7105347cf337b515841a7296f45179ba33cf99d96afdd3480a6f7919f5ccbcb5

Resubmissions

18/09/2023, 14:01

230918-rbyspsca77 8

18/09/2023, 13:28

230918-qqmhjshe7t 8

18/09/2023, 12:58

230918-p7qe4ahd4x 8

Analysis

max time kernel
1800s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20230915-es
resource tags

arch:x64arch:x86image:win10v2004-20230915-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
18/09/2023, 14:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdobeAcrobat.msi
Size

2.6MB
MD5

650eac6e0151ca012d04dfd8842c5faa
SHA1

b7a4e282797aa11ae9c8b6f0ec425954d66309c8
SHA256

7105347cf337b515841a7296f45179ba33cf99d96afdd3480a6f7919f5ccbcb5
SHA512

b81dbb86366020489a4793765a8c337ef90738863082bfcf632813df6d06d70e8c71df2f51aa6b8758d7d4d10d91f7672995ce068ee2bdd1625430560b77dde0
SSDEEP

49152:eqR5+cz/JUsaMqD9vVVKwKmEO00q5J/vyutCsY7jFEqDrr0ILinUI:HCCUsgpvKmEBNvyeD2jP3r0IF

Score

8^/10

bootkit discovery evasion persistence upx

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	316	msiexec.exe
4	316	msiexec.exe
6	316	msiexec.exe
86	2240	MsiExec.exe

Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SSUService\ImagePath = "\"C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe\""	SRManager.exe

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 64 IoCs

pid	Process
3800	AteraAgent.exe
1512	AteraAgent.exe
3372	AgentPackageADRemote.exe
2884	AgentPackageUpgradeAgent.exe
2508	Agent.Package.Availability.exe
4204	AgentPackageMonitoring.exe
3416	AgentPackageSystemTools.exe
1408	AgentPackageAgentInformation.exe
228	AgentPackageMarketplace.exe
1712	AgentPackageProgramManagement.exe
1172	AgentPackageSTRemote.exe
4944	AgentPackageTicketing.exe
3680	AgentPackageUpgradeAgent.exe
4120	AgentPackageOsUpdates.exe
3800	AgentPackageInternalPoller.exe
4744	AgentPackageHeartbeat.exe
3016	AgentPackageRuntimeInstaller.exe
4620	AgentPackageAgentInformation.exe
5116	SplashtopStreamer.exe
3968	PreVerCheck.exe
2892	_isF112.exe
4508	_isF112.exe
2236	_isF112.exe
4124	_isF112.exe
1472	_isF112.exe
5020	_isF112.exe
4836	_isF112.exe
2012	_isF112.exe
4664	_isF112.exe
2236	_isF112.exe
3608	_is117C.exe
1724	_is117C.exe
1852	_is117C.exe
3460	_is117C.exe
4652	_is117C.exe
5096	_is117C.exe
4412	_is117C.exe
1516	_is117C.exe
3780	_is117C.exe
3988	_is117C.exe
4912	6-0-13.exe
2588	6-0-13.exe
2700	dotnet-runtime-6.0.13-win-x64.exe
2420	AgentPackageHeartbeat.exe
2900	_is7D85.exe
3608	_is7D85.exe
4388	_is7D85.exe
2704	_is7D85.exe
1616	_is7D85.exe
4004	_is7D85.exe
1800	_is7D85.exe
4604	_is7D85.exe
3920	_is7D85.exe
3816	_is7D85.exe
4180	SetupUtil.exe
184	SetupUtil.exe
4412	SetupUtil.exe
2840	SRSelfSignCertUtil.exe
2236	_is9A66.exe
3920	_is9A66.exe
388	_is9A66.exe
2104	_is9A66.exe
4820	_is9A66.exe
2796	_is9A66.exe

Loads dropped DLL 64 IoCs

pid	Process
4912	MsiExec.exe
3052	rundll32.exe
3052	rundll32.exe
3052	rundll32.exe
4124	MsiExec.exe
952	MsiExec.exe
952	MsiExec.exe
4204	AgentPackageMonitoring.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2588	6-0-13.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
4688	Splashtop_Software_Updater.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
3376	SRManager.exe
3376	SRManager.exe
3376	SRManager.exe
2240	MsiExec.exe
2240	MsiExec.exe
2240	MsiExec.exe
3376	SRManager.exe
3296	SRServer.exe
3296	SRServer.exe
3296	SRServer.exe
3296	SRServer.exe
3296	SRServer.exe
3296	SRServer.exe
3296	SRServer.exe
3732	SRAgent.exe
3732	SRAgent.exe
3732	SRAgent.exe
3376	SRManager.exe
3376	SRManager.exe
3636	SRFeature.exe
3636	SRFeature.exe
3636	SRFeature.exe
3636	SRFeature.exe
3636	SRFeature.exe

Registers COM server for autorun 1 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment"	SRService.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32	SRService.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "C:\\Windows\\system32\\SRCredentialProvider.dll"	SRService.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3376-2024-0x00000000730E0000-0x0000000073331000-memory.dmp	upx
behavioral1/memory/3376-2691-0x00000000730E0000-0x0000000073331000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ac916c06-1c22-495e-ae7e-b4e24fbbed14} = "\"C:\\ProgramData\\Package Cache\\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\\dotnet-runtime-6.0.13-win-x64.exe\" /burn.runonce"	dotnet-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ac916c06-1c22-495e-ae7e-b4e24fbbed14} = "\"C:\\ProgramData\\Package Cache\\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\\dotnet-runtime-6.0.13-win-x64.exe\" /burn.runonce"	dotnet-runtime-6.0.13-win-x64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 20 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log	AgentPackageInternalPoller.exe
File created	C:\Windows\system32\SRC8798.tmp	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	SRManager.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MsiExec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log	AgentPackageHeartbeat.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log	AgentPackageOsUpdates.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	Agent.Package.Availability.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	Agent.Package.Availability.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log	AgentPackageSystemTools.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log	AgentPackageMarketplace.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MsiExec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8	Agent.Package.Availability.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log	AgentPackageProgramManagement.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62	Agent.Package.Availability.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_F21B1638A969820C3F1441E2854EF613	Agent.Package.Availability.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log	AgentPackageSTRemote.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_BDD4A3CA13696E12BB45668760AFF4D4	SRManager.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log	AgentPackageRuntimeInstaller.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8	Agent.Package.Availability.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log	AgentPackageUpgradeAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log	AgentPackageADRemote.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_F21B1638A969820C3F1441E2854EF613	Agent.Package.Availability.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894	Agent.Package.Availability.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTicketing.exe.log	AgentPackageTicketing.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log	AgentPackageMonitoring.exe
File opened for modification	C:\Windows\system32\SRCredentialProvider.dll	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE	SRManager.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log	AgentPackageAgentInformation.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_BDD4A3CA13696E12BB45668760AFF4D4	SRManager.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppFileHound.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Reflection.Emit.Lightweight.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal	AgentPackageMonitoring.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data-log.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.inf	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver.bat	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data-log.db	AgentPackageMonitoring.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd64.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal	AgentPackageMonitoring.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data-log.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.runtimeconfig.json	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\DIFxCmd.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.cat	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Net.WebClient.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db	AgentPackageMonitoring.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Dapper.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db-journal	AgentPackageMonitoring.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data-log.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\stprintmon.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\pcach.cch	AgentPackageProgramManagement.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.inf	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\Microsoft.NETCore.App.runtimeconfig.json	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnup.gpd	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Diagnostics.Tracing.dll	msiexec.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\api-ms-win-core-debug-l1-1-0.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db	AgentPackageMonitoring.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.inf	msiexec.exe
File opened for modification	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3-journal	SRAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackage.Common.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt	AgentPackageInternalPoller.exe
File opened for modification	C:\Program Files (x86)\Splashtop\Splashtop Software Updater\	Au_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Reflection.Metadata.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\sthid.sys	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\uninstall_driver.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data-log.db	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.NonGeneric.dll	AteraAgent.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.13\System.Memory.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db	AgentPackageMonitoring.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58043f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIB85.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A2E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI578E.tmp	msiexec.exe
File created	C:\Windows\Installer\e580434.msi	msiexec.exe
File created	C:\Windows\Installer\e58043a.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5F0DB006-2AE3-4D36-8077-65247FD687D4}	msiexec.exe
File created	C:\Windows\rescache\_merged\431186354\1002969988.pri	SRManager.exe
File opened for modification	C:\Windows\Installer\MSI3EA2.tmp	msiexec.exe
File created	C:\Windows\Installer\e580443.msi	msiexec.exe
File created	C:\Windows\Installer\e580431.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}	msiexec.exe
File created	C:\Windows\rescache\_merged\2137598169\1157865493.pri	SRManager.exe
File created	C:\Windows\rescache\_merged\2263554406\1568964029.pri	SRManager.exe
File created	C:\Windows\rescache\_merged\64831148\2869113085.pri	SRManager.exe
File created	C:\Windows\rescache\_merged\3200614358\2178503777.pri	SRManager.exe
File created	C:\Windows\rescache\_merged\4245263321\591919436.pri	SRManager.exe
File created	C:\Windows\Installer\e580444.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50C.tmp-\System.Management.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{C6D031BB-DA38-4EA1-8BE1-7665FA8D227F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFEC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5915.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC589.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\482193516\1762117427.pri	SRManager.exe
File created	C:\Windows\rescache\_merged\1712550052\2426765056.pri	SRManager.exe
File opened for modification	C:\Windows\Installer\MSIBB5.tmp	msiexec.exe
File created	C:\Windows\Installer\e580438.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC569.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3479232320\3556206279.pri	SRManager.exe
File opened for modification	C:\Windows\Installer\e58043a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI446F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50C.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8E3.tmp	msiexec.exe
File created	C:\Windows\Installer\e58043e.msi	msiexec.exe
File created	C:\Windows\Installer\e58043f.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9511601E-12FF-4972-BF9C-2992F2CA5A32}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50C.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\e580434.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEFB1.tmp	msiexec.exe
File created	C:\Windows\Installer\e580433.msi	msiexec.exe
File created	C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\rescache\_merged\92721896\3797041133.pri	SRManager.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI50C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e580431.msi	msiexec.exe
File created	C:\Windows\rescache\_merged\1045417640\2701674316.pri	SRManager.exe
File opened for modification	C:\Windows\Installer\e580444.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1471.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECB3.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3628602599\3460428083.pri	SRManager.exe
File opened for modification	C:\Windows\Installer\MSI5AFC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBED0.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8CDACE3C-0064-4A17-A02C-49F831D5F73A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59E2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI48E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6979.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5683.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI554A.tmp	msiexec.exe
File created	C:\Windows\Installer\e580448.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI11D1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	msiexec.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2188	sc.exe
4604	sc.exe
1464	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 3 IoCs

installer

resource	yara_rule
behavioral1/files/0x0007000000023620-1578.dat	nsis_installer_2
behavioral1/files/0x0007000000023409-2006.dat	nsis_installer_1
behavioral1/files/0x0007000000023409-2006.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cda81468adccd8050000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cda814680000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cda81468000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcda81468000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cda8146800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
2484	taskkill.exe
4072	TaskKill.exe
4916	taskkill.exe
4604	taskkill.exe
2232	taskkill.exe
4092	taskkill.exe
1160	taskkill.exe
2356	taskkill.exe
1240	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SRServer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 0f000000010000003000000065b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e641400000001000000140000006837e0ebb63bf85f1186fbfe617b088865f44e424b0000000100000044000000430038004500350033003400450045003100320039004600320037004400350035003400360030004300450031003700460044003600320038003200310036005f000000180000000100000010000000ffac207997bb2cfe865570179ee037b95c000000010000000400000000100000190000000100000010000000a344f71a7a52a76ee49b74b1d8816b150300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c040000000100000010000000d91299e84355cd8d5a86795a0118b6e92000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.Search_cw5n1h2txyewy%5Cresources.pri\1d7e5369da0bc36\a01460c8	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\ISUPGRADE = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	6-0-13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	SRManager.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	Agent.Package.Availability.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	Agent.Package.Availability.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	Agent.Package.Availability.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-53501 = "Recommended Troubleshooting Client (HTTP/HTTPS Out)"	SRManager.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21\52C64B7E\@%SystemRoot%\system32\icsvc.dll,-707 = "Virtual Machine Monitoring (RPC)"	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SRManager.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\WOW64 = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	cscript.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 98110000d01f8bc638ead901	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	SRManager.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C\Blob = 5c0000000100000004000000001000000f000000010000003000000065b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e641400000001000000140000006837e0ebb63bf85f1186fbfe617b088865f44e42180000000100000010000000ffac207997bb2cfe865570179ee037b90300000001000000140000007b0f360b775f76c94a12ca48445aa2d2a875701c040000000100000010000000d91299e84355cd8d5a86795a0118b6e9190000000100000010000000a344f71a7a52a76ee49b74b1d8816b152000000001000000b4060000308206b030820498a003020102021008ad40b260d29c4c9f5ecda9bd93aed9300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3231303432393030303030305a170d3336303432383233353935395a3069310b300906035504061302555331173015060355040a130e44696769436572742c20496e632e3141303f060355040313384469676943657274205472757374656420473420436f6465205369676e696e6720525341343039362053484133383420323032312043413130820222300d06092a864886f70d01010105000382020f003082020a0282020100d5b42f42d028ad78b75dd539591bb18842f5338ceb3d819770c5bbc48526309fa48e68d85cf5eb342407e14b4fd37843f417d71edaf9d2d5671a524f0ea157fc8899c191cc81033e4d702464b38de2087d347d4c8057126b439a99f2c53b1ff2efcb475a13a64cb3012025f310d38bb2fb08f08ae09d09c065a7fa98804935873d5119e8902178452ea19f2ce118c21accc5ee93497042328ffbc6ea1cf3656891a24d4c8211485268de10bd14575de8181365c57fb24f852c48a4568435d6f92e9caa0015d137fe1a0694c27cc8ea1b32e6cac2f4a7a3030e74a5af39b6ab6012e3e8d6b9f731e1dcade418a0d8c1234747b3a10f6ea3ab6d9806831bb76a672dd2bd441a9210818fb03b09d7c79b325ac2ff6a60548b49c193ede1b45ce06feb26f98cd5b2f93810e6eace91f5bed3fb6f9361345cbc93452883362a66285fb073ce8b262506b283d45cf615194ced62e05e33f2e8e8ec0aa7b0032b91b23679bef7ad081e75a665ccbbe34850f377911afedb50a246c8615898f57c02163c8328ad3986ecd4b70d53d0f847e675308dec30937614a65b4b5d74614d3f129176debf58cb72102941f0d5c56d267668114113589adc262b01f4894d59db78cf814a3e40475fc98150738510232159608a6454c1cc211ae838197c661ccd78384530994fff634f4cbbaa0d0853417c583d47b3fab6ec8c320902cc6c3c0c56110203010001a38201593082015530120603551d130101ff040830060101ff020100301d0603551d0e041604146837e0ebb63bf85f1186fbfe617b088865f44e42301f0603551d23041830168014ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300e0603551d0f0101ff04040302018630130603551d25040c300a06082b06010505070303307706082b06010505070101046b3069302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304106082b060105050730028635687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63727430430603551d1f043c303a3038a036a0348632687474703a2f2f63726c332e64696769636572742e636f6d2f446967694365727454727573746564526f6f7447342e63726c301c0603551d20041530133007060567810c01033008060667810c010401300d06092a864886f70d01010c050003820201003a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CMicrosoft.Windows.AppRep.ChxApp_cw5n1h2txyewy%5Cresources.pri\1d5acddee1afafc\a01460c8\@{Microsoft.Windows.Apprep.ChxApp_1000.19041.1023.0_neutral_neutral_cw5n1h2t = "Windows Defender SmartScreen"	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	SRManager.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CTLs	cscript.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB130D6C83AD1AE4B81E6756AFD822F7\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\Version = "808962985"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{8CDACE3C-0064-4A17-A02C-49F831D5F73A}v48.55.52137\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\DisplayName = "Microsoft .NET Host - 6.0.13 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB130D6C83AD1AE4B81E6756AFD822F7\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\DisplayName = "Microsoft .NET Runtime - 6.0.13 (x64)"	dotnet-runtime-6.0.13-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\600BD0F53EA263D408775642F76D784D\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x64\Dependents\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}	dotnet-runtime-6.0.13-win-x64.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\PackageCode = "7C9D16C6A32B9544D8C0852A372E34EB"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}	dotnet-runtime-6.0.13-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_48.55.52137_x64\DisplayName = "Microsoft .NET Runtime - 6.0.13 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{5F0DB006-2AE3-4D36-8077-65247FD687D4}v48.55.52137\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x64\Version = "48.55.52137"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1061159FF212794FBC992292FACA523\Provider	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\BB130D6C83AD1AE4B81E6756AFD822F7\INSTALLFOLDER_files_Feature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_48.55.52137_x64	dotnet-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959\E1061159FF212794FBC992292FACA523	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64	dotnet-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB130D6C83AD1AE4B81E6756AFD822F7\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB130D6C83AD1AE4B81E6756AFD822F7\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\Version = "6.0.13.31930"	dotnet-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\PackageCode = "4B43BFF14B20EEE4CA4A4249A1E8ED5E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\PackageCode = "E16DED461D8D9AC4092FFCDE75D32EAA"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Version = "48.55.52137"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\SourceList\PackageName = "dotnet-host-6.0.13-win-x64.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\ = "{ac916c06-1c22-495e-ae7e-b4e24fbbed14}"	dotnet-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductName = "Splashtop Streamer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\unpack\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\URL Protocol	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\ProductName = "Microsoft .NET Host - 6.0.13 (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\600BD0F53EA263D408775642F76D784D\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\ProductName = "Microsoft .NET Runtime - 6.0.13 (x64)"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C61AF4A983356BD7017B5363DF2BCFC2\C3ECADC8460071A40AC2948F135D7FA3	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DF94EABFBF456B47F477CDE6962FE1CF	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C61AF4A983356BD7017B5363DF2BCFC2	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1061159FF212794FBC992292FACA523\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_48.3.31210_x64\Dependents	dotnet-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\600BD0F53EA263D408775642F76D784D\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C3ECADC8460071A40AC2948F135D7FA3\ProductName = "Microsoft .NET Host FX Resolver - 6.0.13 (x64)"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\094F9C7997352096B7082D27C35AD959	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\BB130D6C83AD1AE4B81E6756AFD822F7\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\PackageName = "setup.msi"	msiexec.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4424	regedit.exe
1284	regedit.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4504	msiexec.exe
4504	msiexec.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
4944	AgentPackageTicketing.exe
4944	AgentPackageTicketing.exe
3680	AgentPackageUpgradeAgent.exe
3680	AgentPackageUpgradeAgent.exe
3800	AgentPackageInternalPoller.exe
3800	AgentPackageInternalPoller.exe
1172	AgentPackageSTRemote.exe
1172	AgentPackageSTRemote.exe
4204	AgentPackageMonitoring.exe
4204	AgentPackageMonitoring.exe
3016	AgentPackageRuntimeInstaller.exe
3016	AgentPackageRuntimeInstaller.exe
1512	AteraAgent.exe
1512	AteraAgent.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
4180	SetupUtil.exe
184	SetupUtil.exe
184	SetupUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	316	msiexec.exe
Token: SeSecurityPrivilege	4504	msiexec.exe
Token: SeCreateTokenPrivilege	316	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	316	msiexec.exe
Token: SeLockMemoryPrivilege	316	msiexec.exe
Token: SeIncreaseQuotaPrivilege	316	msiexec.exe
Token: SeMachineAccountPrivilege	316	msiexec.exe
Token: SeTcbPrivilege	316	msiexec.exe
Token: SeSecurityPrivilege	316	msiexec.exe
Token: SeTakeOwnershipPrivilege	316	msiexec.exe
Token: SeLoadDriverPrivilege	316	msiexec.exe
Token: SeSystemProfilePrivilege	316	msiexec.exe
Token: SeSystemtimePrivilege	316	msiexec.exe
Token: SeProfSingleProcessPrivilege	316	msiexec.exe
Token: SeIncBasePriorityPrivilege	316	msiexec.exe
Token: SeCreatePagefilePrivilege	316	msiexec.exe
Token: SeCreatePermanentPrivilege	316	msiexec.exe
Token: SeBackupPrivilege	316	msiexec.exe
Token: SeRestorePrivilege	316	msiexec.exe
Token: SeShutdownPrivilege	316	msiexec.exe
Token: SeDebugPrivilege	316	msiexec.exe
Token: SeAuditPrivilege	316	msiexec.exe
Token: SeSystemEnvironmentPrivilege	316	msiexec.exe
Token: SeChangeNotifyPrivilege	316	msiexec.exe
Token: SeRemoteShutdownPrivilege	316	msiexec.exe
Token: SeUndockPrivilege	316	msiexec.exe
Token: SeSyncAgentPrivilege	316	msiexec.exe
Token: SeEnableDelegationPrivilege	316	msiexec.exe
Token: SeManageVolumePrivilege	316	msiexec.exe
Token: SeImpersonatePrivilege	316	msiexec.exe
Token: SeCreateGlobalPrivilege	316	msiexec.exe
Token: SeBackupPrivilege	3184	vssvc.exe
Token: SeRestorePrivilege	3184	vssvc.exe
Token: SeAuditPrivilege	3184	vssvc.exe
Token: SeBackupPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeDebugPrivilege	4072	TaskKill.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe
Token: SeRestorePrivilege	4504	msiexec.exe
Token: SeTakeOwnershipPrivilege	4504	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
316	msiexec.exe
316	msiexec.exe
3296	SRServer.exe
3296	SRServer.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5116	SplashtopStreamer.exe
3296	SRServer.exe
1704	SRAppPB.exe
1704	SRAppPB.exe
5020	SRDetect.exe
3296	SRServer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 2840	4504	msiexec.exe	91
PID 4504 wrote to memory of 2840	4504	msiexec.exe	91
PID 4504 wrote to memory of 4912	4504	msiexec.exe	94
PID 4504 wrote to memory of 4912	4504	msiexec.exe	94
PID 4912 wrote to memory of 3052	4912	MsiExec.exe	95
PID 4912 wrote to memory of 3052	4912	MsiExec.exe	95
PID 4504 wrote to memory of 4124	4504	msiexec.exe	96
PID 4504 wrote to memory of 4124	4504	msiexec.exe	96
PID 4504 wrote to memory of 4124	4504	msiexec.exe	96
PID 4504 wrote to memory of 952	4504	msiexec.exe	97
PID 4504 wrote to memory of 952	4504	msiexec.exe	97
PID 4504 wrote to memory of 952	4504	msiexec.exe	97
PID 952 wrote to memory of 4872	952	MsiExec.exe	98
PID 952 wrote to memory of 4872	952	MsiExec.exe	98
PID 952 wrote to memory of 4872	952	MsiExec.exe	98
PID 952 wrote to memory of 4072	952	MsiExec.exe	101
PID 952 wrote to memory of 4072	952	MsiExec.exe	101
PID 952 wrote to memory of 4072	952	MsiExec.exe	101
PID 4504 wrote to memory of 3800	4504	msiexec.exe	103
PID 4504 wrote to memory of 3800	4504	msiexec.exe	103
PID 1512 wrote to memory of 2188	1512	AteraAgent.exe	105
PID 1512 wrote to memory of 2188	1512	AteraAgent.exe	105
PID 1512 wrote to memory of 3372	1512	AteraAgent.exe	108
PID 1512 wrote to memory of 3372	1512	AteraAgent.exe	108
PID 1512 wrote to memory of 2884	1512	AteraAgent.exe	110
PID 1512 wrote to memory of 2884	1512	AteraAgent.exe	110
PID 1512 wrote to memory of 2508	1512	AteraAgent.exe	112
PID 1512 wrote to memory of 2508	1512	AteraAgent.exe	112
PID 1512 wrote to memory of 4204	1512	AteraAgent.exe	137
PID 1512 wrote to memory of 4204	1512	AteraAgent.exe	137
PID 1512 wrote to memory of 3416	1512	AteraAgent.exe	136
PID 1512 wrote to memory of 3416	1512	AteraAgent.exe	136
PID 1512 wrote to memory of 1408	1512	AteraAgent.exe	135
PID 1512 wrote to memory of 1408	1512	AteraAgent.exe	135
PID 1512 wrote to memory of 228	1512	AteraAgent.exe	133
PID 1512 wrote to memory of 228	1512	AteraAgent.exe	133
PID 1512 wrote to memory of 1712	1512	AteraAgent.exe	131
PID 1512 wrote to memory of 1712	1512	AteraAgent.exe	131
PID 1512 wrote to memory of 1172	1512	AteraAgent.exe	116
PID 1512 wrote to memory of 1172	1512	AteraAgent.exe	116
PID 1512 wrote to memory of 4944	1512	AteraAgent.exe	128
PID 1512 wrote to memory of 4944	1512	AteraAgent.exe	128
PID 2884 wrote to memory of 3680	2884	AgentPackageUpgradeAgent.exe	126
PID 2884 wrote to memory of 3680	2884	AgentPackageUpgradeAgent.exe	126
PID 1512 wrote to memory of 4120	1512	AteraAgent.exe	124
PID 1512 wrote to memory of 4120	1512	AteraAgent.exe	124
PID 1512 wrote to memory of 3800	1512	AteraAgent.exe	122
PID 1512 wrote to memory of 3800	1512	AteraAgent.exe	122
PID 1512 wrote to memory of 4744	1512	AteraAgent.exe	120
PID 1512 wrote to memory of 4744	1512	AteraAgent.exe	120
PID 1512 wrote to memory of 3016	1512	AteraAgent.exe	117
PID 1512 wrote to memory of 3016	1512	AteraAgent.exe	117
PID 3016 wrote to memory of 4460	3016	AgentPackageRuntimeInstaller.exe	139
PID 3016 wrote to memory of 4460	3016	AgentPackageRuntimeInstaller.exe	139
PID 1512 wrote to memory of 4620	1512	AteraAgent.exe	140
PID 1512 wrote to memory of 4620	1512	AteraAgent.exe	140
PID 1408 wrote to memory of 1464	1408	AgentPackageAgentInformation.exe	145
PID 1408 wrote to memory of 1464	1408	AgentPackageAgentInformation.exe	145
PID 1464 wrote to memory of 2768	1464	cmd.exe	143
PID 1464 wrote to memory of 2768	1464	cmd.exe	143
PID 1172 wrote to memory of 5116	1172	AgentPackageSTRemote.exe	146
PID 1172 wrote to memory of 5116	1172	AgentPackageSTRemote.exe	146
PID 1172 wrote to memory of 5116	1172	AgentPackageSTRemote.exe	146
PID 5116 wrote to memory of 3968	5116	SplashtopStreamer.exe	147

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdobeAcrobat.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:316

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2840
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding EB1B1C0289E463B231D0278263EDCB81
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI50C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240649656 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    PID:3052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7595E6D57F5F31FAE5953B4BA6FAA58C
  2⤵
  - Loads dropped DLL
  PID:4124
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C1369280C393DC95257B881C99239A08 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:952
- - C:\Windows\SysWOW64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    PID:4872
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      PID:2984
- - C:\Windows\SysWOW64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4072
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000000xVB4IAM"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:3800
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 46B29FC6B3EEE48C2CC0DEA4BEE643BB E Global\MSI0000
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:2240
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1E245822-8EF1-4AC5-861D-4F17B9F38829}
    3⤵
    - Executes dropped EXE
    PID:2892
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77AA5F67-018D-49D2-9F73-9E9BCCAF4DD6}
    3⤵
    - Executes dropped EXE
    PID:4508
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{949FA756-5D39-401F-B7FD-16D49D63739C}
    3⤵
    PID:2236
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B4915853-3A5E-4D2D-8181-31AB54C263AC}
    3⤵
    - Executes dropped EXE
    PID:4124
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77B0BE2F-EBC2-403A-8AF4-29D63E284536}
    3⤵
    - Executes dropped EXE
    PID:1472
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F3A7E14-7C44-42E0-907B-85EEB1B8CA82}
    3⤵
    - Executes dropped EXE
    PID:5020
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C8D47D66-C23B-459F-BA70-21C4B936045F}
    3⤵
    - Executes dropped EXE
    PID:4836
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5CD8401B-9D0D-4321-B9BA-7EC815259398}
    3⤵
    - Executes dropped EXE
    PID:2012
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4E1FC326-6E0C-4FF3-949D-EC317460B158}
    3⤵
    - Executes dropped EXE
    PID:4664
- - C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe
    C:\Windows\TEMP\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isF112.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E6453302-A19F-4669-9499-6E573CC221EE}
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
    3⤵
    PID:2196
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRServer.exe /T
      4⤵
      Kills process with taskkill
      PID:1160
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
    3⤵
    PID:2020
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRApp.exe /T
      4⤵
      Kills process with taskkill
      PID:4916
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
    3⤵
    PID:4640
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAppPB.exe /T
      4⤵
      Kills process with taskkill
      PID:4604
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
    3⤵
    PID:2160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRFeature.exe /T
      4⤵
      Kills process with taskkill
      PID:2232
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
    3⤵
    PID:1160
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRFeatMini.exe /T
      4⤵
      Kills process with taskkill
      PID:4092
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
    3⤵
    PID:3880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRManager.exe /T
      4⤵
      Kills process with taskkill
      PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
    3⤵
    PID:1128
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAgent.exe /T
      4⤵
      Kills process with taskkill
      PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
    3⤵
    PID:1584
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRChat.exe /T
      4⤵
      Kills process with taskkill
      PID:1240
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D16D149-16E4-4C83-A11A-C7527EAFF8A6}
    3⤵
    - Executes dropped EXE
    PID:3608
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03BF90C8-635E-42EB-8076-5D755DB7F4B0}
    3⤵
    - Executes dropped EXE
    PID:1724
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{931C2F78-4208-4E42-8E6B-C0E153121C41}
    3⤵
    - Executes dropped EXE
    PID:1852
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D5F8B23-FB04-4C50-A740-0E58B57270E1}
    3⤵
    - Executes dropped EXE
    PID:3460
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{148B0293-0620-44E0-98FB-0C094B24F9B9}
    3⤵
    - Executes dropped EXE
    PID:4652
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D30B3C01-BCA2-4CEF-A5E3-3F7BA5B3EBC0}
    3⤵
    - Executes dropped EXE
    PID:5096
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B4005A9F-CA5C-4F58-9FA9-AC88289D74A8}
    3⤵
    - Executes dropped EXE
    PID:4412
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2FE1A4E5-E0C4-4B90-A732-95F39EBA9B41}
    3⤵
    - Executes dropped EXE
    PID:1516
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C0972F08-1387-4629-89FB-4ADFB56BBB1D}
    3⤵
    - Executes dropped EXE
    PID:3780
- - C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe
    C:\Windows\TEMP\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{51F958FA-27B0-409E-A6AC-8C4F97184890}
    3⤵
    - Executes dropped EXE
    PID:3988
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E4555852-36CB-44FB-BC3A-8321B8F8C7C4}
    3⤵
    - Executes dropped EXE
    PID:2900
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0F824E36-573C-4FF4-900A-AE88361BB320}
    3⤵
    - Executes dropped EXE
    PID:3608
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D327317D-8EFE-4E3E-BDAF-51A9B1A71B48}
    3⤵
    - Executes dropped EXE
    PID:4388
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2CA92C08-4514-4D93-A9A5-7A96983A0A1D}
    3⤵
    - Executes dropped EXE
    PID:2704
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3139A052-AFCF-4D0F-B511-CBABB97C50C1}
    3⤵
    - Executes dropped EXE
    PID:1616
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1BA584F2-1B16-4B74-938D-1243A3DA68AC}
    3⤵
    - Executes dropped EXE
    PID:4004
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E1834D8-72A8-4FEC-B48E-42751CB7DDE7}
    3⤵
    - Executes dropped EXE
    PID:1800
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2524A8E3-D0A6-4F35-9B0E-B67591C4BFCA}
    3⤵
    - Executes dropped EXE
    PID:4604
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8DEB9684-717E-4BA8-B953-BC75F5894826}
    3⤵
    - Executes dropped EXE
    PID:3920
- - C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe
    C:\Windows\TEMP\{4556E93D-1ABC-4D0B-916B-A45B8247B036}\_is7D85.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6145FE04-EA6F-42BC-BB8E-9FD209E1236C}
    3⤵
    - Executes dropped EXE
    PID:3816
- - C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\SetupUtil.exe
    C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\SetupUtil.exe /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:4180
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s "C:\Windows\TEMP\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\InstRegExp.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4424
- - C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\SetupUtil.exe
    C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\SetupUtil.exe /P USERSESSIONID
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:184
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s "C:\Windows\TEMP\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\InstRegExp.reg"
    3⤵
    - Runs .reg file with regedit
    PID:1284
- - C:\Windows\SysWOW64\reg.exe
    reg.exe import "C:\Windows\TEMP\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\CredProvider_Inst.reg" /reg:64
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:3064
- - C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\SetupUtil.exe
    C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\SetupUtil.exe /P ST_EVENT
    3⤵
    - Executes dropped EXE
    PID:4412
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
      4⤵
      PID:4220
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
      4⤵
      PID:1120
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe
    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g
    3⤵
    - Executes dropped EXE
    PID:2840
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9DFB0335-35EF-427B-A584-8A16D6050966}
    3⤵
    - Executes dropped EXE
    PID:2236
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{790EE59F-3BB4-455A-90C6-070C115C8025}
    3⤵
    - Executes dropped EXE
    PID:3920
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{14A54F23-D5F2-446E-8296-333A80385FE7}
    3⤵
    - Executes dropped EXE
    PID:388
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19473217-4397-4482-9996-E0ACA0BE65DB}
    3⤵
    - Executes dropped EXE
    PID:2104
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D5AA6266-2AA3-4EDE-B8F3-C970349A104C}
    3⤵
    - Executes dropped EXE
    PID:4820
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1FC6AA88-8F6A-4970-B504-209539692F5F}
    3⤵
    - Executes dropped EXE
    PID:2796
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{09F70E54-DE28-4830-B734-F036083E5B27}
    3⤵
    PID:432
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{376F8151-E496-430F-B778-7F40A0008CEC}
    3⤵
    PID:1120
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{629CB9FE-1523-4380-8ED0-5DC9039AC842}
    3⤵
    PID:3368
- - C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe
    C:\Windows\TEMP\{FA9882B7-9C2F-40BC-B919-E1BFA365E29C}\_is9A66.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CD5FE454-4BDD-42DC-ADCA-51FEDDBEBDF2}
    3⤵
    PID:4232
- - C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\SSU_Clean.exe
    C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\SSU_Clean.exe /S
    3⤵
    PID:1628
- - C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\Splashtop_Software_Updater.exe
    C:\Windows\Temp\{4FF949EC-6A84-4772-A8A1-67614CF721CA}\Splashtop_Software_Updater.exe /S /Caller=SVR
    3⤵
    - Loads dropped DLL
    PID:4688
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA06E868-9074-4C3D-81CA-4E7D977DBB18}
    3⤵
    PID:4604
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9EB4AD44-C5D1-491B-9812-5C92DB8AFED9}
    3⤵
    PID:4920
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{209FB793-8AEF-4FB6-889E-68ED2852D931}
    3⤵
    PID:4116
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C2781000-01FB-4023-9964-ED2A81D8F70D}
    3⤵
    PID:1372
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7797D27-ADA7-4FED-A73F-D08D37444505}
    3⤵
    PID:4804
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{822958DD-BAD6-46D5-840A-35B93B3ACF7F}
    3⤵
    PID:4164
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3FF9D26F-F294-40E0-9948-E3AABA5EB81A}
    3⤵
    PID:3732
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{096C15FD-570B-4032-9B9C-E5D59421E80D}
    3⤵
    PID:1040
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA4D450D-115A-4189-9FD4-0340F760D451}
    3⤵
    PID:5020
- - C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe
    C:\Windows\TEMP\{40ED1F0D-0FC1-4BAC-BFAB-D3D6C07AF3C6}\_isB949.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E1E89E40-8103-4AAE-8F05-EB8B95B030BB}
    3⤵
    PID:4124
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i
    3⤵
    - Registers COM server for autorun
    PID:4500
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90E8763F-A8E8-472C-8231-FC03A5E5E64D}
    3⤵
    PID:776
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{98E05E52-5FD2-4187-8815-1417DF89F6EF}
    3⤵
    PID:2292
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6FB9728E-0B5D-4430-A911-67B7C0E4A739}
    3⤵
    PID:2448
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8A98A15F-FD61-4088-A714-CC7905065826}
    3⤵
    PID:1400
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{326B5860-70DB-41F1-B32E-9601443CF884}
    3⤵
    PID:3228
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F87C972C-3615-49E1-8098-5BFB8D207171}
    3⤵
    PID:4540
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90558613-BBA2-4D2D-936A-1E22685FB092}
    3⤵
    PID:1276
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ADA9FA29-008B-4A58-85B2-54FB1C6378FB}
    3⤵
    PID:4220
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{656CE755-A67B-4259-B4FE-EC5C0B1AA07D}
    3⤵
    PID:388
- - C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe
    C:\Windows\TEMP\{F5F4CBF0-8182-4189-8E17-EE0C0A0E702A}\_isBF93.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{962FB108-5D07-469D-8FDB-FB74D3F617B0}
    3⤵
    PID:4568
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r
    3⤵
    PID:1848
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6D3E50EE-2F97-438D-97D9-52D02390A793}
    3⤵
    PID:3960
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{70AAC1BC-A9B9-4B36-B3BA-6C4FBC52C57B}
    3⤵
    PID:1276
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{741B0D4A-CE6B-4AA8-8BD4-B3DF9E095DCD}
    3⤵
    PID:4220
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{076CBD9A-0394-44C9-978C-EF0CCD24A552}
    3⤵
    PID:388
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B156B67F-2433-4F6B-9BE4-7A330EC8BD17}
    3⤵
    PID:4568
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6D39DE10-80ED-48CE-9F72-00ECCBF012E4}
    3⤵
    PID:4492
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{04C32FFC-94F8-4133-B9F6-B7F63B225868}
    3⤵
    PID:4232
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B2222C3-B7AD-4DC9-82BD-2097AAE3E35A}
    3⤵
    PID:3476
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{419D82F2-8668-49BF-BF30-89F1D71027A9}
    3⤵
    PID:4804
- - C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe
    C:\Windows\TEMP\{916EBCD2-5470-42D5-87D7-A113842720B6}\_isC5CE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{276F1A8F-2B6A-4656-B82C-D4EEA6A9DDE4}
    3⤵
    PID:488
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 174CF952B88503E078C78BA1DD2A5819 E Global\MSI0000
  2⤵
  PID:964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 6F71010A9E377E07D4B3454CB724792B E Global\MSI0000
  2⤵
  PID:2880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D0AC6CF9ECCFDE1E45E4F7AA328FEAE0 E Global\MSI0000
  2⤵
  PID:4904

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1512
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:2188
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "cd995c5c-4d0b-44d3-97df-82f740b932a2" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3372
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" daece93b-774d-4b66-876c-a311fa956f26 "3b387f8e-0885-4c69-a77d-0c69feedbd7f" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
    "C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "daece93b-774d-4b66-876c-a311fa956f26" "3b387f8e-0885-4c69-a77d-0c69feedbd7f" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3680
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" daece93b-774d-4b66-876c-a311fa956f26 "007c4be5-e653-4a28-8b4d-6b4e04e03c90" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
  2⤵
  - Executes dropped EXE
  PID:2508
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\TEMP\SplashtopStreamer.exe
    "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:5116
  - - C:\Windows\Temp\unpack\PreVerCheck.exe
      "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
      4⤵
      Executes dropped EXE
      PID:3968
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
        5⤵
        
        PID:2764
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ"
    3⤵
    PID:3188
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_session_pwd=8e254088075ec8bc27ccc5a1e0bcedb7&rmm_session_pwd_ttl=86400"
    3⤵
    PID:1896
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" daece93b-774d-4b66-876c-a311fa956f26 "10105e19-29a2-4c12-b97e-bd43d5854893" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjEzIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2FhM2IzMTUwLTgwY2ItNGQzMC04N2Y4LWRjMzZmYTFkY2YyNi84ZWM5ZmY2ODM2ODI4MTc1ZjFhNmE2MGFlZmQ0ZTYzYi9kb3RuZXQtcnVudGltZS02LjAuMTMtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yZWYxMjM1Ny00OTliLTRhNWItYTQ4OC1kYTQ1YTVmMzEwZTYvZmJlMzVjMzU0YmZiNTA5MzRhOTc2ZmM5MWM2ZDhkODEvZG90bmV0LXJ1bnRpbWUtNi4wLjEzLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzVmZTE3M2VhLTRjNTgtNGE4ZC1iOGU1LTVjN2VhN2M1OTAxMS9hMTkzNmUxMjM5ZTU5ZGM0ZGY1OGExYmMzZGI1MjdjMy9kb3RuZXQtcnVudGltZS02LjAuMTMtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80MzZiY2U2YS1mM2U3LTQ0OGUtOTI3OS1kNThmMWUzOWFiOGEvOWY1YzdlZDM3NzI5NGNjOGUwMjhlOTAwNTQwNjMyZDUvZG90bmV0LXJ1bnRpbWUtNi4wLjEzLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzVmMDk1Y2JiLWFmNmMtNGQyMC05MDlkLTg3ZGI1Mzg3OTM3MC9kNGM2ZjM4MGE5YTY4ZmM4NTNiZDg5MTE4OWYzYzk3NS9kb3RuZXQtcnVudGltZS02LjAuMTMtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlM1WTRyU0syVmtpbWcyd01pSEVGZUI2N2U5YTBIZG9ocE13TkZ1TEVJTGpXaVNQVnpYXHUwMDJCSjNPUFJ5aUVZQmlmdkZcdTAwMkI0bnN4aTVcdTAwMkJzSG4wMGN0cU13UTZBPT0iLCJNYWNYNjRDaGVja3N1bSI6IjRqSVl1dGhzTDU4dnV0cWlkZHNGMk1pQ3NcdTAwMkJBRTBUN2FWMVgwXHUwMDJCMk1FWFNSQ0xXdGdqM0x0MklldmVxZ2l1UUVsU2VxNVF1TGJybkRjSHBRbEVpd0N3QT09IiwiV2luQVJNQ2hlY2tzdW0iOiJkLzBlWkR4L0VTSE92dUM1RURKdU4yOTFqckllYnVKTXdjdUxsV2RLOGp0Ym1kbVNYUGNhVzBpOFx1MDAyQk9kdGJwcC9SaG9TMXk3SC9mOVlTTWd6aFVPY3NBPT0iLCJXaW5YNjRDaGVja3N1bSI6InNQdmlCM3VQQVpXRG53YVZoM3YwVEpjYWRUMmNLa0d0MXVNQUM5YzBwTXNNYnduZ01IUkN3ZmxjZTlxUWNjSzJNXHUwMDJCb1BSM2t6NVpNZmh1MlA1SmdvVWc9PSIsIldpblg4NkNoZWNrc3VtIjoicTE2UjdyUzZpcjR3RW1YMTZIQVJhUThtWDByNDNhek9IODZKOXpISkNpVzlmWklhS2VYL1hvbUJrQ2xocXZxSzhIeDVuNTA2R0k4MTBPakRmbG50Y3c9PSIsIldvcmtzcGFjZUlkIjoiYmYwY2U0OWQtNzdjZi00NzIxLWJmNzAtNTc2ODYzODNjOWFiIiwiTG9nTmFtZSI6IkRvdE5ldFJ1bnRpbWVJbnN0YWxsYXRpb25SZXBvcnQiLCJTaGFyZWRLZXkiOiJqVUlTL1Q5Q1JWRGVLeFlnNFVyM2FDaGhXUXVjWTdQVnZ3ZzB6SHVxSnNjclRqalEyTHdLNlVqZnU3Y0EyTnByQVIwci9TUkFYSllZbGRQS0tGeUtLUT09In0="
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
    3⤵
    PID:4460
- - C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" /repair /quiet /norestart
    3⤵
    - Executes dropped EXE
    PID:4912
  - - C:\Windows\Temp\{FFFCB196-8D6F-493D-A277-A8D7901AE4C5}\.cr\6-0-13.exe
      "C:\Windows\Temp\{FFFCB196-8D6F-493D-A277-A8D7901AE4C5}\.cr\6-0-13.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /repair /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      PID:2588
    - - C:\Windows\Temp\{70BA51D4-E441-47AE-88C2-061E6B95BD64}\.be\dotnet-runtime-6.0.13-win-x64.exe
        
        "C:\Windows\Temp\{70BA51D4-E441-47AE-88C2-061E6B95BD64}\.be\dotnet-runtime-6.0.13-win-x64.exe" -q -burn.elevated BurnPipe.{417C7C0D-0E88-4395-BA7B-0E5BB50FED06} {B8D60426-7AE8-4E13-9048-F0E3D17200F5} 2588
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:2700
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
    3⤵
    PID:3924
- - C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" /repair /quiet /norestart
    3⤵
    PID:3236
  - - C:\Windows\Temp\{32618A66-DE7A-472D-B342-DF73A377C6F0}\.cr\6-0-13.exe
      "C:\Windows\Temp\{32618A66-DE7A-472D-B342-DF73A377C6F0}\.cr\6-0-13.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" -burn.filehandle.attached=564 -burn.filehandle.self=568 /repair /quiet /norestart
      4⤵
      PID:2932
    - - C:\Windows\Temp\{73F5B2E0-9386-496E-BA91-DB70F5ECB684}\.be\dotnet-runtime-6.0.13-win-x64.exe
        
        "C:\Windows\Temp\{73F5B2E0-9386-496E-BA91-DB70F5ECB684}\.be\dotnet-runtime-6.0.13-win-x64.exe" -q -burn.elevated BurnPipe.{89452E69-DC3F-47E5-9074-9DC6AB2D87EE} {5EC7E0CB-EBFE-4B21-93A7-CC46D59FBB82} 2932
        5⤵
        Adds Run key to start application
        Modifies registry class
        
        PID:1804
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
    3⤵
    PID:1088
- - C:\Program Files\dotnet\dotnet.exe
    "C:\Program Files\dotnet\dotnet" --list-runtimes
    3⤵
    PID:1948
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
    3⤵
    PID:3032
- - C:\Program Files\dotnet\dotnet.exe
    "C:\Program Files\dotnet\dotnet" --list-runtimes
    3⤵
    PID:1896
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4744
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3800
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" daece93b-774d-4b66-876c-a311fa956f26 "4cecf01d-385b-4479-85d7-c613603584a6" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4120
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" daece93b-774d-4b66-876c-a311fa956f26 "eb8c3db2-b376-41b5-bb17-d1b22da7c8cd" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" daece93b-774d-4b66-876c-a311fa956f26 "32121414-da61-409a-b8f0-54ac5df15c26" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  PID:1712
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" daece93b-774d-4b66-876c-a311fa956f26 "b567d5f1-14a0-4b9e-86b5-277a8f9bb34e" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:228
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" daece93b-774d-4b66-876c-a311fa956f26 "cd8f37ed-0d06-4fd0-a289-899410fb9031" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1408
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1464
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" daece93b-774d-4b66-876c-a311fa956f26 "adf8d30f-02fe-47c8-a91b-9b2ba17fdbc6" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:3416
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" daece93b-774d-4b66-876c-a311fa956f26 "12e17d16-9cfb-4694-850f-d21ad80c3e5f" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4620
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Executes dropped EXE
  PID:2420
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1796
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" daece93b-774d-4b66-876c-a311fa956f26 "007c4be5-e653-4a28-8b4d-6b4e04e03c90" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
  2⤵
  PID:3304
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:5020
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:788
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:856
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" daece93b-774d-4b66-876c-a311fa956f26 "007c4be5-e653-4a28-8b4d-6b4e04e03c90" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
  2⤵
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:2440
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:3776
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:4336
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1660
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:3164
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" daece93b-774d-4b66-876c-a311fa956f26 "007c4be5-e653-4a28-8b4d-6b4e04e03c90" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
  2⤵
  PID:4176
- - C:\Windows\TEMP\Agent.Package.Availability\Agent.Package.Availability.exe
    "C:\Windows\TEMP\Agent.Package.Availability\Agent.Package.Availability.exe" daece93b-774d-4b66-876c-a311fa956f26 007c4be5-e653-4a28-8b4d-6b4e04e03c90 agent-api.atera.com/Production 443 or8ixLi90Mf connect
    3⤵
    PID:3256
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1160
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:2172
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4884
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:4612
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4596
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:2084
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" daece93b-774d-4b66-876c-a311fa956f26 "87fbf503-ffc6-4d95-a6bc-efc256d946e7" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  PID:2388
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:3968
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" daece93b-774d-4b66-876c-a311fa956f26 "909fa070-8e82-4e08-bba8-90081597d0b2" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"
  2⤵
  PID:3048
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
    3⤵
    PID:960
  - - C:\Windows\system32\cscript.exe
      cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
      4⤵
      Modifies data under HKEY_USERS
      PID:4960
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
    3⤵
    PID:1584
  - - C:\Windows\system32\cscript.exe
      cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
      4⤵
      Modifies data under HKEY_USERS
      PID:220
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "18617087-78cd-41aa-b926-13dc87ec0470" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"
  2⤵
  PID:2220
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:1628
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2492
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4068
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:4496
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2044
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  - Drops file in Program Files directory
  PID:2440
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:996
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4580
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:2680
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2348
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2884
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:3932
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:2932
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2908
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:2308
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1408
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:3280
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2756
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:1172
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4580
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:4448
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4420
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:4672
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4124
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:3040
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:4788
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2876
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:3920
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:2372
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1320
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:4756
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:4536
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4128
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:2440
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2588
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2876
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:1180
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:3932
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:4068
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:1796
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2084
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:5004
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:3236
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:2120
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Modifies data under HKEY_USERS
  PID:992
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:3400
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2716
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:1276
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2704
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:1992
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:2840
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4936
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:3232
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Modifies data under HKEY_USERS
  PID:816
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:2012
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:5060
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:4476
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1580
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1172
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:1080
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:3852
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:1184
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:4800
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2488
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:768
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:752
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:648
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4716
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:1908
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:5004
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:2696
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4616
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:2980
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4180
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:1168
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:1372
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Modifies data under HKEY_USERS
  PID:5004
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2884
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2160
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:3920
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:3084
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:3284
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:3048
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:60
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:3608
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1992
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:3932
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:2784
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1348
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:880
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4404
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:1320
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:1472
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Drops file in Program Files directory
  PID:4216
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:2828
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" daece93b-774d-4b66-876c-a311fa956f26 "f436449f-a8ca-43a3-87ce-728880a9b95d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  PID:4832
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2044
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" daece93b-774d-4b66-876c-a311fa956f26 "50f6cf16-2fa8-4a11-860b-486d30878d9f" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  PID:636
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" daece93b-774d-4b66-876c-a311fa956f26 "362c4f30-0280-422f-9bdc-f1c8737c6c72" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  PID:4964
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" daece93b-774d-4b66-876c-a311fa956f26 "5fcb12c2-6d80-4ab8-91d6-c0bc0ebfa164" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Writes to the Master Boot Record (MBR)
  PID:4700

C:\Windows\system32\cscript.exe
cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
1⤵
- Modifies data under HKEY_USERS
PID:2768

C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
"C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe"
1⤵
PID:2104

C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"
1⤵
PID:4940
- C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
  "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"
  2⤵
  - Sets service image path in registry
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:3376
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe
    -h
    3⤵
    - Loads dropped DLL
    - Modifies data under HKEY_USERS
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:3296
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c sc stop SSUService
      4⤵
      PID:816
    - - C:\Windows\system32\sc.exe
        
        sc stop SSUService
        5⤵
        Launches sc.exe
        
        PID:4604
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c sc config SSUService start=demand
      4⤵
      PID:2108
    - - C:\Windows\system32\sc.exe
        
        sc config SSUService start=demand
        5⤵
        Launches sc.exe
        
        PID:1464
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe" /S
      4⤵
      PID:4156
    - - C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe
        
        "C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe" /S
        5⤵
        
        PID:1160
      - C:\Windows\TEMP\~nsu.tmp\Au_.exe
        
        "C:\Windows\TEMP\~nsu.tmp\Au_.exe" /S _?=C:\Program Files (x86)\Splashtop\Splashtop Software Updater\
        6⤵
        Drops file in Program Files directory
        
        PID:3888
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"
    3⤵
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:3732
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe
    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:1704
- - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"
    3⤵
    - Loads dropped DLL
    PID:3636
  - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe
      "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe"
      4⤵
      Suspicious use of SetWindowsHookEx
      PID:5020
  - - C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
      SRUtility.exe -r
      4⤵
      PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e580432.rbs

Filesize
8KB

MD5
96a3e4a87c102fc9bc3924276a787da9

SHA1
bcae2e1aadc6ff4b1e951eafae3ba35fd31982c2

SHA256
dae4ab2272804e96a327dcdcc828f2eb7d11c1f1954c16acffcf499f32f80ea7

SHA512
0d373ea3360c786797235cb379e143f77eddca2eb1c78c26d9153f1ccd3572121cb0581fa234820cb0de33dd9f797ab96d8754e7cb137e7c60e35fde1e4c632b

Download Submit
C:\Config.Msi\e580437.rbs

Filesize
75KB

MD5
74c8700db068d8bb11309e039594edb7

SHA1
c371a8b550db349746f3dfb8506ec8a81ad4ac57

SHA256
a3ed6724302d2d14269f1f5382777cd07413417896295d596d2645f717067a46

SHA512
8cee55056345beba0d8ead89581735e95938deaa6fb04deead42edc3a4106c5373d220d6f2e1888cedd20e60b7058a5f09ea33368a3e5a0a5d6cba154ab42e24

Download Submit
C:\Config.Msi\e580439.rbs

Filesize
480B

MD5
f0452f1fb352d63fffc611de0182feb5

SHA1
36589b487ef8caa5e5ea4c6cc4c09ff1291d006f

SHA256
8c065dd01ee10db7596d979f44c2603ac76b99c2a797f7cb56c8e9e531fb9f35

SHA512
f3522203c14913ae8a108ca0359ada4cdf1492f45e821a8d2ff311396f6f57d5925ba9e30a725d70801482dec1a17a3fd5adb0a007c22ee019c01650f9885f2f

Download Submit
C:\Config.Msi\e58043d.rbs

Filesize
56KB

MD5
afbc9f3ee9f11cb03ab1c2034c1dabef

SHA1
f8b1109d1549178c782c6a22eeff07db36aa5698

SHA256
7e311d0933b857881b6f415edcfb5709f3c9b4333a389c000a8fdfbcf22609e1

SHA512
393c992143603cf0dc76dfb2977754823e6552f95174899b4f67e681681fd6bdd818baadf49a6f030efcbdb8193dd68bdaaf8d5ad112876328a76cd55faa2dea

Download Submit
C:\Config.Msi\e580442.rbs

Filesize
8KB

MD5
949cd8a390206a4c68ce022075b225c0

SHA1
9629001ebc92803512c8744c3be91bce96253f96

SHA256
fdd58b9807da0634ebe54a13169eed63b161731906c7fdce43f4b4031d363d4f

SHA512
72ea46c84e1a4154d18ee3e247729054d321c220ad46ff60b3ee966fa75ce79e8f7308fcb33f3fdc1f919de88fc7b6623c4b23c2af4c5d90d942af694a9f8d49

Download Submit
C:\Config.Msi\e580447.rbs

Filesize
10KB

MD5
52ba60c52fdbbcfb14297d336f2fcc49

SHA1
a5510d50b69c2e82f10b32e3e89eca79016601b8

SHA256
6a8014419f208001438b3ca2ed485e4ec5228bb4427bc0f76b5b15771e5235e5

SHA512
cb53c5b187ab4f0f582220baddb2a375eccdb4966c479e5d337ba5be89fb0ea60cfea95800792db42092d26a77e03fa5828a9372b3d83e8c80e5f9983f466db5

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Filesize
753B

MD5
8298451e4dee214334dd2e22b8996bdc

SHA1
bc429029cc6b42c59c417773ea5df8ae54dbb971

SHA256
6fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25

SHA512
cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Filesize
305B

MD5
27c1adfa459a0d4c1a3ee1e4e92f8e0e

SHA1
e21b1152b78827c8e59d84c541c190c099297632

SHA256
8e88d3edb3da0f6dfe4dc7716ab64256fab189429a6690b129d6789f7eeca49b

SHA512
f8f66043ad65be01a11e130ccedd14a1e638950bb95999e650f62362c05e81d413d330e87cc5fdade02776fc742ebf96331a3752ab80eda9931041089563ae36

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
140KB

MD5
3903a77b261e98112513a7aa6b26576b

SHA1
cdda48b92bac86f7a3cc184d9f1b4a353ebd9a37

SHA256
a108d13b7b274f8c03e2b7a804987ea885c611dd087562314e9dfee0796e7c12

SHA512
8ae88286d75e80034db85d96bd949ffb51d28ed191c41b2cb6efe7cd24d2ef27236991e72130282da6a2fcd5d4949f4f831261e55d231beee311565602c6cf09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
140KB

MD5
3903a77b261e98112513a7aa6b26576b

SHA1
cdda48b92bac86f7a3cc184d9f1b4a353ebd9a37

SHA256
a108d13b7b274f8c03e2b7a804987ea885c611dd087562314e9dfee0796e7c12

SHA512
8ae88286d75e80034db85d96bd949ffb51d28ed191c41b2cb6efe7cd24d2ef27236991e72130282da6a2fcd5d4949f4f831261e55d231beee311565602c6cf09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
140KB

MD5
3903a77b261e98112513a7aa6b26576b

SHA1
cdda48b92bac86f7a3cc184d9f1b4a353ebd9a37

SHA256
a108d13b7b274f8c03e2b7a804987ea885c611dd087562314e9dfee0796e7c12

SHA512
8ae88286d75e80034db85d96bd949ffb51d28ed191c41b2cb6efe7cd24d2ef27236991e72130282da6a2fcd5d4949f4f831261e55d231beee311565602c6cf09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

Filesize
209KB

MD5
8102239301d5ad14d672505a44363e6c

SHA1
d6ec9c0cb8014186c693f1725decf55663e73b5c

SHA256
4557217e9af11cceba839c10aac922a3c1f7462e2a41d7f0aaffdf56c9b42379

SHA512
26ea7a871cabc3568b778972ad57682196ab98c32b3255b4758ec9c35a156f2a9143417d6128c4aad288b0177710d230aef10ab06e8bf8a2964d703e427f876d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
14a140be1341919f7445e8052efc18bc

SHA1
f5ac65fd60d3ef395c0b304db0adead0acf72915

SHA256
5312a819e602e27e106af1e1bf679899501b769ea40889101e63eb7c02fc86d0

SHA512
927866121f710f5872bd61d8fac49a4fb48e8dccf1a86e46d6795389ae49020fcb22d050cc871f775c2571d666c966b8f691914593be5d94b60164c65f8a9270

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe

Filesize
154KB

MD5
e3ca6ba742fba06522ab0fe063c620de

SHA1
58f1e87ae1ac14cf043c1af4c21d00e4197c712b

SHA256
f03771bab23cb012beb6bce3618a45fa6d06e3783a67f5f78bf0d9f41a198079

SHA512
2de5d08a4a33c03f828244705e4dd25a39d7d56a82c5fb1e5512d10d133d30a6cfeb2dde182f13288e5e0bcab181d9b4636d65db2cf1cc54c834080af0348bcc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe

Filesize
154KB

MD5
e3ca6ba742fba06522ab0fe063c620de

SHA1
58f1e87ae1ac14cf043c1af4c21d00e4197c712b

SHA256
f03771bab23cb012beb6bce3618a45fa6d06e3783a67f5f78bf0d9f41a198079

SHA512
2de5d08a4a33c03f828244705e4dd25a39d7d56a82c5fb1e5512d10d133d30a6cfeb2dde182f13288e5e0bcab181d9b4636d65db2cf1cc54c834080af0348bcc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe

Filesize
154KB

MD5
e3ca6ba742fba06522ab0fe063c620de

SHA1
58f1e87ae1ac14cf043c1af4c21d00e4197c712b

SHA256
f03771bab23cb012beb6bce3618a45fa6d06e3783a67f5f78bf0d9f41a198079

SHA512
2de5d08a4a33c03f828244705e4dd25a39d7d56a82c5fb1e5512d10d133d30a6cfeb2dde182f13288e5e0bcab181d9b4636d65db2cf1cc54c834080af0348bcc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.ini

Filesize
14B

MD5
7f42e3f3adac5a471dbdb9c349de371d

SHA1
dc5112ac9ed67cfdb96bd385df8b44e0974fb194

SHA256
0fd40e4da610c04c3e8837663ab8a1612c25188300e03f878590f59e1713b774

SHA512
ad9fd32547e8161046ff3368b07200c3490370f88bfdc8fb1b4381ea962c2606686e2fe17b3e6f67ec9121ac853d226b66eb5ac51cae315d23c16f18ec07c2e0

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\data\iot_conf.json

Filesize
189B

MD5
e3e41ec8b95cea12c654a4a298be19a6

SHA1
45e37a784e9dc83e44209bf137fb68fced53394c

SHA256
d26c9c4477cbe8c98acbd579e814879067fbaf2320dd8c1f0308bc300f4d10e6

SHA512
ccc5392ecc3b578a8ee3012b3f14d3fc526e913abe12aaf0abd0cb143a628823b8f0c277f1696c87eac01a3b11bf431f6cc605b97b4426569fad813863194472

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.INI

Filesize
11B

MD5
6a60c1af9c4d177210367f3327b110c7

SHA1
02c2de34b0a2a721a6c5a2f4c3a8efbedef9f781

SHA256
1c75e7cc11f2e97a4aebec0f5facf1ea187e4d1ad327d506acb52d41ede1fdac

SHA512
70f6721e6a9ce6f75009ba0a03d61812afb0bc32e1989dc527738ecc11c7e9b9e13d3a4ea9addefadfda712357ff268bb8bddbca6289ce3b4b4e75921d4ca64f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

Filesize
46KB

MD5
49f6fd3aaaa1cee2aab8d7e1afcbd655

SHA1
c3d08bdd6c9ff0ee82c9b316744fcdbd5c91d7b4

SHA256
6a3c33bf64227327f53adce800d38ef4483f73d900b75a9a5ac059603c782614

SHA512
01ed9a485237424895ca1c35c9484ea1d9ba8ccc57d1194e6f6398a686ef85d4958f3a1b55fa79562aa1da5b4612cec603e3639d9687f8cfd02e439a3262a12d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

Filesize
46KB

MD5
49f6fd3aaaa1cee2aab8d7e1afcbd655

SHA1
c3d08bdd6c9ff0ee82c9b316744fcdbd5c91d7b4

SHA256
6a3c33bf64227327f53adce800d38ef4483f73d900b75a9a5ac059603c782614

SHA512
01ed9a485237424895ca1c35c9484ea1d9ba8ccc57d1194e6f6398a686ef85d4958f3a1b55fa79562aa1da5b4612cec603e3639d9687f8cfd02e439a3262a12d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

Filesize
46KB

MD5
49f6fd3aaaa1cee2aab8d7e1afcbd655

SHA1
c3d08bdd6c9ff0ee82c9b316744fcdbd5c91d7b4

SHA256
6a3c33bf64227327f53adce800d38ef4483f73d900b75a9a5ac059603c782614

SHA512
01ed9a485237424895ca1c35c9484ea1d9ba8ccc57d1194e6f6398a686ef85d4958f3a1b55fa79562aa1da5b4612cec603e3639d9687f8cfd02e439a3262a12d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe.config

Filesize
1KB

MD5
13cfeb2261e4daeaa3c06f7a60078f91

SHA1
d76b6d07d8fec75789025fbab18048ad193b1462

SHA256
6bbdcc477f0c1efbd0129ac7716f96cc2844103169aaebff03d4c8f5c54745d6

SHA512
f804155363feb09427f7c8e968eaaa7dda15f739769864a23c8a0fc9137151a03f02fb30b11f47a69ddcefff02bf933721c3757a3fb78c705d0537205bbd3a92

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll

Filesize
92KB

MD5
90d8a186af3a61219624ab9c0add216e

SHA1
54406883c5a06f6bdc4f605e677ada22f0cba787

SHA256
14d9893b7dc20a7f6694e356dd8626dc99473fedb7cd8d97a7c8fcf8a6e2bb6f

SHA512
ad26dd9a5e7190f190c222f792a4950b3971936d36694f93f74496afd69ca1fb3623d08cdf0b72f5e80edb7cb5776071facc7c30d1b47facdb48635c27e2921e

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll

Filesize
862KB

MD5
742d07a16d0cbc1f51e06105bceb26e1

SHA1
2c46261b744660bea4c2ef66a732cb304c297b35

SHA256
586a9b7e517e3c18924578f469b505658c2daeff7b617c093f64e19aacab738e

SHA512
96519e9b16f4e2c6735f80d8ffb90a7293eab1603f14fd32b0656b43ed3053d1a181413e1929cfc7069cffb38d8cad43e3f112752428a18c650f3301b3fc7f9d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\StructureMap.dll

Filesize
277KB

MD5
2c9fc0dd4287f23c537f9f8bc3255f99

SHA1
54ebb69b0dcfd7bd972744306c5fb7ddd93a1b3e

SHA256
431323a387efe633d6205ce7a6c8a7386ed33010a174e3f249e4cb50f25299ff

SHA512
10b2171c0373a8cb8cd4593e19f7cc0c25006dad8c3a692ea02ece720834a695656b8288090339308ee54c475c5cd4c3a7bbeb6a6712db475fefc7492a68b12f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

Filesize
25KB

MD5
fd9e8a53114dba71999e09386fb6ff83

SHA1
8b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679

SHA256
4a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe

SHA512
4412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

Filesize
212KB

MD5
e984f3c76408989e897cd4068ed5b7d1

SHA1
4318e3da5a0b29afd848f51223612720844475e9

SHA256
934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17

SHA512
811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt

Filesize
2KB

MD5
d011460274793d2b8c93a4eb215f6225

SHA1
87983ffe7d0cb9af60946baff298e7c083e913b5

SHA256
3f9b16b941cafe7997de26577396a7b9b5774ec5f3e1f3a2c1bc6814497b2936

SHA512
ac5e4f7e03e8391d2f3e8b9c67cc5b0a4df74b01a8cd286c80f0b2ddaaa5f663e1f6a5ed1ce3eef3b9f03a6a8ead753755ea079e7c6f2dffc6be20a3f8be0785

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt

Filesize
3KB

MD5
38c09b697c6efa5bf8e98c24a601da86

SHA1
5a03b34d6344e069fa441d9f3adc39ccb005b6ac

SHA256
f8101cba2f101bbf358eaf25e4176427162123fdd33c3824d836c4e6387f5c4b

SHA512
43c0891be4f193c48ab482d967930034cb7471613b95b78a0519870a8cae9a5e002959c7880807c0a603302db0ae0948b588ca0abfd6769c0ee1a4060c946f1f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt

Filesize
4KB

MD5
5a6fe9789a964a40da8039725f191c87

SHA1
cd65bfdb9349b5bb2b45165f9c0ca0be38bf7377

SHA256
a74cbac6f8abff229cfea28374d928dac7d99cfe09edf217c2f991c426e8b943

SHA512
15e06c42e77e0cf3cfe194ac978a43ec59eccb1b688374a6b2d23aad62e8eae30103d8ccea401b2527e5b8ff1533c3d3a47052d132747117908a82568be29807

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

Filesize
31KB

MD5
5c33b399551c1ff47d5486c6556121bb

SHA1
74d49780496b0ed524442aa95f6eb69bc83ded18

SHA256
aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9

SHA512
6f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

Filesize
31KB

MD5
5c33b399551c1ff47d5486c6556121bb

SHA1
74d49780496b0ed524442aa95f6eb69bc83ded18

SHA256
aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9

SHA512
6f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.INI

Filesize
12B

MD5
0a8a4ae0e06afe3edbb1f46b1eb44768

SHA1
ccff9593a9b9a124801c12d58cb65833205f4b70

SHA256
27d4c6308a4659bc8ee2c8c52fcfceff6f97ee27a3f2d4fe33d8f8513a91c31a

SHA512
7f9eeadf4b466be84cce3cd2fcdb1aa795e49f8c69e159619dd48893c7fd46ceacd2e6cc595d6453145dfa9cf42feb242cbdb75b36c06e35024e91eb41eced3e

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Filesize
389KB

MD5
13c1f92cc8fe543485b80f54af8e9e40

SHA1
49bfe22c50f2172497cf7f1df76090b12c56cd5c

SHA256
f438d541fd6caf77ad2e26fa24239a71a2ab03d6842958d0eb41cf60ee31953b

SHA512
609e31eb4581ab7fe30125ec3f7c31e21c19049682b7add4331d41968a54a987acdd96a0a3c75202b561b44f080610acaec7d9051964960d43d0676fb3cd8de0

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Filesize
389KB

MD5
13c1f92cc8fe543485b80f54af8e9e40

SHA1
49bfe22c50f2172497cf7f1df76090b12c56cd5c

SHA256
f438d541fd6caf77ad2e26fa24239a71a2ab03d6842958d0eb41cf60ee31953b

SHA512
609e31eb4581ab7fe30125ec3f7c31e21c19049682b7add4331d41968a54a987acdd96a0a3c75202b561b44f080610acaec7d9051964960d43d0676fb3cd8de0

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Filesize
389KB

MD5
13c1f92cc8fe543485b80f54af8e9e40

SHA1
49bfe22c50f2172497cf7f1df76090b12c56cd5c

SHA256
f438d541fd6caf77ad2e26fa24239a71a2ab03d6842958d0eb41cf60ee31953b

SHA512
609e31eb4581ab7fe30125ec3f7c31e21c19049682b7add4331d41968a54a987acdd96a0a3c75202b561b44f080610acaec7d9051964960d43d0676fb3cd8de0

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

Filesize
1KB

MD5
c6ecf24757926eba64e674bff8b747d1

SHA1
3a46083826c20e8e085c42bbfdfeef4f9e2b90d9

SHA256
c3ec04142c15b0a237e72ce1c3c85d19cd1231b9824f7a9854e7909a74b7becc

SHA512
efabb9883adb098a90115e8938c92b76bbb8d2eb5de170ecfa205ee949a2d722e0f97f6e01f9a71ac8b5fa2108b9ff82fa0171759d50e30d0ab5fc1948bdce15

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db

Filesize
16KB

MD5
69fddf79ff421a23c151de5cce682b4c

SHA1
0d08c0be40c30ab772be8634000a391883b6d19d

SHA256
696ef64b18edc378751c0267b6a92b4c012d17e0651f301d52cdc55f56a3f4d8

SHA512
87583af027f6ada2487812623a0866e6b99adfd13354d53fc564251d1a1b21930f3dbb42d6e69d54f2afcecf5012e87b52e5860df111a566baaccd4d80fd7987

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt

Filesize
7KB

MD5
e013fc09695e13dc82009e4ec9e7feaf

SHA1
d4acd1421bb0df7dd7a6620f150560398e428678

SHA256
5f978533db64f6d9c4fd9991505d50202a9dc202d4eecf14331e0a17a415b691

SHA512
c7e14060adb0e733f4d77e823ea67067cd880470a56bc7ae239409c2b621cb2e7f1194d2094c66b58f6a1d1dcda20a6fb0ef6e4be8745becffbebf9bfcadf020

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

Filesize
187KB

MD5
cb8d366685189bbf05f774f993ee7d8a

SHA1
70d8b754701e6d3da91881648ece548e4d967c1a

SHA256
293d7c3e48116fe5a985911f15128f7067e6e72c7bbe9e6ea86f3c33f3553c7f

SHA512
ac808c13be86e7d1519333bf275cdb24e98444cc712e494903d52b904d9cb9d723f658ccfb1f39deeea3fde2e5cbfcbc0772b6bb5f1a81d4530a083e3f740836

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

Filesize
47KB

MD5
bd468d5f91fe98ce84710a0750676064

SHA1
e213c1ee6041f6523727b3ad2449aac603f65595

SHA256
8f1069fd3fcbe1f9abcac5667a0d2099ec79a7a611ac74e09d687aecb18e07b5

SHA512
cd6c484d71d3f6f4a92ca85d4c26ed71f861d26fd3b5bd700e596833f80705ffde03d4d9b247634ebfd56d4ccc84f374c9ff4ae2beaa216642f15e1a702b9e63

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

Filesize
47KB

MD5
bd468d5f91fe98ce84710a0750676064

SHA1
e213c1ee6041f6523727b3ad2449aac603f65595

SHA256
8f1069fd3fcbe1f9abcac5667a0d2099ec79a7a611ac74e09d687aecb18e07b5

SHA512
cd6c484d71d3f6f4a92ca85d4c26ed71f861d26fd3b5bd700e596833f80705ffde03d4d9b247634ebfd56d4ccc84f374c9ff4ae2beaa216642f15e1a702b9e63

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config

Filesize
776B

MD5
336caa70d9ef388edf8b234e5fc40cee

SHA1
864ccb7643fc99313e5acbeb59d608cd179e01bb

SHA256
9bb07566c5ceaf46cfc1164a63553bb3c00ad8a04138211c6eba81b60f4fe355

SHA512
eb037ff55c7d61a4170a9143b7ba40cc43ddbc9e8df673d7af03548c27c4410f53a5cdfafe8942559b9e5061419512f3c8faa5a6d32ed147dd33f832cf43e637

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe

Filesize
26.7MB

MD5
7cbdcb7e0ad6c186b7129497cf32d70b

SHA1
a23e134bb0b145f96353b40a0423d59fc76ae8d6

SHA256
59f853f718cb9d089e28393443d0db303934822290af4bf4023a0bf419cb0f9c

SHA512
b0fbe2077b8f0195839f0695877bf44c971a753d9c2a41add6e3000bd734a4cb0c6f09e0307442c1f95c7bda9071c2b633ea0f477933e5931f86ed8fe4982852

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

Filesize
53KB

MD5
b7aca4b1a547ca9ba8931fb2f3a8ffe4

SHA1
ade0df9aa1b3419b1f5dca663a5ba86221fca0b9

SHA256
bec6398691bd7290f2b504fffe3271275816af6cb4a481dcecb8325f497a4d80

SHA512
7344734e229ab95bd5764523ab8db72760f71c50e947547daa4dc5668a97f257022f8f864fda38e26f922df3ef16856979bab3785164dc4a3a661e25a2706735

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
65KB

MD5
12026eb1e9a0ea93b5331060ceae5db9

SHA1
f69eb1eac44e3fbb436a58354046c4fd2ea28d44

SHA256
13da459dd9dd937791d19d259861eec6347b318edd82990893fde187c508ece6

SHA512
b4a57399ed75f7d80457ba43db7c3f0ef65ccb355bff73e64e4bddad5a6e26d5fad51db0410a923e6152c3d230883613d8e3f975cd1aea5c72c474f37068346a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
65KB

MD5
12026eb1e9a0ea93b5331060ceae5db9

SHA1
f69eb1eac44e3fbb436a58354046c4fd2ea28d44

SHA256
13da459dd9dd937791d19d259861eec6347b318edd82990893fde187c508ece6

SHA512
b4a57399ed75f7d80457ba43db7c3f0ef65ccb355bff73e64e4bddad5a6e26d5fad51db0410a923e6152c3d230883613d8e3f975cd1aea5c72c474f37068346a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.INI

Filesize
12B

MD5
7ee83499fea6848679d28edc872e7215

SHA1
240baad2aeb0c81851da18e356409c78e2cef5a7

SHA256
158f2ff9e592d4679a7471299f2f3a7aa6968d6779b81655ad1a7ae811948105

SHA512
ed3f4e8726ef683e88f04c6937e82f27e2f67c9316781478b07e5d0c90b061a09a0a5f90ba5a2da65732e9b54654cda4d39556dcbd18dd78bf61cc20c43193fe

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

Filesize
498B

MD5
1819851a638eb6d98a3cc80ac4ad6894

SHA1
b74a8c6c5152c4463e487b88e534afe7144eb832

SHA256
f1d85574d2849984bf608191a519a98b1dd830b023e9430571ea6ea9fb62b981

SHA512
fa6638ea1e921da96a39e31e85ff757e6c9bad92bd997b7a516be5f34d00158bd2fe1367d6d13e22e79e703a1c590286de409c45f28b0c75ded3284a1fcfeb0d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

Filesize
28KB

MD5
c955e047e811602e41556907bbc03133

SHA1
09a9a2e43f8b4eaebe72efd5589598f17bb9ab77

SHA256
d9c521304e7f1167f7886d9bbc6a93d3165ded1c4a994041194bc73fdf0b0266

SHA512
b2b8a2d1b08c14b3afc5e75befb039ab08c7883ef92cbe8b8c64e1bdab7f0c7ddf87a14c3a961e7a8be86b0322a09d7f06b643f78fcc28a0d414e7c48bc011b7

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

Filesize
28KB

MD5
c955e047e811602e41556907bbc03133

SHA1
09a9a2e43f8b4eaebe72efd5589598f17bb9ab77

SHA256
d9c521304e7f1167f7886d9bbc6a93d3165ded1c4a994041194bc73fdf0b0266

SHA512
b2b8a2d1b08c14b3afc5e75befb039ab08c7883ef92cbe8b8c64e1bdab7f0c7ddf87a14c3a961e7a8be86b0322a09d7f06b643f78fcc28a0d414e7c48bc011b7

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.INI

Filesize
12B

MD5
f22ab1e79e12a9c334224d1430e0acc6

SHA1
8a22de0c36533b655a653b3565f31e5c089d79f6

SHA256
6e2ed34eb8144b1ed355e85f82a4963e74965958530d131b122c5583a5a01caf

SHA512
1563cbc91dbbebf792285200c569fffac27bcf5600a77d490067bd2814ab1e94bf6579aae973f18d56b301f78e9a76ff0a9dcd35277b33d4c1cba93ca31ec155

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
ecd142b17df53894c180e22d1c316de1

SHA1
fa475a494f7842a0df33e1da15302b30cb5478c3

SHA256
4437c33c0fc686d7ca5cd73b67cd17206077b233b4561a5998a6abff83c5dc93

SHA512
8a3644a380263e754ceceaf050ea867525a4503ce6436b3d39fd89006a53516f8cadffe866a61d12e31b422edf8793c9a69bf87a6cced366e6be8be30cf74819

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
ecd142b17df53894c180e22d1c316de1

SHA1
fa475a494f7842a0df33e1da15302b30cb5478c3

SHA256
4437c33c0fc686d7ca5cd73b67cd17206077b233b4561a5998a6abff83c5dc93

SHA512
8a3644a380263e754ceceaf050ea867525a4503ce6436b3d39fd89006a53516f8cadffe866a61d12e31b422edf8793c9a69bf87a6cced366e6be8be30cf74819

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
ecd142b17df53894c180e22d1c316de1

SHA1
fa475a494f7842a0df33e1da15302b30cb5478c3

SHA256
4437c33c0fc686d7ca5cd73b67cd17206077b233b4561a5998a6abff83c5dc93

SHA512
8a3644a380263e754ceceaf050ea867525a4503ce6436b3d39fd89006a53516f8cadffe866a61d12e31b422edf8793c9a69bf87a6cced366e6be8be30cf74819

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

Filesize
535B

MD5
d505e3de03f172fa2b246e210054c5f7

SHA1
f5a480f56f760eeba3b29108387e54d70a721127

SHA256
a568f933f09b1ad1ee5e88ddcffa1fe5921d18b73477136e1faee55f2bef399a

SHA512
80f01447b43525dbdf5b283522fe14d9aecef16e55ea3fe36dc0a94b53c49e03bb56136f0911c348fb78fb5af6112b1de7c38cbffbd73acb2971655ef1b2b859

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
a76d4559bb344a7542f94d982a9df2bf

SHA1
21b31f294dc911560a80a74baa62777d63f76022

SHA256
cf8c00f4f6b100256e3a00d4b927027987f31cbcdb4833400541f764a975f877

SHA512
c61ffa67e53b89032eac70b735ec75b8c591b18e22507bced3e146135840a09a127f350992689657c4b9ff81fd541da89bdd0a3c340ab074b4a9e83b753dd07e

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

Filesize
181KB

MD5
325dd5dfbcfa91c2c4a12fe85ff689fe

SHA1
a65ea6431939308c8b98fe50f08d5744992b9e1e

SHA256
b08296b198e6382603fb69a1328f8736110d5ea15ab916892470a43dfdb9d2c1

SHA512
bada1c5010d393ec7c82ab3941624f8bac0940c67624758248b0f5fa8f7ea2b216c45459625cb5a76e3a129d01dc3da0cc16ece45d4dcbd024ea3c23063d2afc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

Filesize
323KB

MD5
8be96daf43333fdf064eecc3448553b3

SHA1
66ded3f48721cfdeb69865b6f4c1c49da16fd6b8

SHA256
f2a7a58ffd46753eb8aba3382279364ee71caaaf4fec7f694d5fad3f6f5bd73f

SHA512
d7fefef4000d98b47037075b3236004743c95ec35f35ad46c37e6ef364c4b182383c62a8a1006e976d6bf5c2511c1da9ecc842714f2771a0eb8d481262fb351c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
4b69cfbd0f0efe9188feb19da1c542d6

SHA1
7a90c027284a74d640947e61b8f45e99438c0e41

SHA256
bcfead40b7eeb5aab0da1eefd8ca25f174bcadac35cd0634573551d6b74d78dc

SHA512
bc4fb1a4f91243f5fbb5279470acd41f88778669e07cae9d4d58e28c8dfaff965fea67e9c969d433f65ea5df104aba17140976d2895fb4bebf2c7dcff3e66f3a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll

Filesize
54KB

MD5
e607fc44193329435021b60177888c96

SHA1
d458135faa3a78ab413987b9990b4d6434fc9075

SHA256
f5f59626e8c3229fb73836e39b3d57e963f9d6caf6321bc48236839dc4dae8a7

SHA512
fd5f89f68efd0ac80f47de5935a06af85465d6e3d75d77664d2ab7843c5fcbeb0c1b7f93786c3183f8cd8d98513b1cbe3039d6d0c9e170b64d475ec069093adc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
5d135f8cc7f7955157e485c872f14c74

SHA1
9dec4875055aec33c1c59b7193d4f882ca4babc4

SHA256
0f413a6682838f86c7425488eb01ed02503815384b60a1432bff75fbfb199478

SHA512
4b7c9746f1ee70bcc43316c4a116e28294b92b53201b763671f5c0e4273767457baac02bb1a79fba09647fd3bca9fa11d7722afcd097a6ac4754c90878b685ce

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
162B

MD5
b1559331fe63a1ae44962144cb44ef48

SHA1
94212f88ffc5a1984f04341d71deac8d14ed065f

SHA256
98e476915e2604013dcdf0e0f7a20045cfe8044284ab1568afdddd2246af7074

SHA512
47bd3c3a0e832d141e1d140c13dd7b97c72f8a3e52a22795e062995a5a69dff1a875e1e08c6a84c602fac4e47745180f498dccc71a185c09928e2cf9c9570fb8

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe

Filesize
9KB

MD5
1ef7574bc4d8b6034935d99ad884f15b

SHA1
110709ab33f893737f4b0567f9495ac60c37667c

SHA256
0814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271

SHA512
947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe

Filesize
10KB

MD5
f512536173e386121b3ebd22aac41a4e

SHA1
74ae133215345beaebb7a95f969f34a40dda922a

SHA256
a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a

SHA512
1efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe

Filesize
76KB

MD5
b40fe65431b18a52e6452279b88954af

SHA1
c25de80f00014e129ff290bf84ddf25a23fdfc30

SHA256
800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e

SHA512
e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3

Filesize
72KB

MD5
2bb3a868e4c4417e2757610f2ee3cb7c

SHA1
095c7a436097b3225db3769b46cffb41f0435554

SHA256
918f4cfa9666b09dd63385e6807e95f4f704a7efd9e3da7d88f9a614b8626ba3

SHA512
7402226fd59b729e025678d2ff59844d804dfa5ccb714e26473a99c05e894c87078291577f7b5d9cab26a09ca733d9e9351ee9beb87c0d20da118b697cc2208c

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe

Filesize
59KB

MD5
c99e96b1e59a66acdb5175367b1de52c

SHA1
1573f27228a3f7d13e172cdb63a661941ed1749c

SHA256
641739066172eefa6b4a74192c1d9a790719a3ac44aa3add259c10deb6a3b2f5

SHA512
711fedc98ce052047b185a55aeea7d752e8c819d86894e1d5d1e82ab5bb0b12cda41cafd80f961fe79bf0e1729a22e9755d3a366f9c7f2e278f0e4e4d1e38837

Download Submit
C:\Program Files\dotnet\LICENSE.txt

Filesize
9KB

MD5
31c5a77b3c57c8c2e82b9541b00bcd5a

SHA1
153d4bc14e3a2c1485006f1752e797ca8684d06d

SHA256
7f6839a61ce892b79c6549e2dc5a81fdbd240a0b260f8881216b45b7fda8b45d

SHA512
ad33e3c0c3b060ad44c5b1b712c991b2d7042f6a60dc691c014d977c922a7e3a783ba9bade1a34de853c271fde1fb75bc2c47869acd863a40be3a6c6d754c0a6

Download Submit
C:\Program Files\dotnet\ThirdPartyNotices.txt

Filesize
78KB

MD5
f77a4aecfaf4640d801eb6dcdfddc478

SHA1
7424710f255f6205ef559e4d7e281a3b701183bb

SHA256
d5db0ed54363e40717ae09e746dec99ad5b09223cc1273bb870703176dd226b7

SHA512
1b729dfa561899980ba8b15128ea39bc1e609fe07b30b283001fd9cf9da62885d78c18082d0085edd81f09203f878549b48f7f888a8486a2a526b134c849fd6b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
133KB

MD5
a90579f241ab4d4d83b3a6f234d9472c

SHA1
8d7a563343761b77b57e1f4af440156862e7722c

SHA256
a54b4a3f19be39922488d86417824194c7dc5adc4493c37f87133fd3fc80948f

SHA512
2554aa432615939e77925363824527086f556e3eea53e26f79864834f879c8728cfe1458079b590053208e44a0eb4966361b3d85b173b09807cdc7a43a9687b0

Download Submit
C:\ProgramData\Splashtop\Common\Event\stevt_srs.dll

Filesize
27KB

MD5
29f288f751fbcea5cd75ea9774882787

SHA1
5a4c30382c63e29e848b681d39cc213c2198e12e

SHA256
711702eb24803788ce601996f90b7ef57eef1f764f7aaf3a96e2196ed4a9533e

SHA512
b7fc0a739b33e79232ef506393cf90297f4d41f165f34b5be50648d8a1967419e1f0ee369e809d5c142898824e8b5a3784106d33a2d1d72cd811d5352f4bbd60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
1c9a5cef19f91d0601eaba97786d650f

SHA1
1088ab163799ce0d1ff1820a0ec4bf82005038ff

SHA256
8a87e189fba9f73b1192bc9b7a8854daeb9b7b2eaed35f223e678e41249e3514

SHA512
303572562ee9a50fe99fe74d5d8aeae5b7269a6ec35fb0871e3d0b203771a70450e516a804c6e56963450dc6b48d9ca47721c27ea65561cbac2746356ff4ef11

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9

Filesize
727B

MD5
c876a28c8d42c6e2a3ad0519f688cefe

SHA1
16d187a66b2c3968d3183ac169f57f5731d90619

SHA256
d5da1d1374aa110907b2ed8e812c3b6748710dca8481d8b6d0dd7bfce11609a7

SHA512
4dd26d5411e3635debd6e97b999f868c30194dbd768252c02ed5fd03987be7504634bc76d8f45a40f2c2260ee4c1454e652ebe366ad7acbc1336d6f5d84c125d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
70756448df9d2671799e3f2a30c5ddc5

SHA1
dadb4aaf07e19482c000b0b5542bd4554f33c89b

SHA256
14a513f6e7c3b9ff01e9f1ae345fe088ecb68533aa902e336b589d17d234aec2

SHA512
76c078d4cdc793e29359a0cfc409878ba1d7341f8c5b1cf8352c7a47d9b529a60dca29c51f29320ca64279293fb14b35e9cd520ae7a5b66d7dea465cd098a54e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
b7ebf99e200cd50f377591e6bc9d1eb7

SHA1
011428bd0cc4aed8c8bcc57757695c618102b9c2

SHA256
34bd7645e8223e1122bcea2f6553f64e72626850cbfe6eef4936da10c41f60d4

SHA512
24b74513e10008e699d1aa838bde574bdffa9159ea94d2631d896010613aa27cd421a664e5f9579f879044c156293e1f0904094798e2f37e2ab2229360ef15d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9

Filesize
408B

MD5
3500b5d764ee71a12a1fb7d4ec8e4f97

SHA1
462a1ede91565927e054b659a7ac2438166d6772

SHA256
f0fad8aa8716e0368e6bb12e343b4bfb63b88436f9bcf3710134fffa89bb7d8c

SHA512
b552740e35dd2d954ac8546991eb6b866cbc7aa03de10f911313625dd1cca6463354252464f8007e4ad2bf471d6b804070c53daada103b184d5022cf21781df4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
5f26013189a6fffb739006ddbc8680a2

SHA1
6c826d7938d2bcbcb0d1d4fa75a7faf94dcf3d79

SHA256
60651e239a1b0edd87002c8ba1fe5525bf7a7486ae6a323f026797cde4bc59b2

SHA512
73c4c12a760a9b677c27c9582431e80d85f744882a879a0632b1e5d342789c098dddb070aeaaa9b72ca4a66d392b9292989273f9ef644ce527becd8100063ef0

Download Submit
C:\Windows\Installer\MSI11D1.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI11D1.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI1471.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI1471.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI1471.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI50C.tmp

Filesize
296KB

MD5
b7d7680522435d9b46b6910c097fff55

SHA1
97096854be4279fbe8df73ba1623aa4483a89f14

SHA256
5dff784a94991e0522bd6b8b7e6c80277df8765ee86eb91dcfd1cac3b2820978

SHA512
707369839f0cfe750b9062d2fe2f91c44134d0b58f22075c2cfdcd4b42a3abb43b49913dfaa55fbc0180c9c4e8ab3220ecfa5b2cdccfaa45913a5dc56770ce6b

Download Submit
C:\Windows\Installer\MSI50C.tmp

Filesize
296KB

MD5
b7d7680522435d9b46b6910c097fff55

SHA1
97096854be4279fbe8df73ba1623aa4483a89f14

SHA256
5dff784a94991e0522bd6b8b7e6c80277df8765ee86eb91dcfd1cac3b2820978

SHA512
707369839f0cfe750b9062d2fe2f91c44134d0b58f22075c2cfdcd4b42a3abb43b49913dfaa55fbc0180c9c4e8ab3220ecfa5b2cdccfaa45913a5dc56770ce6b

Download Submit
C:\Windows\Installer\MSI50C.tmp

Filesize
296KB

MD5
b7d7680522435d9b46b6910c097fff55

SHA1
97096854be4279fbe8df73ba1623aa4483a89f14

SHA256
5dff784a94991e0522bd6b8b7e6c80277df8765ee86eb91dcfd1cac3b2820978

SHA512
707369839f0cfe750b9062d2fe2f91c44134d0b58f22075c2cfdcd4b42a3abb43b49913dfaa55fbc0180c9c4e8ab3220ecfa5b2cdccfaa45913a5dc56770ce6b

Download Submit
C:\Windows\Installer\MSI50C.tmp-\AlphaControlAgentInstallation.dll

Filesize
18KB

MD5
c64ebf8545dc18dddf755762d1b9e7d1

SHA1
91aeab36a5efe0c92bb443e442f3d482157817a3

SHA256
3f82fea701fea5832cdcfa48f0e480bebc9e0080b212b3896bec09b335640e32

SHA512
e3dddfd262e2edd63cb461776d4bafb54583047f09f75123daba3f4c753b22fbd2f13f28b18b39740371c95564112fa381851d793e8e188fa3e7cd46bc47a8e7

Download Submit
C:\Windows\Installer\MSI50C.tmp-\AlphaControlAgentInstallation.dll

Filesize
18KB

MD5
c64ebf8545dc18dddf755762d1b9e7d1

SHA1
91aeab36a5efe0c92bb443e442f3d482157817a3

SHA256
3f82fea701fea5832cdcfa48f0e480bebc9e0080b212b3896bec09b335640e32

SHA512
e3dddfd262e2edd63cb461776d4bafb54583047f09f75123daba3f4c753b22fbd2f13f28b18b39740371c95564112fa381851d793e8e188fa3e7cd46bc47a8e7

Download Submit
C:\Windows\Installer\MSI554A.tmp

Filesize
225KB

MD5
d711da8a6487aea301e05003f327879f

SHA1
548d3779ed3ab7309328f174bfb18d7768d27747

SHA256
3d855b58ce7da9f24f1bef8d0673ba4a97105a7fd88433de7fb4e156b4306283

SHA512
c6d1c938e8a0acf080dcab1276d78237e342a98772e23ac887b87a346878c376fb0af8364e52a36c5b949005aa3218308bc6193f8b580f622ef39d9955c7c681

Download Submit
C:\Windows\Installer\MSI6979.tmp

Filesize
4.5MB

MD5
dcf1c5be73edef9f4969109f9ba5147d

SHA1
8ce70c29fffd8ecd54fab1ab5d021f4be7960a3e

SHA256
3b26989d2114f3f21ded0a4838643c629c550bc2fe01fa9147fced0ac5223e74

SHA512
cd72ee30040f84fe6c7077de2697a2ff1ccf787f434eaf33cfca10c39ceb1534b869c69496cd168c50c7cd348e1b36743dd305757dd2bd2eba09a02a132d07e1

Download Submit
C:\Windows\Installer\MSIBB5.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSIBB5.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\e580431.msi

Filesize
2.6MB

MD5
650eac6e0151ca012d04dfd8842c5faa

SHA1
b7a4e282797aa11ae9c8b6f0ec425954d66309c8

SHA256
7105347cf337b515841a7296f45179ba33cf99d96afdd3480a6f7919f5ccbcb5

SHA512
b81dbb86366020489a4793765a8c337ef90738863082bfcf632813df6d06d70e8c71df2f51aa6b8758d7d4d10d91f7672995ce068ee2bdd1625430560b77dde0

Download Submit
C:\Windows\Installer\e580438.msi

Filesize
47.3MB

MD5
92a47f95f326cd152a37d645de986a70

SHA1
af1a584c076549e102a7d6680dc87659c107bbc0

SHA256
3a63472cab8a7d175db712bf8c52ef0c472f050137331daddba3e886634348b2

SHA512
b061bac51428d48416dd634c2f1fae2e89ecb419300283a56ff9585ffcaa9a64274444262ebca3b8d26d02246c49c79020e95961979cc2ff0c85091c0151cc26

Download Submit
C:\Windows\Installer\e58043a.msi

Filesize
25.7MB

MD5
c91d74f41cd6760829076752ead92560

SHA1
c903dfadf85025b9c02a65b9a4382ea85c5a460a

SHA256
c667c83c12109e96a025d5b1394a1d3cda3df4a520bcc73c7cef373f0e4088e5

SHA512
2520c30df18d63f92b83fbac107109122da81ea0db336a179a6673170e32d840ff67e673119bd2d4c6c86541d646248488d2410f1072ed69f51369ac8a51a918

Download Submit
C:\Windows\Installer\e58043f.msi

Filesize
804KB

MD5
c6de3476cf791eb894a55334b636763d

SHA1
b2d5ccbe7270378caa69488629df240be84a91de

SHA256
dea630108cd4a2b1a9777b9958c2e4fa7416b315d19646c46195c431c5b432a1

SHA512
50a7c2897975c277b1265c0d7c6419c14cec78e1910374af836550ac5ea064d33507809a11c917d67614ed1234b42b5d860d7ae943b5a3ca11ea8b32f62a221a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
1KB

MD5
d91299e84355cd8d5a86795a0118b6e9

SHA1
7b0f360b775f76c94a12ca48445aa2d2a875701c

SHA256
46011ede1c147eb2bc731a539b7c047b7ee93e48b9d3c3ba710ce132bbdfac6b

SHA512
6d11d03f2df2d931fac9f47ceda70d81d51a9116c1ef362d67b7874f91bf20915006f7af8ecebaea59d2dc144536b25ea091cc33c04c9a3808eefdc69c90e816

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4

Filesize
1KB

MD5
78f2fcaa601f2fb4ebc937ba532e7549

SHA1
ddfb16cd4931c973a2037d3fc83a4d7d775d05e4

SHA256
552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988

SHA512
bcad73a7a5afb7120549dd54ba1f15c551ae24c7181f008392065d1ed006e6fa4fa5a60538d52461b15a12f5292049e929cffde15cc400dec9cdfca0b36a68dd

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
308B

MD5
f129fbb93b9aeba46c739389e4c01704

SHA1
438e443674133fea1478a36c453ace12407b99bf

SHA256
caf0e36d9a820bd25cdb7161a2a07e062cdaf37deb3073f77701c8ebaf192d77

SHA512
65fb7e3681a7671e731f9380c56303836959c1b44711e838d13e56d7ad911b164965feb4061ac2e82503893d13c1a4bdb62adbb0c0dcf1453ece68205a47b632

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1

Filesize
308B

MD5
96342a897aba3ab8426f37bbf0aa7594

SHA1
ae4dc6a0f382fb8065bc0be701b5ac22ea5be654

SHA256
04f746104af972dbca81ef61d173fbbd5d9a5d0cbaac5abad5facfb1d5472aa1

SHA512
bb4b48e701799846029a917336042564b6c29a4047058d8666edec991a3126ce6e81acab95a75a422f7c7d9f8112446536a1933030dc30999bb2c1579f284a1a

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
58359f5337df9f071226a706f7316f55

SHA1
c92d12af68ef33d6dadb30f347b3fe2ee28f3e61

SHA256
9a4ef811b558304006206d2ba7db8e80d8c55c61addd13ca9c3c1f3540d1f958

SHA512
83ed7284cba40a8e7532909ebd9efe0f980245b0e6f50e3a7d7d455cb958233a97c83f65b67cacc1fb181138d348e418bf80b91eafd9fbd840d8eee4cb8924d4

Download Submit
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4

Filesize
254B

MD5
58359f5337df9f071226a706f7316f55

SHA1
c92d12af68ef33d6dadb30f347b3fe2ee28f3e61

SHA256
9a4ef811b558304006206d2ba7db8e80d8c55c61addd13ca9c3c1f3540d1f958

SHA512
83ed7284cba40a8e7532909ebd9efe0f980245b0e6f50e3a7d7d455cb958233a97c83f65b67cacc1fb181138d348e418bf80b91eafd9fbd840d8eee4cb8924d4

Download Submit
C:\Windows\Temp\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
ecd142b17df53894c180e22d1c316de1

SHA1
fa475a494f7842a0df33e1da15302b30cb5478c3

SHA256
4437c33c0fc686d7ca5cd73b67cd17206077b233b4561a5998a6abff83c5dc93

SHA512
8a3644a380263e754ceceaf050ea867525a4503ce6436b3d39fd89006a53516f8cadffe866a61d12e31b422edf8793c9a69bf87a6cced366e6be8be30cf74819

Download Submit
C:\Windows\Temp\InstallUtil.log

Filesize
4KB

MD5
8abd426a16aae9f51c58a2c4f1335a35

SHA1
1a31b7ed698d312c32556adf97f4c84695ee6c42

SHA256
826d58efa80eba88033a9c9205fac0474fb95ae29ea3ebc00181360cb7ed4e0f

SHA512
69741dca675903a959ac345c0aab781d42a9b496b2a91ac18c0ef7b1c7ce7bae4df6a1c87cce620fc362482c4d837ce9afd4f3710a44d1d50ff7fa638e597bc5

Download Submit
C:\Windows\Temp\PreVer.log

Filesize
2KB

MD5
7f6be7dbfe1cc9eb3a75f4d242112443

SHA1
7018b3187cd7e730bd17c6e5fba015db2f9349b0

SHA256
1154d3ae7f934bf2a93fa3c7d872a6274a94e305fc7393f653c92e984cfc80bf

SHA512
a1feea20eb1a575d5c6c517b6a7e949d21ee078f4c083e9e765fa0e251bf54999bfb6c1be11e4c436742fee6042d8edbe7fe3c67fd81d585a5fae05920d8353e

Download Submit
C:\Windows\Temp\Tmp9BA5.tmp

Filesize
3KB

MD5
560af444a6a7faa0b0ca94dc16ca2a58

SHA1
df31453fafde354870a0a9a8ca50b18e284c32e4

SHA256
94739ca46676bd602a78671257fbfce39feaabc9664c6326bf4970a0108e3429

SHA512
7c853176c088d56a517e52c6687b6debf08f6f9726376720ade9d13fafc9be0ca72f0f2b35562a61ece653aeb789c838c60447f463b2bbe70c21bfc8c039b681

Download Submit
C:\Windows\Temp\nsyAFE0.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Windows\Temp\unpack.log

Filesize
2KB

MD5
f699afbf14b8d2d25e39ad0f98bda23f

SHA1
bfb3cf3e8efd86fd882f8a42cc7b90a5e2e112ba

SHA256
2ab73e0cf7ab725f3c10562c5f83f2eb9578721ecfd45cf32a3811cbf2b565d7

SHA512
5532ac8cd3f932419182428f57e5ef64f4f8f91fb388b7c10c19506de196b84c19fdc21f29f9411497dd06ef7060e9e815411a7ef59e4fb273d0869fae56fde0

Download Submit
C:\Windows\Temp\unpack.log

Filesize
4KB

MD5
b96640259879d928c8708fd1c58b1d0b

SHA1
83afdbc7f7138c1c4896a5c01cc18b2d52d56bd6

SHA256
c4ef569e220490e6316b80f0ac5fdf2031a2abc718672e581d7193881f8869a8

SHA512
a3c680d8c5f65f964d0e63eb749536e755e89bc002cbf07c918c74f445c3d0679f04afcace9b132e9b7643cb282874dea9dbba8bd83cc7db5f4bcdcc250dc649

Download Submit
C:\Windows\Temp\unpack\PreVerCheck.exe

Filesize
1.7MB

MD5
351e3a4ec04587153ecb8884dfec5a3d

SHA1
17fb16e611e681420617220233d4accc63fbd68e

SHA256
220141e9aaa99808db4451f4dc3a81aa659811cc2e9d637e458749fc98bf89f3

SHA512
5d19efdda526ac9be9f68d195461e63d73eaa76be2908a9d6e1da396c25141cba8e8ba0d369ad240351ea0195d3aa839789610f7f855b7f76cbf3c401b00d42b

Download Submit
C:\Windows\Temp\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\IsConfig.ini

Filesize
538B

MD5
86fb4a915929524f76a887a37490a470

SHA1
95c2d8d4879c0ecef89f377be83c25d5f2ea992c

SHA256
26be6365339c243b58c20f942fee384ecd0897cf8a89e787410bc8927fff3e09

SHA512
90457e5728c9467dbe1e57112674d944c0fa0a77099fbd3dc487a949c74c154a9342231c999bf93bde33054801fbfccd1cb0bc81dd7a40012a67297d334e5f76

Download Submit
C:\Windows\Temp\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\String1033.txt

Filesize
181KB

MD5
f6e8b3a854b72500091ea75e6fabfabc

SHA1
8302691f421300d09ecaa527bb0eafe142efbb86

SHA256
78f8dde46e879f7692af0d4ecef489e621fc0ed061baa6ad7d72f17863368087

SHA512
900ef19d5db93afee5297b00dc230a9faf3c4bd3657f2ec39203422cd285799957cc86a63a348da59b0a99fb60e71395e8923a8d32b9ee60a7129c6017cdcd17

Download Submit
C:\Windows\Temp\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\_is117C.exe

Filesize
179KB

MD5
7a1c100df8065815dc34c05abc0c13de

SHA1
3c23414ae545d2087e5462a8994d2b87d3e6d9e2

SHA256
e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

SHA512
bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

Download Submit
C:\Windows\Temp\{22B18DAD-952B-4CF6-9F04-999DDC2F2D93}\setup.inx

Filesize
343KB

MD5
e1bfed7bf9459e0df6522b6b794ebea4

SHA1
88da94524f008b3ba838dea3cffc63d472dfebec

SHA256
4f3e5c1b593c01a0bb49159deb17fb82a883e55104f8f323cc29bea9e7163023

SHA512
ea181f4041e183b8c3ca6fdb5a554a75d611be2f723cde220ffb8913024da5bdb4ee08b8aeeb606c52223e4b6e384192067d7eebc78f745fc63cb9481e3951d5

Download Submit
C:\Windows\Temp\{65D8CC86-5897-45B8-BA77-066653FE5641}\ISRT.dll

Filesize
427KB

MD5
85315ad538fa5af8162f1cd2fce1c99d

SHA1
31c177c28a05fa3de5e1f934b96b9d01a8969bba

SHA256
70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

SHA512
877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

Download Submit
C:\Windows\Temp\{65D8CC86-5897-45B8-BA77-066653FE5641}\_isres_0x0409.dll

Filesize
1.8MB

MD5
befe2ef369d12f83c72c5f2f7069dd87

SHA1
b89c7f6da1241ed98015dc347e70322832bcbe50

SHA256
9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131

SHA512
760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b

Download Submit
C:\Windows\Temp\{70BA51D4-E441-47AE-88C2-061E6B95BD64}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{70BA51D4-E441-47AE-88C2-061E6B95BD64}\.be\dotnet-runtime-6.0.13-win-x64.exe

Filesize
609KB

MD5
7fc7feff419ae763ddee6799c273f627

SHA1
95a73d59edd7bf46a188675c27dfc6706a978c8a

SHA256
d40e53e227fd65afd42c5178ea75737b6082763773a48fd4ce79a296c366a288

SHA512
f3514ceee0b72c00ebd13f28bb4db5e7db231153cb894cd04039857d30ff04ad6934c1ecc26c872af55951588b27f5a4e71139c479a659ea5516213ba0613f04

Download Submit
C:\Windows\Temp\{73F5B2E0-9386-496E-BA91-DB70F5ECB684}\.ba\1033\thm.wxl

Filesize
5KB

MD5
f44c2959eeeff784d8aca917a909d906

SHA1
6eb702ff663a96eb915c31402345fab970d389d6

SHA256
835aa38b22480e84ccdf9f925ef2cd640e015bc2077674a6313c5175ea3db5be

SHA512
5ce766ad44454efd56f05461cb2ba019da0eacbdf938e8e803bd9296a48dd8eb7dc47d602a4ca9b210839a6e58fc19ea7ae1d9ef5f1f07b4cc6297214733496e

Download Submit
C:\Windows\Temp\{73F5B2E0-9386-496E-BA91-DB70F5ECB684}\.ba\wixstdba.dll

Filesize
197KB

MD5
4356ee50f0b1a878e270614780ddf095

SHA1
b5c0915f023b2e4ed3e122322abc40c4437909af

SHA256
41a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104

SHA512
b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9

Filesize
727B

MD5
c876a28c8d42c6e2a3ad0519f688cefe

SHA1
16d187a66b2c3968d3183ac169f57f5731d90619

SHA256
d5da1d1374aa110907b2ed8e812c3b6748710dca8481d8b6d0dd7bfce11609a7

SHA512
4dd26d5411e3635debd6e97b999f868c30194dbd768252c02ed5fd03987be7504634bc76d8f45a40f2c2260ee4c1454e652ebe366ad7acbc1336d6f5d84c125d

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
70756448df9d2671799e3f2a30c5ddc5

SHA1
dadb4aaf07e19482c000b0b5542bd4554f33c89b

SHA256
14a513f6e7c3b9ff01e9f1ae345fe088ecb68533aa902e336b589d17d234aec2

SHA512
76c078d4cdc793e29359a0cfc409878ba1d7341f8c5b1cf8352c7a47d9b529a60dca29c51f29320ca64279293fb14b35e9cd520ae7a5b66d7dea465cd098a54e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9

Filesize
408B

MD5
b020e5f00e21c82a7cc6cef942470619

SHA1
6a6a6aedf69930acf8e2abdadbc559a58f75cd3d

SHA256
47acf2d1f4ddd1b6bb1ec6f0b8513e9e0093f9688fab17616640ef2ee12d2cdf

SHA512
592edb731590c8f99e9ecffd4f236816a5cd8b85b74d49a2a8ce9cc67fcca4d8492c5f5e4360573fd4a894ea50d732d90e59b9587c6a77b1c09829d335d770d9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
ca3c91251380661120e1f1957c72728c

SHA1
00949d1fef8c4285a1db644e06823833f7712808

SHA256
929c41caebdc383d2b4c1841eca7c24b100484efb90f323391ac0116179207d3

SHA512
1955257ec7f48d952ceca0721c4ce1a8e2cf995d57efd827c486e246b1f683fda2cda9e9cf05cf0857fbcab895f03512cb50dfe75fb85972afc606e3974c18a2

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
c828a26ad185f3b02f2bc5ab49448c1d

SHA1
f41d91fe7c05471a57483198880ee285e442f3c7

SHA256
003870056688e25d610741c837f6749f2ce22fd6669e2ed73f35e99eb1ef9f1c

SHA512
fe3872cff996de2618ccb1e3c139a1ffe11f252d8da7796d592944981e25ca9358199338a3f6838b6717f3f038e054dae65c73d0aa924e6260636b535e3e5c51

Download Submit
\??\Volume{6814a8cd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{51271240-8b70-4e10-9586-ee0520de0e9a}_OnDiskSnapshotProp

Filesize
5KB

MD5
11e4d0f55e6a80aab54923a6c325ffbe

SHA1
97d75439042d9b9798cfc8399346f9878b4fffce

SHA256
45404378499e136a94f2d8348fa13167c9a5540b075268edae33eecf189abb0f

SHA512
8925a04a52592d930b5cb7c46c38807178549425fa5b0cc6479f920e46884fc7a1043ae60ef9fea320cea7bdcb954ea32e6c9a864dedfeeedc95e495baab4c1b

Download Submit
memory/228-769-0x0000020999C90000-0x0000020999C9C000-memory.dmp

Filesize
48KB

Download
memory/228-782-0x000002099A650000-0x000002099A69A000-memory.dmp

Filesize
296KB

Download
memory/228-780-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/228-790-0x000002099A4E0000-0x000002099A4FC000-memory.dmp

Filesize
112KB

Download
memory/1172-767-0x000001833ACD0000-0x000001833ACE4000-memory.dmp

Filesize
80KB

Download
memory/1172-795-0x000001833B0B0000-0x000001833B0CC000-memory.dmp

Filesize
112KB

Download
memory/1172-787-0x0000018353EB0000-0x0000018353F62000-memory.dmp

Filesize
712KB

Download
memory/1408-763-0x0000026CFF730000-0x0000026CFF75C000-memory.dmp

Filesize
176KB

Download
memory/1408-779-0x0000026CFFBF0000-0x0000026CFFCA0000-memory.dmp

Filesize
704KB

Download
memory/1408-778-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-150-0x0000022615210000-0x0000022615220000-memory.dmp

Filesize
64KB

Download
memory/1512-157-0x000002262E9D0000-0x000002262EA08000-memory.dmp

Filesize
224KB

Download
memory/1512-128-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1512-130-0x0000022615210000-0x0000022615220000-memory.dmp

Filesize
64KB

Download
memory/1512-135-0x000002262DB10000-0x000002262DBC2000-memory.dmp

Filesize
712KB

Download
memory/1512-139-0x000002262DAA0000-0x000002262DAC2000-memory.dmp

Filesize
136KB

Download
memory/1512-149-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/1712-786-0x00000213F7560000-0x00000213F7612000-memory.dmp

Filesize
712KB

Download
memory/1712-777-0x00000213DEBF0000-0x00000213DEC00000-memory.dmp

Filesize
64KB

Download
memory/1712-798-0x00000213DEC20000-0x00000213DEC3C000-memory.dmp

Filesize
112KB

Download
memory/1712-762-0x00000213DE3C0000-0x00000213DE3D0000-memory.dmp

Filesize
64KB

Download
memory/2240-1910-0x0000000003FE0000-0x00000000041A7000-memory.dmp

Filesize
1.8MB

Download
memory/2240-1762-0x0000000003FE0000-0x0000000004032000-memory.dmp

Filesize
328KB

Download
memory/2240-1737-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2240-1667-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/2240-1002-0x0000000003840000-0x0000000003A07000-memory.dmp

Filesize
1.8MB

Download
memory/2240-1605-0x0000000003880000-0x0000000003A47000-memory.dmp

Filesize
1.8MB

Download
memory/2884-724-0x0000015A2C680000-0x0000015A2C69C000-memory.dmp

Filesize
112KB

Download
memory/2884-722-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/2884-735-0x0000015A45000000-0x0000015A450B2000-memory.dmp

Filesize
712KB

Download
memory/2884-711-0x0000015A2BE40000-0x0000015A2BE50000-memory.dmp

Filesize
64KB

Download
memory/2884-761-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-38-0x00000215B82A0000-0x00000215B82CE000-memory.dmp

Filesize
184KB

Download
memory/3052-40-0x00000215B8260000-0x00000215B8270000-memory.dmp

Filesize
64KB

Download
memory/3052-39-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3052-44-0x00000215B8270000-0x00000215B8278000-memory.dmp

Filesize
32KB

Download
memory/3052-45-0x00000215B8260000-0x00000215B8270000-memory.dmp

Filesize
64KB

Download
memory/3052-46-0x00000215B8260000-0x00000215B8270000-memory.dmp

Filesize
64KB

Download
memory/3052-47-0x00000215B8260000-0x00000215B8270000-memory.dmp

Filesize
64KB

Download
memory/3052-57-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3296-1945-0x0000000001270000-0x00000000012C8000-memory.dmp

Filesize
352KB

Download
memory/3296-1947-0x0000000001C30000-0x0000000001C82000-memory.dmp

Filesize
328KB

Download
memory/3372-702-0x0000027A358C0000-0x0000027A358D0000-memory.dmp

Filesize
64KB

Download
memory/3372-721-0x0000027A36100000-0x0000027A3611C000-memory.dmp

Filesize
112KB

Download
memory/3372-715-0x0000027A36180000-0x0000027A361CA000-memory.dmp

Filesize
296KB

Download
memory/3372-707-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3372-772-0x0000027A4EBF0000-0x0000027A4ECCC000-memory.dmp

Filesize
880KB

Download
memory/3372-734-0x0000027A4EAE0000-0x0000027A4EAF0000-memory.dmp

Filesize
64KB

Download
memory/3376-2691-0x00000000730E0000-0x0000000073331000-memory.dmp

Filesize
2.3MB

Download
memory/3376-2024-0x00000000730E0000-0x0000000073331000-memory.dmp

Filesize
2.3MB

Download
memory/3416-776-0x000001F92C050000-0x000001F92C102000-memory.dmp

Filesize
712KB

Download
memory/3416-771-0x000001F913680000-0x000001F91369C000-memory.dmp

Filesize
112KB

Download
memory/3416-758-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3416-740-0x000001F912E40000-0x000001F912E4E000-memory.dmp

Filesize
56KB

Download
memory/3416-796-0x000001F92C2F0000-0x000001F92C300000-memory.dmp

Filesize
64KB

Download
memory/3800-87-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3800-86-0x00000222ACDD0000-0x00000222ACDF6000-memory.dmp

Filesize
152KB

Download
memory/3800-133-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/3800-783-0x00000213214D0000-0x0000021321508000-memory.dmp

Filesize
224KB

Download
memory/3800-88-0x00000222C7470000-0x00000222C7480000-memory.dmp

Filesize
64KB

Download
memory/3800-105-0x00000222AEA00000-0x00000222AEA3C000-memory.dmp

Filesize
240KB

Download
memory/3800-104-0x00000222AE980000-0x00000222AE992000-memory.dmp

Filesize
72KB

Download
memory/3800-100-0x00000222C7290000-0x00000222C7328000-memory.dmp

Filesize
608KB

Download
memory/3888-2015-0x0000000001C00000-0x0000000001C52000-memory.dmp

Filesize
328KB

Download
memory/4120-784-0x0000021807EC0000-0x0000021807EF2000-memory.dmp

Filesize
200KB

Download
memory/4204-789-0x000001DE7FDD0000-0x000001DE7FDE0000-memory.dmp

Filesize
64KB

Download
memory/4204-766-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download
memory/4204-764-0x000001DE7FBE0000-0x000001DE7FC2A000-memory.dmp

Filesize
296KB

Download
memory/4204-781-0x000001DE7FC30000-0x000001DE7FC7C000-memory.dmp

Filesize
304KB

Download
memory/4204-773-0x000001DE67370000-0x000001DE6738C000-memory.dmp

Filesize
112KB

Download
memory/4204-739-0x000001DE66AD0000-0x000001DE66B36000-memory.dmp

Filesize
408KB

Download
memory/4744-788-0x000001D9A4BA0000-0x000001D9A4BAA000-memory.dmp

Filesize
40KB

Download
memory/4944-785-0x0000018775230000-0x00000187752B6000-memory.dmp

Filesize
536KB

Download
memory/4944-768-0x0000018774790000-0x000001877479A000-memory.dmp

Filesize
40KB

Download
memory/4944-774-0x00007FFDDADF0000-0x00007FFDDB8B1000-memory.dmp

Filesize
10.8MB

Download