8c29cca0ad5be6f3cab8f0b41616ea58a35c0a1716ff471d27e52c22193e386d422835068d23bab380fef

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config
MD5
9a98997c57162a9b8665e44512088e4f

SHA1
4c14fb14240346c2261b466f776085f4a98250c9

SHA256
86bc14fd84dbc08192b6aa5ea54d1bcaea37195f90bfce9ab6cf884da898ed32

SHA512
f169ed80565a10ce2ce0b9a65f1e177d25dd4dbc96ff5c27e501cb43cf9f8a17e2be8b44007f35c597090520ffa811966b7b6ac13184c68b0ea800b4b659a334

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll
MD5
d1063466612c6d7db55cb176b4334163

SHA1
f64cda376c29136b19a4c6df040e1d78e50d4fb6

SHA256
5d088b60c7939037bf3a5b32beba85f681234bb1f5c457bfefac597875f5f385

SHA512
c63acfc6c40845a3fd6f017a4697eeddccb187e38e59dec530705f36c0988061310efcfb87de68acffdb6acffc58d54a8c126aeb5e8044347da6121f39805abb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.INI
MD5
2ee2a757a5865cc7f0d97c67a0b5d8c5

SHA1
4bdfbbfa8a5622a5419160f3395916f615918ac9

SHA256
526d4fb92081239213ed7651bd67d1d6ae80cb69f2e4c64f6305b5f9ae0b3af1

SHA512
dc39fccc5c88a3ab9a50e8d87c93972054934078b42f436a7fb030e64ba513bd3724538613742b6a087724c4cfa469e45574b190a2390a63a748e0c1982851df

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
MD5
538177ef021e529dfe997d255607fe27

SHA1
3c34dc31b559c5cd7b39bfaa462e61dc51fd037b

SHA256
b181ccac37163e346d88cdd4bf1e4dad609f3a45bb5c143f3db7dc152d395a69

SHA512
a6b3af6ef8b3ab699ebfc1192869ef4d2b56b99aaa47ab6b826ddb23c01fc2c73d3b4680e5839c65f64d1b2c89964b2d69512d214fdb58a088408203eac61cec

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
MD5
538177ef021e529dfe997d255607fe27

SHA1
3c34dc31b559c5cd7b39bfaa462e61dc51fd037b

SHA256
b181ccac37163e346d88cdd4bf1e4dad609f3a45bb5c143f3db7dc152d395a69

SHA512
a6b3af6ef8b3ab699ebfc1192869ef4d2b56b99aaa47ab6b826ddb23c01fc2c73d3b4680e5839c65f64d1b2c89964b2d69512d214fdb58a088408203eac61cec

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config
MD5
9bc8c60dca1db56880a6de6186139bbb

SHA1
215828e6240b6d588e1d3e1a92e9df51ede80062

SHA256
98cbf73681a1b63d4242cb40a2bd0bb6b04a61528a4230e8eb7e10bd83b6e6b0

SHA512
809a8d652869977bcaa702fc7ab4963ef48554e122acd08314c7645dbb878bb32e0c5be0aa08606956fcf1fac5431cc401f5949ef781e52eb9919c72c88f999a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll
MD5
ced1b0417be18a7c18d13b362b83e1b4

SHA1
ee6688a75ea807aa8d51d69c1f4cec2fd201590c

SHA256
3679e9374b1639b46ead6349245adc836243d42c7237b6a94ef917b1f6ed61be

SHA512
751e24ca287541deb37e501f3bea90cdc699625331c932a31dde4f61ed0d2af1bef839f42c1f53978027285c81a01d1151ff6590040f17ef0be38d50ed50da4a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll
MD5
ddda7e8fffc144e58f39d7e973aeb64b

SHA1
bb7ed32023150cab7740524da6f2870c546d3acd

SHA256
53ba23ec48132705610c6bf3d6c9e8db6d2f3234a629c26f3a974ceb7f2e95f1

SHA512
a57e9b8c0c11ddaea7773ef3550c9a2fd5c29afcab5eea0ca4cc9507880308f130c417f01383dc9b25a02eb32737b4d8a039e7b3f57ae1d85e13da6de0d3b4dc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.INI
MD5
2fc8d65453a9c9c04a37d76b83569a72

SHA1
32d96fc8d7a9eeab00d5bb5384d301d18263d1f8

SHA256
ab306495ecfa337cf3bc9c06480c1fe778f9934b245ec7fc25a030fbe4619b98

SHA512
aa67306ddb9fdb1122d7816ee733d792259aa3bdef7a16211e1751450501fae2243c1556f55ba777dec6b9a868aa15e089e8ad22ef75ac9774623765b78ad01a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
MD5
779a81d6343a98b9b27beeafbb0a05ee

SHA1
507320c64adacae75ec7d58f641befebe348cf0d

SHA256
d88ceae464b731344f2dd7d6402b517571cff6faa6ac12d5b1f5abc5200a6693

SHA512
16048677f1a49b49ad3b9a424a4d2c8560ff3efb71967cefbe4b70c4baa72ed82bd4ef70dd73472182c66c8226102f2364dc9b3233bd246f2188c236d191a70a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
MD5
779a81d6343a98b9b27beeafbb0a05ee

SHA1
507320c64adacae75ec7d58f641befebe348cf0d

SHA256
d88ceae464b731344f2dd7d6402b517571cff6faa6ac12d5b1f5abc5200a6693

SHA512
16048677f1a49b49ad3b9a424a4d2c8560ff3efb71967cefbe4b70c4baa72ed82bd4ef70dd73472182c66c8226102f2364dc9b3233bd246f2188c236d191a70a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe.config
MD5
9bc8c60dca1db56880a6de6186139bbb

SHA1
215828e6240b6d588e1d3e1a92e9df51ede80062

SHA256
98cbf73681a1b63d4242cb40a2bd0bb6b04a61528a4230e8eb7e10bd83b6e6b0

SHA512
809a8d652869977bcaa702fc7ab4963ef48554e122acd08314c7645dbb878bb32e0c5be0aa08606956fcf1fac5431cc401f5949ef781e52eb9919c72c88f999a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll
MD5
13e68cf6aecd7ac7f47080b230523262

SHA1
c3d3e8ca1030e96ce20d00695c0bc9778ae43c96

SHA256
067e009ec640b958e2be69863d3a486daf59b6b523725f94eb8f649d839f340a

SHA512
8266a604c4db593565c75a203ce6dc9221bfee279ad0a87a2ace19dbd8c193762f327378a5337aebffff3187849f8808b8c4612e599ece1ea7aaf091f5a6ba13

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
MD5
2827351b0af210d7118dbe0c2e894e21

SHA1
eb9a09a375a2652f78256ab69b883914f4219e3b

SHA256
7533cd228397a23e7c807f95cc9cb5cbea9f820c7cc71be7e2cfe3fe4b243c7d

SHA512
a1800510b511bd23acad9ffdc08ca4187421f7e366c21307f2d9a86193d6b0bc0a4be4dcb8773099bf91b7b880b028af3225467bcaac4dea327907fb4ea4b7e1

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.INI
MD5
93af2eaefb9b3fe0799ebb4155104fab

SHA1
ae3455155c1881d098397e6f3f1ad31858b35c5f

SHA256
d662fe4971fc12d599f47641acbbdaf3b1cc1175fca3744bc4699c93a08b074b

SHA512
f9e791c248c48bc8017647d5b07e9d8ac3c33d17ba57caf8ff89fa8dad50657832c9d5688110a367d235dd220e32060069a7c9f96da79f90211a1e7a442cbcb0

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe
MD5
b12c63053efe64ae12a800e7202ef65e

SHA1
f4c459ed00f653c97dda9af913760ff129ed8294

SHA256
b178c407dde32dd0810f2e1672260b23a08b917624ce67af302b9a795728c6db

SHA512
e3a3b8bfc04b7b9cb2eb4f666d25b5dbdd15c19c94f7465e446566f8f4337aaca1bac7a5cd67a6b8f275a3494fa9145087f2dcc46b9a1ba6a9e3e08867f00314

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe
MD5
b12c63053efe64ae12a800e7202ef65e

SHA1
f4c459ed00f653c97dda9af913760ff129ed8294

SHA256
b178c407dde32dd0810f2e1672260b23a08b917624ce67af302b9a795728c6db

SHA512
e3a3b8bfc04b7b9cb2eb4f666d25b5dbdd15c19c94f7465e446566f8f4337aaca1bac7a5cd67a6b8f275a3494fa9145087f2dcc46b9a1ba6a9e3e08867f00314

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\AgentPackageWindowsUpdate.exe.config
MD5
c0a1095205d9061cb19da9e7dc8323d0

SHA1
f50b534777f0ece5414ed533aeafdc660d97fb1d

SHA256
de0b0fe7b58f4c212cd825b3b07e978caa43103708445fdab2347986ecc12acb

SHA512
a64ce84f73859b3703c615a8422aaa6825570f7ff974e88a047d167a541d2ba7fc4bf2c77bb2c3c2afbca56f1e2e47e37197ac5f56fcf37be22f9bf195a5e370

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Atera.AgentPackage.Common.dll
MD5
3c0e332cc4eca9cab722263a0f2cc082

SHA1
e7a33fdcbbfa7ad5d2a3d9efcf07c2ca7f1e5531

SHA256
e8abad75b5f29668151f9070fce8624525c8da80203cfa9fb81d03a948a6da71

SHA512
129a84b1fa6c491b5ab98896cf3bb32a17f2a504e0cc635a028fcf4496121b832f608d007b21a8d84ae22af31a0382951635690e204dd9ac2cec17a690dc1057

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Interop.WUApiLib.dll
MD5
ba6f28e2359291c2778ec04427acea2a

SHA1
759a9518bfb3ef76b3dc1664385a13a3403feabf

SHA256
708308c9d5c2579afb21d0b10229f94b274fd5ad0a2ed0659abd3bb5f8733bf5

SHA512
20fe56f29dd58f30db8021edd6f5b7e178ce909d4b438a97bad71850f4441b9abbf1c0c83559d9c19d958d616c9aa9344b686601f37db36cb0a66a22323f951d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageWindowsUpdate\Newtonsoft.Json.dll
MD5
b83633d144eb1d00c744c709ab54490e

SHA1
dad6e6759042810e2a9a7c5882b0ed1399e289d3

SHA256
8855c8021ab67f0a15ffb4c1568de102e5882e478acc8000554e821d8c4c042e

SHA512
96471e13d771b6e91dfdcb1684b98762e41338972fcf47f8d46cc6bf07cb0f9271a89cd656a55d9be422a2741aae4349be7a312f88ec2c4218fc25d7588057ee

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dll
MD5
e8458b60d4f251de071b765287c5661e

SHA1
b4a4d91483f658b79204ec4be2c2012efefd5a63

SHA256
52c29826c96e35373f05fefbd0f92ac9ec377cd65e8f58a945f3a86b41c3ddc6

SHA512
57b3b9cd3a47a6543e0e81a4606e7a90e4a459fe827c01ec6a21d1a64503fe6267079fa89e3120519079a1e9a0eb925f3b794d9b39f03d7eba524393dc564bea

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt
MD5
6d43b212fbdbb75e7d7e9af578a9cd2c

SHA1
4a7966bf28ff178a17461988b95b44e84791d213

SHA256
c9f08bb6a41f1bfcd03ff55dfbc6dace7e32fe05fac02b69757acb7071e6f693

SHA512
dd3f20b66e766e51fdb13dc7e4ac7775537286ec831fdb3b6809fdaeb71ac8502e7e9725c1ef3548daa26671e27c89f88aa6a667e40b6b1a4b2b81fa2201e12d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
a67caad04483de7ffee8359d2c6e8550

SHA1
6cc2f0c416e8d43d02fb86d6c134f2fc77bfd970

SHA256
75bfd1b527fa64ead4723b09b574b1b5542bc2164d17e216b4b6c0112ec388c0

SHA512
59c2431eb2654f6e328242035b79fa4c9057dfd5b6c4432e3c5457671143f488c8dafe33d8db3233b29b3abaca4c22674da0056a66e17a5ba9a10924a22aa248

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A
MD5
b97b24e989431cea371a2786279890aa

SHA1
47685405d8c4a3bb115ca1b1271f3756125a0a94

SHA256
78620c9358834a3c491c36f58bf1c5085357107c811f87c6a3d32353c3271604

SHA512
60e09235587f08e32c439734680b3c7a115dc1874b628b75c32f6b30bfb92046ed5eaf949ba827aeb28082b2eafe51d9c979754c1e6297e7d6b69b619201f796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
MD5
501b4710f0223b412bc8248db4dd07d9

SHA1
3c4459f0c08cc16cd4c6f31e5f512bae0bcdb64b

SHA256
f115b2dac51a2cf243696fe08c635d24e5af168d4afbbca3ce2d4a78f5e6cc85

SHA512
d18aa9067a96b08b169e52a7a6e2a319ac8efd3eaf1ab4e73ddbf4943644b1e80529fcaacbd18ee386ffcdd7bbef0bed158df0121ac3abd50c2c1bfed1db1d5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A
MD5
868cdaa5dfeec24a67ec477382f58f36

SHA1
29342b26d109da8aac825202520b8223cdaa7cad

SHA256
5943e7b029e8635d82e98e65cc5ddba80613dd2d95fe6d620e92ed916b57e0c1

SHA512
48c28a0c26c37719019285015ce2d1ad585d99a592e120d459e37f71a98adff41a67e8c81969cf9a39bd367c349e8eb5fb8f43082fc1d8036c19f9d6c10ce7cd

Download Submit
C:\Windows\Installer\MSICA6B.tmp
MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
MD5
af1df4b695c99ca18d5aa5d3220632e2

SHA1
c1a809a8f9c48ddef6ecaf630462cab57e65f7e8

SHA256
35bf2ca5337dc1010520f375e825902a9f5705cc9378d19e2dfb606c51100a6f

SHA512
2ffc658c8457743cb337892d1114c076e25629ab2788b7948d752ade0a2e88c304d4a35b741507d9d17658e98285222cc8db3f7eb6238067d8983df94b1022bd

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
MD5
40124594567c3ce1da06a0472e988af4

SHA1
8f4f94bc47e98ddd2cc7f60908230e504aa55bb0

SHA256
3433dbcf1d93e7bdf44ba943dae1b9cc12a5db6b36a12d7b46b45d49bf852635

SHA512
b86f5b8a74a94b5c079ad474ea2ba6e45aebf7a354b594a451a2fbf59f2f26ee771886dea3833ec37dd7c18d2e6467dfdbd4cab63ba20116a32840f07328a855

Download Submit
\??\Volume{d05cfc4a-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{1cfc81dc-47cc-40b3-8f11-0200d2a6d332}_OnDiskSnapshotProp
MD5
3decfa9154cfefb4e94a02572750c5f9

SHA1
819ef1dfc6dd8241b97e32c4be15af3c50e151d5

SHA256
971e8bafe10c9cd3abd54929a341d610352862f1ce263d57981d96149696305a

SHA512
0dd296904cdac05b619ced8448bda902754f9f055fa73bed3725818d20bfca246583f0fcd375a9f3443d32eaa3e2de882eed5de8ea4d41343b99b658775c4aeb

Download Submit
\Windows\Installer\MSICA6B.tmp
MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
memory/572-179-0x0000000000000000-mapping.dmp

Download
memory/572-195-0x000001E4FE5A0000-0x000001E4FE5A2000-memory.dmp

Filesize
8KB

Download
memory/628-431-0x0000000000000000-mapping.dmp

Download
memory/792-280-0x0000000000000000-mapping.dmp

Download
memory/792-347-0x0000018EE5350000-0x0000018EE5352000-memory.dmp

Filesize
8KB

Download
memory/892-443-0x0000000000000000-mapping.dmp

Download
memory/1208-444-0x0000000000000000-mapping.dmp

Download
memory/1216-442-0x0000000000000000-mapping.dmp

Download
memory/1720-405-0x0000000000000000-mapping.dmp

Download
memory/2176-118-0x0000000000000000-mapping.dmp

Download
memory/2196-132-0x00000234595B0000-0x00000234595B1000-memory.dmp

Filesize
4KB

Download
memory/2196-135-0x0000023459910000-0x0000023459911000-memory.dmp

Filesize
4KB

Download
memory/2196-136-0x000002345B2A0000-0x000002345B2A1000-memory.dmp

Filesize
4KB

Download
memory/2196-137-0x0000023473C60000-0x0000023473C62000-memory.dmp

Filesize
8KB

Download
memory/2196-128-0x0000000000000000-mapping.dmp

Download
memory/2276-445-0x0000000000000000-mapping.dmp

Download
memory/2400-478-0x000002306E4E0000-0x000002306E4E2000-memory.dmp

Filesize
8KB

Download
memory/2560-438-0x0000000000000000-mapping.dmp

Download
memory/2724-123-0x0000000000000000-mapping.dmp

Download
memory/2776-404-0x0000000000000000-mapping.dmp

Download
memory/2852-204-0x0000015F07470000-0x0000015F07471000-memory.dmp

Filesize
4KB

Download
memory/2852-194-0x0000000000000000-mapping.dmp

Download
memory/2852-236-0x0000015F207E0000-0x0000015F207E2000-memory.dmp

Filesize
8KB

Download
memory/2852-220-0x0000015F20560000-0x0000015F20561000-memory.dmp

Filesize
4KB

Download
memory/2852-222-0x0000015F07950000-0x0000015F07951000-memory.dmp

Filesize
4KB

Download
memory/2852-384-0x0000000000000000-mapping.dmp

Download
memory/2852-229-0x0000015F07C60000-0x0000015F07C61000-memory.dmp

Filesize
4KB

Download
memory/2996-406-0x0000000000000000-mapping.dmp

Download
memory/3188-458-0x000001F7650A0000-0x000001F7650A2000-memory.dmp

Filesize
8KB

Download
memory/3240-411-0x0000000010000000-0x000000001024A000-memory.dmp

Filesize
2.3MB

Download
memory/3240-412-0x0000000002A70000-0x0000000002A72000-memory.dmp

Filesize
8KB

Download
memory/3240-399-0x0000000000000000-mapping.dmp

Download
memory/3240-419-0x0000000004A90000-0x0000000004BA2000-memory.dmp

Filesize
1.1MB

Download
memory/3240-420-0x00000000046A0000-0x00000000046A2000-memory.dmp

Filesize
8KB

Download
memory/3340-408-0x0000000000000000-mapping.dmp

Download
memory/3496-418-0x0000000000000000-mapping.dmp

Download
memory/3532-435-0x0000000000000000-mapping.dmp

Download
memory/3684-274-0x0000026E7A910000-0x0000026E7A911000-memory.dmp

Filesize
4KB

Download
memory/3684-311-0x0000026E7BB90000-0x0000026E7BB92000-memory.dmp

Filesize
8KB

Download
memory/3684-255-0x0000000000000000-mapping.dmp

Download
memory/3752-414-0x0000000000000000-mapping.dmp

Download
memory/3756-422-0x0000000000000000-mapping.dmp

Download
memory/3844-350-0x0000000000000000-mapping.dmp

Download
memory/3864-388-0x0000000000000000-mapping.dmp

Download
memory/4052-430-0x0000000000000000-mapping.dmp

Download
memory/4112-142-0x000001483BF80000-0x000001483BF81000-memory.dmp

Filesize
4KB

Download
memory/4112-149-0x0000014856390000-0x0000014856391000-memory.dmp

Filesize
4KB

Download
memory/4112-147-0x000001483C540000-0x000001483C542000-memory.dmp

Filesize
8KB

Download
memory/4112-145-0x0000014855ED0000-0x0000014855ED1000-memory.dmp

Filesize
4KB

Download
memory/4140-410-0x0000000000000000-mapping.dmp

Download
memory/4144-417-0x0000000000000000-mapping.dmp

Download
memory/4192-230-0x0000019985970000-0x0000019985971000-memory.dmp

Filesize
4KB

Download
memory/4192-215-0x00000199851E0000-0x00000199851E1000-memory.dmp

Filesize
4KB

Download
memory/4192-273-0x000001999E270000-0x000001999E272000-memory.dmp

Filesize
8KB

Download
memory/4192-432-0x0000000000000000-mapping.dmp

Download
memory/4192-200-0x0000000000000000-mapping.dmp

Download
memory/4192-251-0x000001999E280000-0x000001999E281000-memory.dmp

Filesize
4KB

Download
memory/4200-434-0x0000000000000000-mapping.dmp

Download
memory/4212-365-0x00007FF5FF7B0000-0x00007FF5FF7B1000-memory.dmp

Filesize
4KB

Download
memory/4212-345-0x000001A4A5CE0000-0x000001A4A5CE2000-memory.dmp

Filesize
8KB

Download
memory/4212-283-0x0000000000000000-mapping.dmp

Download
memory/4232-146-0x0000000000000000-mapping.dmp

Download
memory/4244-382-0x00000269C0D10000-0x00000269C0D12000-memory.dmp

Filesize
8KB

Download
memory/4244-358-0x0000000000000000-mapping.dmp

Download
memory/4256-191-0x000001A34BD20000-0x000001A34BD21000-memory.dmp

Filesize
4KB

Download
memory/4256-232-0x000001A34C590000-0x000001A34C592000-memory.dmp

Filesize
8KB

Download
memory/4256-185-0x0000000000000000-mapping.dmp

Download
memory/4256-214-0x000001A34C530000-0x000001A34C531000-memory.dmp

Filesize
4KB

Download
memory/4256-199-0x000001A364DA0000-0x000001A364DA1000-memory.dmp

Filesize
4KB

Download
memory/4256-208-0x000001A34C4C0000-0x000001A34C4C1000-memory.dmp

Filesize
4KB

Download
memory/4304-433-0x0000000000000000-mapping.dmp

Download
memory/4308-477-0x00000229749F0000-0x00000229749F2000-memory.dmp

Filesize
8KB

Download
memory/4352-425-0x0000000000000000-mapping.dmp

Download
memory/4460-160-0x000001A136340000-0x000001A136341000-memory.dmp

Filesize
4KB

Download
memory/4460-162-0x000001A14EDC0000-0x000001A14EDC2000-memory.dmp

Filesize
8KB

Download
memory/4460-150-0x0000000000000000-mapping.dmp

Download
memory/4460-158-0x000001A1363F0000-0x000001A1363F1000-memory.dmp

Filesize
4KB

Download
memory/4460-154-0x000001A135B80000-0x000001A135B81000-memory.dmp

Filesize
4KB

Download
memory/4496-415-0x0000000000000000-mapping.dmp

Download
memory/4532-424-0x0000000000000000-mapping.dmp

Download
memory/4548-366-0x0000025FD5D10000-0x0000025FD5D12000-memory.dmp

Filesize
8KB

Download
memory/4548-308-0x0000000000000000-mapping.dmp

Download
memory/4556-402-0x00000288295B0000-0x00000288295B1000-memory.dmp

Filesize
4KB

Download
memory/4556-285-0x0000028810700000-0x0000028810701000-memory.dmp

Filesize
4KB

Download
memory/4556-261-0x00000288102E0000-0x00000288102E1000-memory.dmp

Filesize
4KB

Download
memory/4556-241-0x0000000000000000-mapping.dmp

Download
memory/4556-364-0x0000028829610000-0x0000028829612000-memory.dmp

Filesize
8KB

Download
memory/4556-278-0x0000028810B60000-0x0000028810B61000-memory.dmp

Filesize
4KB

Download
memory/4588-172-0x0000016557180000-0x0000016557182000-memory.dmp

Filesize
8KB

Download
memory/4588-163-0x0000000000000000-mapping.dmp

Download
memory/4604-440-0x0000000000000000-mapping.dmp

Download
memory/4632-392-0x0000000000000000-mapping.dmp

Download
memory/4632-426-0x0000000000000000-mapping.dmp

Download
memory/4636-416-0x0000000000000000-mapping.dmp

Download
memory/4656-227-0x00000240A0750000-0x00000240A0751000-memory.dmp

Filesize
4KB

Download
memory/4656-211-0x0000000000000000-mapping.dmp

Download
memory/4656-253-0x00000240A1000000-0x00000240A1001000-memory.dmp

Filesize
4KB

Download
memory/4656-277-0x00000240B9940000-0x00000240B9942000-memory.dmp

Filesize
8KB

Download
memory/4656-246-0x00000240B9740000-0x00000240B9741000-memory.dmp

Filesize
4KB

Download
memory/4656-257-0x00000240B9710000-0x00000240B9711000-memory.dmp

Filesize
4KB

Download
memory/4676-276-0x0000022219620000-0x0000022219621000-memory.dmp

Filesize
4KB

Download
memory/4676-258-0x0000000000000000-mapping.dmp

Download
memory/4696-421-0x0000000000000000-mapping.dmp

Download
memory/4788-436-0x0000000000000000-mapping.dmp

Download
memory/4800-429-0x0000000000000000-mapping.dmp

Download
memory/4828-407-0x0000000000000000-mapping.dmp

Download
memory/4832-270-0x0000000000000000-mapping.dmp

Download
memory/4832-346-0x000001BBADE40000-0x000001BBADE42000-memory.dmp

Filesize
8KB

Download
memory/4832-284-0x000001BBAD5D0000-0x000001BBAD5D1000-memory.dmp

Filesize
4KB

Download
memory/4836-437-0x0000000000000000-mapping.dmp

Download
memory/4840-439-0x0000000000000000-mapping.dmp

Download
memory/4968-175-0x0000000000000000-mapping.dmp

Download
memory/4972-174-0x0000000000000000-mapping.dmp

Download
memory/4984-428-0x0000000000000000-mapping.dmp

Download
memory/5012-409-0x0000000000000000-mapping.dmp

Download
memory/5044-269-0x00000257F6900000-0x00000257F6901000-memory.dmp

Filesize
4KB

Download
memory/5044-245-0x00000257DD880000-0x00000257DD881000-memory.dmp

Filesize
4KB

Download
memory/5044-282-0x00000257F6B40000-0x00000257F6B42000-memory.dmp

Filesize
8KB

Download
memory/5044-237-0x0000000000000000-mapping.dmp

Download
memory/5064-176-0x0000000000000000-mapping.dmp

Download
memory/5072-177-0x0000000000000000-mapping.dmp

Download
memory/5080-427-0x0000000000000000-mapping.dmp

Download