Analysis
max time kernel: 149s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16/10/2023, 11:51
Static task: static1
Behavioral task: behavioral1 (sample a.msi, resource win7-20230831-en)
Behavioral task: behavioral2 (sample a.msi, resource win10v2004-20230915-en)
General
Target: a.msi
Size: 632KB
MD5: 31b8bb512a0f8c74461b4c6ae28cc5ef
SHA1: f36be96e0f28edfcc5a232e9c4dfcdad0e94c151
SHA256: 7ff41b06ca3f24829baf4f67bc669be8421f70895dc1734b24948bd5f74beaf4
SHA512: e2e86f0985016c44e347990166d7038829cc4593289d0fe8db1402bd039433243229b1dd4639f5aa81106a0fa9e1944163d001e114b11ef156bde3917304392e
SSDEEP: 12288:0s+WC8R/Mn4c6b3Diy95fP701DpHyNRAX7PaeAkCP437+8jOZy2KsGU6a4Ks:WWrBMnsO85fP701DhyHreAzgLhOE2Z39
Malware Config
Signatures
Downloads MZ/PE file
Executes dropped EXE (59 IoCs)
pid   Process
4688  AteraAgent.exe
3808  AteraAgent.exe
4936  AgentPackageAgentInformation.exe
4996  AgentPackageAgentInformation.exe
4468  AgentPackageAgentInformation.exe
3736  AgentPackageHeartbeat.exe
5072  AgentPackageAgentInformation.exe
4940  AgentPackageUpgradeAgent.exe
4880  AgentPackageSTRemote.exe
960   AgentPackageRuntimeInstaller.exe
4676  AgentPackageMonitoring.exe
4128  AgentPackageInternalPoller.exe
452   AgentPackageMarketplace.exe
5064  AgentPackageUpgradeAgent.exe
4212  Agent.Package.Availability.exe
4600  AgentPackageADRemote.exe
632   AgentPackageTicketing.exe
3616  AgentPackageProgramManagement.exe
1632  AgentPackageOsUpdates.exe
5072  AgentPackageAgentInformation.exe
1612  SplashtopStreamer.exe
1956  PreVerCheck.exe
3912  6-0-13.exe
4376  6-0-13.exe
5020  dotnet-runtime-6.0.13-win-x64.exe
2280  _is10EE.exe
2148  _is10EE.exe
4596  _is10EE.exe
3904  _is10EE.exe
2504  _is10EE.exe
4768  _is10EE.exe
1196  _is10EE.exe
5144  _is10EE.exe
5176  _is10EE.exe
5208  _is10EE.exe
5136  AgentPackageHeartbeat.exe
5480  _is5981.exe
5432  _is5981.exe
5548  _is5981.exe
5760  _is5981.exe
5820  _is5981.exe
4128  _is5981.exe
5844  _is5981.exe
2444  _is5981.exe
4816  _is5981.exe
5940  _is5981.exe
2144  _isA149.exe
2352  _isA149.exe
5308  _isA149.exe
1444  _isA149.exe
2908  _isA149.exe
2860  _isA149.exe
2620  _isA149.exe
4588  _isA149.exe
5448  _isA149.exe
5468  _isA149.exe
5432  SetupUtil.exe
5716  SetupUtil.exe
5532  SetupUtil.exe
Loads dropped DLL (17 IoCs)
pid   Process
1636  MsiExec.exe
4676  AgentPackageMonitoring.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
4376  6-0-13.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
636   MsiExec.exe
Registers COM server for autorun (1 TTPs, 3 IoCs)
Description  IoC  Process
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32  reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll"  reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment"  reg.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Description  IoC  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ac916c06-1c22-495e-ae7e-b4e24fbbed14} = "\"C:\\ProgramData\\Package Cache\\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\\dotnet-runtime-6.0.13-win-x64.exe\" /burn.runonce"  dotnet-runtime-6.0.13-win-x64.exe
Blocklisted process makes network request (4 IoCs)
flow  pid   Process
5     4444  msiexec.exe
7     4444  msiexec.exe
9     4444  msiexec.exe
108   636   MsiExec.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Description  IoC  Process
File opened for modification  \??\PhysicalDrive0  AgentPackageMonitoring.exe
Drops file in System32 directory (21 IoCs)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (22 IoCs)
Launches sc.exe (1 IoCs)
Sc.exe is a Windows utility to control services on the system.
pid   Process
1784  sc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
NSIS installer (1 IoCs)
Resource  YARA rule
behavioral2/files/0x00070000000235ed-2014.dat  nsis_installer_2
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Description  IoC  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Kills process with taskkill (8 IoCs)
pid   Process
5568  taskkill.exe
5640  taskkill.exe
5720  taskkill.exe
5844  taskkill.exe
5924  taskkill.exe
5312  taskkill.exe
5392  taskkill.exe
5476  taskkill.exe
Modifies data under HKEY_USERS (64 IoCs)
Modifies registry class (64 IoCs)
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductIcon = "C:\\Windows\\Installer\\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\\ARPPRODUCTICON.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687\Server msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\PackageCode = "55F3BED93C9708C4CBCD8D5B5BD37078" msiexec.exe -
Runs .reg file with regedit 2 IoCs
pid Process 4756 regedit.exe 5612 regedit.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 220 msiexec.exe 220 msiexec.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 632 AgentPackageTicketing.exe 632 AgentPackageTicketing.exe 5064 AgentPackageUpgradeAgent.exe 5064 AgentPackageUpgradeAgent.exe 4128 AgentPackageInternalPoller.exe 4128 AgentPackageInternalPoller.exe 4880 AgentPackageSTRemote.exe 4880 AgentPackageSTRemote.exe 632 AgentPackageTicketing.exe 4676 AgentPackageMonitoring.exe 4676 AgentPackageMonitoring.exe 960 AgentPackageRuntimeInstaller.exe 960 AgentPackageRuntimeInstaller.exe 3808 AteraAgent.exe 3808 AteraAgent.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5432 SetupUtil.exe 5716 SetupUtil.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4444 msiexec.exe Token: SeIncreaseQuotaPrivilege 4444 msiexec.exe Token: SeSecurityPrivilege 220 msiexec.exe Token: SeCreateTokenPrivilege 4444 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4444 msiexec.exe Token: SeLockMemoryPrivilege 4444 msiexec.exe Token: SeIncreaseQuotaPrivilege 4444 msiexec.exe Token: SeMachineAccountPrivilege 4444 msiexec.exe Token: SeTcbPrivilege 4444 msiexec.exe Token: SeSecurityPrivilege 4444 msiexec.exe Token: SeTakeOwnershipPrivilege 4444 msiexec.exe Token: SeLoadDriverPrivilege 4444 msiexec.exe Token: SeSystemProfilePrivilege 4444 msiexec.exe Token: SeSystemtimePrivilege 4444 msiexec.exe Token: SeProfSingleProcessPrivilege 4444 msiexec.exe Token: SeIncBasePriorityPrivilege 4444 msiexec.exe Token: SeCreatePagefilePrivilege 4444 msiexec.exe Token: SeCreatePermanentPrivilege 4444 msiexec.exe Token: SeBackupPrivilege 4444 msiexec.exe Token: SeRestorePrivilege 4444 msiexec.exe Token: SeShutdownPrivilege 4444 msiexec.exe Token: SeDebugPrivilege 4444 msiexec.exe Token: SeAuditPrivilege 4444 msiexec.exe Token: SeSystemEnvironmentPrivilege 4444 msiexec.exe Token: SeChangeNotifyPrivilege 4444 msiexec.exe Token: SeRemoteShutdownPrivilege 4444 msiexec.exe Token: SeUndockPrivilege 4444 msiexec.exe Token: SeSyncAgentPrivilege 4444 msiexec.exe Token: SeEnableDelegationPrivilege 4444 msiexec.exe Token: SeManageVolumePrivilege 4444 msiexec.exe Token: SeImpersonatePrivilege 4444 msiexec.exe Token: SeCreateGlobalPrivilege 4444 msiexec.exe Token: SeBackupPrivilege 4160 vssvc.exe Token: SeRestorePrivilege 4160 vssvc.exe Token: SeAuditPrivilege 4160 vssvc.exe Token: SeBackupPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 
msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe Token: SeTakeOwnershipPrivilege 220 msiexec.exe Token: SeRestorePrivilege 220 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 4444 msiexec.exe 4444 msiexec.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1612 SplashtopStreamer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 220 wrote to memory of 1532 220 msiexec.exe 96 PID 220 wrote to memory of 1532 220 msiexec.exe 96 PID 220 wrote to memory of 1636 220 msiexec.exe 98 PID 220 wrote to memory of 1636 220 msiexec.exe 98 PID 220 wrote to memory of 1636 220 msiexec.exe 98 PID 220 wrote to memory of 4688 220 msiexec.exe 99 PID 220 wrote to memory of 4688 220 msiexec.exe 99 PID 3808 wrote to memory of 1784 3808 AteraAgent.exe 101 PID 3808 wrote to memory of 1784 3808 AteraAgent.exe 101 PID 3808 wrote to memory of 4936 3808 AteraAgent.exe 103 PID 3808 wrote to memory of 4936 3808 AteraAgent.exe 103 PID 3808 wrote to memory of 4996 3808 AteraAgent.exe 105 PID 3808 wrote to memory of 4996 3808 AteraAgent.exe 105 PID 3808 wrote to memory of 4468 3808 AteraAgent.exe 107 PID 3808 wrote to memory of 4468 3808 AteraAgent.exe 107 PID 3808 wrote to memory of 3736 3808 AteraAgent.exe 109 PID 3808 wrote to memory of 3736 3808 AteraAgent.exe 109 PID 3808 wrote to memory of 5072 3808 AteraAgent.exe 141 PID 3808 wrote to memory of 5072 3808 AteraAgent.exe 141 PID 3808 wrote to memory of 4940 3808 AteraAgent.exe 113 PID 3808 wrote to memory of 4940 3808 AteraAgent.exe 113 PID 3808 wrote to memory of 4880 3808 AteraAgent.exe 115 PID 3808 wrote to memory of 4880 3808 AteraAgent.exe 115 PID 3808 wrote to memory of 960 3808 AteraAgent.exe 118 PID 3808 wrote to memory of 960 3808 AteraAgent.exe 118 PID 3808 wrote to memory of 4676 3808 AteraAgent.exe 124 PID 3808 wrote to memory of 4676 3808 AteraAgent.exe 124 PID 3808 wrote to memory of 4128 3808 AteraAgent.exe 123 PID 3808 wrote to memory of 4128 3808 AteraAgent.exe 123 PID 3808 wrote to memory of 452 3808 AteraAgent.exe 119 PID 3808 wrote to memory of 452 3808 AteraAgent.exe 119 PID 4940 wrote to memory of 5064 4940 AgentPackageUpgradeAgent.exe 136 PID 4940 wrote to memory of 5064 4940 AgentPackageUpgradeAgent.exe 136 PID 3808 wrote to memory of 4600 3808 AteraAgent.exe 135 PID 3808 wrote to memory of 4600 3808 
AteraAgent.exe 135 PID 3808 wrote to memory of 4212 3808 AteraAgent.exe 133 PID 3808 wrote to memory of 4212 3808 AteraAgent.exe 133 PID 3808 wrote to memory of 632 3808 AteraAgent.exe 125 PID 3808 wrote to memory of 632 3808 AteraAgent.exe 125 PID 3808 wrote to memory of 3616 3808 AteraAgent.exe 126 PID 3808 wrote to memory of 3616 3808 AteraAgent.exe 126 PID 3808 wrote to memory of 1632 3808 AteraAgent.exe 128 PID 3808 wrote to memory of 1632 3808 AteraAgent.exe 128 PID 960 wrote to memory of 3452 960 AgentPackageRuntimeInstaller.exe 137 PID 960 wrote to memory of 3452 960 AgentPackageRuntimeInstaller.exe 137 PID 4468 wrote to memory of 4480 4468 AgentPackageAgentInformation.exe 139 PID 4468 wrote to memory of 4480 4468 AgentPackageAgentInformation.exe 139 PID 4480 wrote to memory of 2432 4480 cmd.exe 142 PID 4480 wrote to memory of 2432 4480 cmd.exe 142 PID 3808 wrote to memory of 5072 3808 AteraAgent.exe 141 PID 3808 wrote to memory of 5072 3808 AteraAgent.exe 141 PID 4880 wrote to memory of 1612 4880 AgentPackageSTRemote.exe 145 PID 4880 wrote to memory of 1612 4880 AgentPackageSTRemote.exe 145 PID 4880 wrote to memory of 1612 4880 AgentPackageSTRemote.exe 145 PID 1612 wrote to memory of 1956 1612 SplashtopStreamer.exe 146 PID 1612 wrote to memory of 1956 1612 SplashtopStreamer.exe 146 PID 1612 wrote to memory of 1956 1612 SplashtopStreamer.exe 146 PID 1956 wrote to memory of 2724 1956 PreVerCheck.exe 147 PID 1956 wrote to memory of 2724 1956 PreVerCheck.exe 147 PID 1956 wrote to memory of 2724 1956 PreVerCheck.exe 147 PID 220 wrote to memory of 636 220 msiexec.exe 148 PID 220 wrote to memory of 636 220 msiexec.exe 148 PID 220 wrote to memory of 636 220 msiexec.exe 148 PID 960 wrote to memory of 3912 960 AgentPackageRuntimeInstaller.exe 150 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4444
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1532
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C50CD3FB286C166CBEE5901017650F202⤵
- Loads dropped DLL
PID:1636
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="0013z00002jA9QEAA0"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4688
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 923624AB4E0898A9D73E519C636C2FCF E Global\MSI00002⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Modifies registry class
PID:636 -
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F4FB2CF-2BE0-4B64-9BB6-350F5A4369A6}3⤵
- Executes dropped EXE
PID:2280
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F94D76A4-AB48-4DF1-B619-BBCF82861648}3⤵
- Executes dropped EXE
PID:2148
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6D41DE45-8C7C-45B3-9118-4E4E4154FDCD}3⤵
- Executes dropped EXE
PID:4596
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DDBDD05C-1980-4654-A50F-3D78DEC227B0}3⤵
- Executes dropped EXE
PID:3904
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C929939-84ED-438F-9DB4-01417DC87D49}3⤵
- Executes dropped EXE
PID:2504
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{565F9E93-9FDE-4ECD-9F96-94F9629A5804}3⤵
- Executes dropped EXE
PID:4768
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{448398D6-BC45-4B47-943C-BDE48CCFB99A}3⤵
- Executes dropped EXE
PID:1196
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5171AADE-30F9-4421-95B3-A54E1C8CCE69}3⤵
- Executes dropped EXE
PID:5144
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CEBCF4AD-46BC-408D-B264-2ED1984DF126}3⤵
- Executes dropped EXE
PID:5176
C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exeC:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{20085FB9-7F7A-458F-8FCF-427092B59992}3⤵
- Executes dropped EXE
PID:5208
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"3⤵PID:5268
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRServer.exe /T4⤵
- Kills process with taskkill
PID:5312
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"3⤵PID:5348
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRApp.exe /T4⤵
- Kills process with taskkill
PID:5392
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"3⤵PID:5424
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- Kills process with taskkill
PID:5476
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵PID:5524
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- Kills process with taskkill
PID:5568
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵PID:5596
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- Kills process with taskkill
PID:5640
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵PID:5676
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- Kills process with taskkill
PID:5720
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵PID:5748
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- Kills process with taskkill
PID:5844
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵PID:5880
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- Kills process with taskkill
PID:5924
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C477D09-F128-4177-8380-E33982F241D5}3⤵
- Executes dropped EXE
PID:5480
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A598B5BB-A0A7-4FAF-9A49-FA01115D7F7F}3⤵
- Executes dropped EXE
PID:5432
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{253B8DDF-DC8A-42BF-B570-59F41567B099}3⤵
- Executes dropped EXE
PID:5548
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA28C7CA-AD22-41A8-856E-B24F54E5DA91}3⤵
- Executes dropped EXE
PID:5760
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{329B3917-26E4-40E4-B937-2E882B32A6BD}3⤵
- Executes dropped EXE
PID:5820
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1D98A3DE-203D-40FD-918F-C24C77F0BF98}3⤵
- Executes dropped EXE
PID:4128
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{38BAB03F-2BA9-498D-9BC4-FE91A5C6DF55}3⤵
- Executes dropped EXE
PID:5844
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E6ED6DA-3DF0-49AA-81D5-562C0A4774D3}3⤵
- Executes dropped EXE
PID:2444
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{55E44906-AD9D-424C-A851-1D6F812D52DE}3⤵
- Executes dropped EXE
PID:4816
C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exeC:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B88A967B-E439-4DD4-98FD-6150C5870962}3⤵
- Executes dropped EXE
PID:5940
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{533A8BE3-D6DE-4DBA-AB8F-5E396D6897B2}3⤵
- Executes dropped EXE
PID:2144
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4571F349-99C7-4686-8652-3941411ADED9}3⤵
- Executes dropped EXE
PID:2352
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DED6EDE2-F1C7-4926-8DEC-187423302895}3⤵
- Executes dropped EXE
PID:5308
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{020C93D4-C3E6-4DCE-8A31-23C0A2888655}3⤵
- Executes dropped EXE
PID:1444
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60D21649-26AE-489E-866C-FA7F70290252}3⤵
- Executes dropped EXE
PID:2908
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{69214821-EA14-4328-820F-EAADE61E0C70}3⤵
- Executes dropped EXE
PID:2860
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30AB049C-B5B1-48AC-8B61-076EEDCB90E6}3⤵
- Executes dropped EXE
PID:2620
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D8C666B0-43F2-48C7-847F-97A63A4BC82F}3⤵
- Executes dropped EXE
PID:4588
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C466125B-39F3-46B3-B50F-A99C307E7FFA}3⤵
- Executes dropped EXE
PID:5448
C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exeC:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C663545-68A8-4167-BEA9-5BCB8F11FFAB}3⤵
- Executes dropped EXE
PID:5468
C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exeC:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5432
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Windows\TEMP\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\InstRegExp.reg"3⤵
- Runs .reg file with regedit
PID:4756
C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exeC:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe /P USERSESSIONID3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5716
C:\Windows\SysWOW64\regedit.exeregedit.exe /s "C:\Windows\TEMP\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\InstRegExp.reg"3⤵
- Runs .reg file with regedit
PID:5612
C:\Windows\SysWOW64\reg.exereg.exe import "C:\Windows\TEMP\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\CredProvider_Inst.reg" /reg:643⤵
- Registers COM server for autorun
- Modifies registry class
PID:5712
C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exeC:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe /P ST_EVENT3⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5532 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:4328
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:260
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4160
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:1784
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "0c0d7ffc-31ef-4fc8-a3de-97a0f821407c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4936
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "8f905f9b-8be0-46d2-a9d5-fbc548a20dbd" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Executes dropped EXE
PID:4996
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "6a5ba775-128a-47da-89d9-eb54760fcd4c" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:4480 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:2432
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "18acc69b-831b-43da-a614-2532b9b928bd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3736
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "26bd1bdd-7735-4d97-8f45-8b0037de183f" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"2⤵PID:5072
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "f7076d17-b8e3-4856-9493-83ea3c88d1ea" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:4940 -
C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "087fc8b7-72eb-4445-b9c8-dd13004a07f7" "f7076d17-b8e3-4856-9493-83ea3c88d1ea" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5064
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "2df1a8dd-a32d-4b8e-8ed4-f7518893a4ae" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1956 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵PID:2724
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "50f522a1-82a8-422f-b1eb-3d8c382472ad" agent-api.atera.com/Production 443 or8ixLi90Mf "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"2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵PID:3452
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" /repair /quiet /norestart3⤵
- Executes dropped EXE
PID:3912 -
C:\Windows\Temp\{95467D01-FC3D-4780-BCAE-C831EA11180B}\.cr\6-0-13.exe"C:\Windows\Temp\{95467D01-FC3D-4780-BCAE-C831EA11180B}\.cr\6-0-13.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /repair /quiet /norestart4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:4376 -
C:\Windows\Temp\{C9251022-5ED0-4E52-BEA7-0CA4749D2419}\.be\dotnet-runtime-6.0.13-win-x64.exe"C:\Windows\Temp\{C9251022-5ED0-4E52-BEA7-0CA4749D2419}\.be\dotnet-runtime-6.0.13-win-x64.exe" -q -burn.elevated BurnPipe.{A1463483-32B9-48D6-A8C4-AA7488730347} {5D5FDEE1-5A92-42D5-95C1-91F157896C33} 43765⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
PID:5020
-
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "ade75f9b-ba17-4d51-b79a-4f1328add6ab" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:452
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "4beff8be-65d2-47ae-af88-cc39d582b396" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:4128
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "a18df1b3-de06-4525-b587-d89431e2439b" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4676
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "b3523f55-bddd-4c58-b335-d9257abf9733" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:632
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "4794a633-0c54-4510-b98b-84a47651cb43" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:3616
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "471f68b9-ea6a-4900-98a5-9a5385f6378b" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"2⤵
- Executes dropped EXE
PID:1632
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "f46cafb8-7453-49c3-803b-36b6b9025bdf" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"2⤵
- Executes dropped EXE
PID:4212
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "e567fb2f-a610-4a2f-b963-0f17c51d7153" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4600
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "0754e610-4ac8-4ad4-b14a-6abd0b4c0eac" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:5072
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "18acc69b-831b-43da-a614-2532b9b928bd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"2⤵
- Executes dropped EXE
PID:5136
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (2)
Downloads
-
Filesize
8KB
MD5774016aa7437ad38ece0b32396b73960
SHA1669833535b35a8fe3843b3e859d4154e347f10f9
SHA256720cdf5c8d13adbdfb6059007eeb2fc793cca36aecdb5a0a45a9c6a283d8d99b
SHA512c473fc8d367802f787d330fe4c805e981b4761a82e3ad927b956c3527fd27ad1441ad3338b011f590fcdd9df90b4ffc0b48ee438fb6ad55fe47a53c1540f514a
-
Filesize
305B
MD527c1adfa459a0d4c1a3ee1e4e92f8e0e
SHA1e21b1152b78827c8e59d84c541c190c099297632
SHA2568e88d3edb3da0f6dfe4dc7716ab64256fab189429a6690b129d6789f7eeca49b
SHA512f8f66043ad65be01a11e130ccedd14a1e638950bb95999e650f62362c05e81d413d330e87cc5fdade02776fc742ebf96331a3752ab80eda9931041089563ae36
-
Filesize
753B
MD58298451e4dee214334dd2e22b8996bdc
SHA1bc429029cc6b42c59c417773ea5df8ae54dbb971
SHA2566fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25
SHA512cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba
-
Filesize
111KB
MD5babf570ff85fdb7339eeadfa377292bc
SHA186e7ae00563499b60a8b2943c409fd54b723519d
SHA256bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4
SHA512f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd
-
Filesize
111KB
MD5babf570ff85fdb7339eeadfa377292bc
SHA186e7ae00563499b60a8b2943c409fd54b723519d
SHA256bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4
SHA512f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd
-
Filesize
111KB
MD5babf570ff85fdb7339eeadfa377292bc
SHA186e7ae00563499b60a8b2943c409fd54b723519d
SHA256bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4
SHA512f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd
-
Filesize
2KB
MD57ff0ac77806aed9588b143cd0fab552b
SHA1184b62f2956b95ffe3dc98ebb31d7f45dbca83fd
SHA256730d85d5ef4f0939154278949c126a444ed859e7718bb175ca3153ca6ed9d142
SHA5121856bda8cc3d4161110cd75a7be4939193ed408a95f9c41e22f4cc9f85b1294584f95796bce207dd65d606ffb57760b3d2e1681efbbb7759a19a9f70fb7edac8
-
Filesize
196KB
MD5c8164876b6f66616d68387443621510c
SHA17a9df9c25d49690b6a3c451607d311a866b131f4
SHA25640b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d
SHA51244a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4
-
Filesize
464KB
MD583222120c8095b8623fe827fb70faf6b
SHA19294136b07c36fab5523ef345fe05f03ea516b15
SHA256eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503
SHA5123077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
Filesize154KB
MD5e3ca6ba742fba06522ab0fe063c620de
SHA158f1e87ae1ac14cf043c1af4c21d00e4197c712b
SHA256f03771bab23cb012beb6bce3618a45fa6d06e3783a67f5f78bf0d9f41a198079
SHA5122de5d08a4a33c03f828244705e4dd25a39d7d56a82c5fb1e5512d10d133d30a6cfeb2dde182f13288e5e0bcab181d9b4636d65db2cf1cc54c834080af0348bcc
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Filesize46KB
MD51b692438393f8223bf90256abb3587d0
SHA15fd99d9db4757224da3fb8a8cac9d1f1632c47a8
SHA2568296ecf5e781a1b6889ee7f278a31acdb70897f2d862a7b53e58a4edb34d71a6
SHA5126d98fc4da030b884bf3b7fed9d7e026f8210b38cc1e4f96d36bd85067de6dd9286f0e8ac3715a187b595a8f7ae709fc19daa572ff83bc26802287292f8503bd7
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD5d8f9f68980c4da708195fa812519ad2f
SHA18f0066a77634e4108c20e226a5c6ba712e5a7fed
SHA256dd8a6863451545d7ed0bab6e0e279968b2c0541c20b0a4ce7ab3054f03c54cf6
SHA5127d3d15d3885ab1058efed06cb05dc8e713e71a3b70f3fb380657e802c362f222f23c44dc36af14089cf2c8a323a3ac07a172c1d8bb72de80eab78a66ef71e068
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize161KB
MD5cdd68c74f07104e58c977bf652d0f26c
SHA1af9da361479c19f9f943bf786f945f386f770032
SHA2560a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7
SHA5122d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize161KB
MD5cdd68c74f07104e58c977bf652d0f26c
SHA1af9da361479c19f9f943bf786f945f386f770032
SHA2560a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7
SHA5122d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize161KB
MD5cdd68c74f07104e58c977bf652d0f26c
SHA1af9da361479c19f9f943bf786f945f386f770032
SHA2560a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7
SHA5122d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize161KB
MD5cdd68c74f07104e58c977bf652d0f26c
SHA1af9da361479c19f9f943bf786f945f386f770032
SHA2560a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7
SHA5122d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize161KB
MD5cdd68c74f07104e58c977bf652d0f26c
SHA1af9da361479c19f9f943bf786f945f386f770032
SHA2560a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7
SHA5122d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Filesize94KB
MD5aa3bcb58a6c8dd0839e6b803ba1087b9
SHA10198a9c644d74712c34a3a67f460a02d77005321
SHA2568dca6c1eb1557365e065931c992de88b075b4931fa574e8f1db5805e3a03388b
SHA512620adc1a4cf614664975a8d778efd7cabdb1feb0df0074be8c182888f12d61918c8e7521735a624a5aec97f02ec973125cd5de7e03a02e15c8b87884ba4a70a1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize687KB
MD50e7f80a7f2777f811f5bf04633ca1fd1
SHA18d767ef46f230a99a4d59c943eb88b5b02d4cf43
SHA256f8054be7979b255589590fa0497e242b6294752a85795c8ee775835ef22f7a18
SHA512d19d50879cfaa0a524be1359372014f67e4f1670e9443f393082fa5fc9c0a20d4d85d812641813b621ac3489ea07a86faf0d7e317e2cbd0fb42ddebc568a9e9e
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.INI
Filesize13B
MD5628ca66025f77286df96177c3ebb8138
SHA114dba90e4c2f9b8fa7b13e9af01c5d2b6a6af6d6
SHA256d7630e927dbb907ee379a95be9ed1cbb2a0a87fc9aed83ed6dae8340bfcf1b09
SHA512231d3244cabcbbc811f9bc06a89517083a58ed6748a4bc6e0c1676054cd22d7cab7bc21af5a221e47fa096a5129ea908c9d09ef4b98baeec2ce78b78ebb26dc4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize25KB
MD5fd9e8a53114dba71999e09386fb6ff83
SHA18b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679
SHA2564a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe
SHA5124412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize25KB
MD5fd9e8a53114dba71999e09386fb6ff83
SHA18b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679
SHA2564a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe
SHA5124412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize25KB
MD5fd9e8a53114dba71999e09386fb6ff83
SHA18b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679
SHA2564a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe
SHA5124412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config
Filesize187B
MD53f9b7c50015ca8be5ec84127bb37e2cb
SHA107fa0b2f00ba82a440bfeacafd8b0b8d1b3e4ee7
SHA256c66e1ba36e874342cd570cf5bdd3d8b73864a4c9e9d802398be7f46fe39a8532
SHA512db5713dda4ecac0a1201add7d5d1a55bdbfc9e373b2277661869f7de9e8ba593f44bdafa6c8dbeba09df158b2dfdd1875c26c047f50597185f1f2f5612fc87b9
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll
Filesize81KB
MD5ea658407265ab5ce2a1794ab9ab3339c
SHA11bda2624f029a30e3b89e2aeccdd32b09bb031fb
SHA256735d255f396448ef6bc30d3b38dfda4487f4832bcc6dadeec2737fdfaa938548
SHA5127027638a120c35f8df29e24d0e061d2657d2fac37a83150cfe14a65bc91960da0c674c442fe97cc5175eb52248bef4b4f5abb78639a7dd659ceecb02e3a14280
-
Filesize
522KB
MD550bdc0231af5435fa5ad29927d7273d6
SHA16b9ba2ff309b30f5b3318ab0d31270ce70b94307
SHA2565059afd9cfc492a74e230949ebb528572d228d29da767227bbea75716907ad75
SHA51215719741cf26f5057251b8507af83dd5a8355b8cc142b6e0c85c4c0ca98e6e2ce5cbb955dfebd88ff5ca4b78471983feef66f7513d7bdd43468f47b55bc7ea4b
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize212KB
MD5e984f3c76408989e897cd4068ed5b7d1
SHA14318e3da5a0b29afd848f51223612720844475e9
SHA256934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17
SHA512811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize212KB
MD5e984f3c76408989e897cd4068ed5b7d1
SHA14318e3da5a0b29afd848f51223612720844475e9
SHA256934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17
SHA512811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize212KB
MD5e984f3c76408989e897cd4068ed5b7d1
SHA14318e3da5a0b29afd848f51223612720844475e9
SHA256934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17
SHA512811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize31KB
MD55c33b399551c1ff47d5486c6556121bb
SHA174d49780496b0ed524442aa95f6eb69bc83ded18
SHA256aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9
SHA5126f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize31KB
MD55c33b399551c1ff47d5486c6556121bb
SHA174d49780496b0ed524442aa95f6eb69bc83ded18
SHA256aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9
SHA5126f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize31KB
MD55c33b399551c1ff47d5486c6556121bb
SHA174d49780496b0ed524442aa95f6eb69bc83ded18
SHA256aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9
SHA5126f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize398KB
MD5da72538d4032c18b769f30acb967703f
SHA1f5b8d6268ed5fba17cf95f5f5996cb816e4359ef
SHA256b18dbade3e75459c976af16eaeca5be161758b3a6098169faa66037e608474da
SHA5121068a8f1ab937e130f20d43db4cbc9ae050306405aec696dd03bb688a3d9717e0006e0e7632c77cad1782969bfa10478a0b49a47e0115d2c72abd7621b110d09
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize398KB
MD5da72538d4032c18b769f30acb967703f
SHA1f5b8d6268ed5fba17cf95f5f5996cb816e4359ef
SHA256b18dbade3e75459c976af16eaeca5be161758b3a6098169faa66037e608474da
SHA5121068a8f1ab937e130f20d43db4cbc9ae050306405aec696dd03bb688a3d9717e0006e0e7632c77cad1782969bfa10478a0b49a47e0115d2c72abd7621b110d09
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize398KB
MD5da72538d4032c18b769f30acb967703f
SHA1f5b8d6268ed5fba17cf95f5f5996cb816e4359ef
SHA256b18dbade3e75459c976af16eaeca5be161758b3a6098169faa66037e608474da
SHA5121068a8f1ab937e130f20d43db4cbc9ae050306405aec696dd03bb688a3d9717e0006e0e7632c77cad1782969bfa10478a0b49a47e0115d2c72abd7621b110d09
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config
Filesize1KB
MD5c6ecf24757926eba64e674bff8b747d1
SHA13a46083826c20e8e085c42bbfdfeef4f9e2b90d9
SHA256c3ec04142c15b0a237e72ce1c3c85d19cd1231b9824f7a9854e7909a74b7becc
SHA512efabb9883adb098a90115e8938c92b76bbb8d2eb5de170ecfa205ee949a2d722e0f97f6e01f9a71ac8b5fa2108b9ff82fa0171759d50e30d0ab5fc1948bdce15
-
Filesize
40KB
MD57d3cce897912ccc212ec69f2a27a8b51
SHA1d839c93c987200e0ce6e2f0a80486ddb9827d6d9
SHA256e1b01c05579da3e0c6af5a589571cd80185705b63544bbfc7186553cecc15607
SHA512c95c34814c0c06a58f7521f1397b753279152002374e0eb42cb84a2746db0f05c5ac6e120be976fdb6bd60f93db14223fb7810767a1ae91c830147bb4b7818e7
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Filesize188KB
MD57122a8acddee274f03e8eff915953eae
SHA15be51b43c1e59459707486e4eac0668acd603420
SHA256d534b2ad9791b4ba80141398e7aa4d0e85c4f7fa72c580ab46f096985403ddaf
SHA512b2ab136f1cded923c70019febe1ef37386e2bbaf175d6138589375dffea11f96391e1127970ed37be83376e4936c45b66a3cfc08be5b0d704c5078c88e241bbe
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
Filesize47KB
MD5bd468d5f91fe98ce84710a0750676064
SHA1e213c1ee6041f6523727b3ad2449aac603f65595
SHA2568f1069fd3fcbe1f9abcac5667a0d2099ec79a7a611ac74e09d687aecb18e07b5
SHA512cd6c484d71d3f6f4a92ca85d4c26ed71f861d26fd3b5bd700e596833f80705ffde03d4d9b247634ebfd56d4ccc84f374c9ff4ae2beaa216642f15e1a702b9e63
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.INI
Filesize11B
MD57c6c7401d4eec2934ebfb15e3e9626d1
SHA1c2433b8fcb4a78b23ba60c3ed3f8357140f1e868
SHA2563e0837d0c4afb315be2d0ce8748eb67de92e1ff0c16a7fee89fd252639343c16
SHA512626427a56563093f19e1271a173ead38e3d02c77d6565b7b2a300f247f3b91d002b4379e719de1044dd0e0669cee94962f4449e7eb77b9e52bd6812b1a852cbc
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize53KB
MD5b7aca4b1a547ca9ba8931fb2f3a8ffe4
SHA1ade0df9aa1b3419b1f5dca663a5ba86221fca0b9
SHA256bec6398691bd7290f2b504fffe3271275816af6cb4a481dcecb8325f497a4d80
SHA5127344734e229ab95bd5764523ab8db72760f71c50e947547daa4dc5668a97f257022f8f864fda38e26f922df3ef16856979bab3785164dc4a3a661e25a2706735
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize53KB
MD5b7aca4b1a547ca9ba8931fb2f3a8ffe4
SHA1ade0df9aa1b3419b1f5dca663a5ba86221fca0b9
SHA256bec6398691bd7290f2b504fffe3271275816af6cb4a481dcecb8325f497a4d80
SHA5127344734e229ab95bd5764523ab8db72760f71c50e947547daa4dc5668a97f257022f8f864fda38e26f922df3ef16856979bab3785164dc4a3a661e25a2706735
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize53KB
MD5b7aca4b1a547ca9ba8931fb2f3a8ffe4
SHA1ade0df9aa1b3419b1f5dca663a5ba86221fca0b9
SHA256bec6398691bd7290f2b504fffe3271275816af6cb4a481dcecb8325f497a4d80
SHA5127344734e229ab95bd5764523ab8db72760f71c50e947547daa4dc5668a97f257022f8f864fda38e26f922df3ef16856979bab3785164dc4a3a661e25a2706735
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe.config
Filesize1KB
MD50b17b3be9b3a6f6879998d280941de55
SHA1ede825b51ee11af7c9221dce596bb969cd068529
SHA2561d69336e421c535cecf2e0326be39b44eec8ea39754ac8e855d8e0368e0f4619
SHA51206d9cc03b8f7295a6e02376159ea96a83caed4b584769370c0bf365b25d29c883ba5c8359cfeb7316d13c93b49fd37cca267f6e7931220ced71435e1f4b639c8
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll
Filesize92KB
MD583c274a450f71d2dae867ae2d13640ff
SHA1dfb0d008c39af8df1d7733ccf3e8e600ec595631
SHA256419af61576ee876878ed3551d1ea3cb90191b2e5bb18bd8987ecf8871243ad15
SHA512f995a55f65dd7b5ad300c91ca0eba37bd57df86b7b8ac0252cd085a44bf98ffcd63f7d3931ddca25942f3261d8c2e19761ed70d678916d93e202e3d7d76b11cc
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll
Filesize277KB
MD594367c721e65db3d2a6c62d52f8c176d
SHA1b6acbe0252d46c07b3b793e70206d2d106e1243c
SHA2564057ec13b30dcdfe167dad5a2c5043c33ab039e5a9d3be7811bd92144399d4c7
SHA512396275139041873be8f0e0c16db6c5c847025ef2b4bd12960255f7c74275d690f0d9c88d098c85205c63bda103a07066c2b53f20969caeb4af0406c32d6b0b7f
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.INI
Filesize12B
MD520f7dee705a4f03baeffa9b658fee625
SHA1aff7da269b24cd1c37e5b13f9395564d0fdf6d5b
SHA256aa29d45c1bdce17624bc9a2c57f89bd7b36e1f68e44ce763879cf44d977a82d6
SHA51256068a5026fcbed08eb8d0c4fb82198d7b3eef4857aae0ca3dbb9b1fa0fe8772a930bb544bdac435c47fd612d5bcaade4bc7ba8360575769abdb3aa818bf98b3
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize65KB
MD515133bbe13e21b1c50d447c64463f772
SHA13dd21da8e2efd3e448fa336477700f733875cdae
SHA256433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec
SHA51254c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize65KB
MD515133bbe13e21b1c50d447c64463f772
SHA13dd21da8e2efd3e448fa336477700f733875cdae
SHA256433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec
SHA51254c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize65KB
MD515133bbe13e21b1c50d447c64463f772
SHA13dd21da8e2efd3e448fa336477700f733875cdae
SHA256433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec
SHA51254c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config
Filesize541B
MD5d0efb0a6d260dbe5d8c91d94b77d7acd
SHA1e33a8c642d2a4b3af77e0c79671eab5200a45613
SHA2567d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102
SHA512a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll
Filesize94KB
MD5e182b5896e44abee3a33adf7faef38dd
SHA1d30d7146e03035da47dd3b7b50c08cdfa022aa35
SHA2560d335ea84f9295e7882c358a923d265b6e0bc536a5fdd22da5931d9204b06467
SHA512e467f383f576daf785dd728add510fa5d604a954ca4a2d7cee5bb6b8f14be8ea89219d181ae8da81510defb778b23c5c500e3d8c738f9b26d63bac8122036ef5
-
Filesize
693KB
MD5b11c285aeb968434de2031c5451a267d
SHA192942073ae71b2d287767bf678a33db5718c603f
SHA256f599fbd82e65a0feda9c19bca49f0db3324dcd4aa6251d40e1729765fecf9000
SHA512bcccec3a4d2b26b02db11d2f6e4bfef9c9aa4153a7a5dcfc62b2276af50ccba3e060a5501d2aa9833c23f3821639d9715012925026e8ce53922f8a5452f83413
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.INI
Filesize12B
MD57ee83499fea6848679d28edc872e7215
SHA1240baad2aeb0c81851da18e356409c78e2cef5a7
SHA256158f2ff9e592d4679a7471299f2f3a7aa6968d6779b81655ad1a7ae811948105
SHA512ed3f4e8726ef683e88f04c6937e82f27e2f67c9316781478b07e5d0c90b061a09a0a5f90ba5a2da65732e9b54654cda4d39556dcbd18dd78bf61cc20c43193fe
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize43KB
MD5f0c3af895ad50d448c4746353896d1ca
SHA1c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6
SHA256214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929
SHA5123132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize43KB
MD5f0c3af895ad50d448c4746353896d1ca
SHA1c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6
SHA256214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929
SHA5123132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize43KB
MD5f0c3af895ad50d448c4746353896d1ca
SHA1c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6
SHA256214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929
SHA5123132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config
Filesize498B
MD51819851a638eb6d98a3cc80ac4ad6894
SHA1b74a8c6c5152c4463e487b88e534afe7144eb832
SHA256f1d85574d2849984bf608191a519a98b1dd830b023e9430571ea6ea9fb62b981
SHA512fa6638ea1e921da96a39e31e85ff757e6c9bad92bd997b7a516be5f34d00158bd2fe1367d6d13e22e79e703a1c590286de409c45f28b0c75ded3284a1fcfeb0d
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll
Filesize94KB
MD56f95c167da211416fa221a8926c64532
SHA110aed65d1a5e3563eb561a485e0fefd531c8574e
SHA256b88c77e60b8ae3d9b0a067218eedd2d82deea2dd4cae60b8f41c53a05101c650
SHA5127590157b138d95c149a0a893e1355567a55bdbe82ae9806f071b8ead3a6f5ce8b122b311fd3bae34d044c436baa405cfd98ff1c27eec1b60b647265a0feb6984
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll
Filesize693KB
MD599ad695930272a0d5db6be802f0966f9
SHA1916811188b414c84bd299ba086c1b68eafd6c487
SHA256c00d2c7ddf4e5b45682e27d3dc60568b47e109b715b2638540d3108e98104a78
SHA5122574553b62491635524937d8b56abd8591632f237acc86b3ccf21ac7a59811cac94015003a622fd40de0a15cb967c2b1bdbab5c5b7601dd19dac5ff45292365b
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Filesize30KB
MD5ee564070a011f3cc31f846040d93c5ca
SHA1b498078df5739008d80a6e7624352313439546ed
SHA2560f631801a8ee3bf167fc76b50ca05aae4cb6533cdbe7b2f1261e8c590bc80c57
SHA512ec2b86564326d112f37cec79f4809f655d4074dab596c79820d1f186b0ab020b178815b986bd957475fbd129e3ea932d77fb1ad19804baf34d6ca45923ad9b6c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingSettings.config
Filesize162B
MD55c78fe97ee3475b53db8b00ef78e4a8f
SHA107ef7446942563ac6db9fa5de8734831bcfca8e9
SHA25674cedcfab23fd143fc690c8431eff92ea69e8633f318ca33fdb259aaf1757102
SHA51218324927b0f7c95a03b0be8ddce18b54db8467dbf351da8d6559bf5b87acedb36cbb5bace31be4f7cf0e7f6b8a5be9553d16e514f7d41f8913212de0a19dcad7
-
Filesize
228B
MD5f2a3653dd8e6f24fd200cc76c3b29ad7
SHA1e5101d7fd9b7f52430262a8075f7a3589187596b
SHA25696c4c998d361d18b9f4054caee12606cdd9eaf0711d55b3c9f5f0e20b6c174a4
SHA512ac395783bc96d9005a1d741fb07cd8583139bf3d2a981948d070b1137666be6d8cb88229064c6f828273e352ef2c56adda03f4b046feda40f5096fe6784a6102
-
Filesize
316B
MD5abc68d054dcbbac9f180f938943b8b3e
SHA1e8d08d58cb8b2f88f60d953a0dae1899aff73e24
SHA256b01d14a5e46767b7917fd550d749c21d7b8f4eb3f5fa582965c0b128088a6bf6
SHA51238ac492c0f65e7c79eaeb6bbd7152dfcf1dfac25e656e110159d4bae1d9a7005f28f69f24a6dc2d836a226a3946d1a3fa0ce263f778488384d4f9f442ff27d6a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.INI
Filesize12B
MD539b44ca42c8612a5930265aeb5b57d01
SHA1bcdb0725dac93ff166f3720fb857044b34d30915
SHA25688ba4bc3ed257a32c86d2300ef9bb15b5737e94530ba27a806cbf5240302e64b
SHA5128eb7df51281cda144dc77175cb2bde02294184de60db93c80a166acf37e64c3508dfc0f82ec1511aa2d5a72828b2e7f78d6ccee0015924fc15df52abe4f1268a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize50KB
MD5953e52ff73e83b5b07a6c4a89a281ee6
SHA19a2a24d55926ca9739c8aee411d3d23e290191bf
SHA25671b287bb826d8abf546a647825532f6a2dee8e32fec04a1c5d766d497e02025a
SHA512fd4a48921667b1039af4f3d74a4525cbd42a02af8e3fefe5e24102c9576dddf4ecb08f7beabb546fe8f5210007abbe69ce31acc9ee86bec48bd308c56ca3de09
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config
Filesize: 535B
MD5: d505e3de03f172fa2b246e210054c5f7
SHA1: f5a480f56f760eeba3b29108387e54d70a721127
SHA256: a568f933f09b1ad1ee5e88ddcffa1fe5921d18b73477136e1faee55f2bef399a
SHA512: 80f01447b43525dbdf5b283522fe14d9aecef16e55ea3fe36dc0a94b53c49e03bb56136f0911c348fb78fb5af6112b1de7c38cbffbd73acb2971655ef1b2b859
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll
Filesize: 94KB
MD5: a46fde4c53c84fec49864375d3a0bf58
SHA1: 244a459a06354c234f9d1eb144b37a1a38881802
SHA256: 21681a41bd53bf8e94a173c01c2f38466f93df92cdf0d61989ef1d41d50c5f21
SHA512: b7202c8734cf42bdf8c86f31d83f06496d01c0f0be84812a5bd7e2fdeec004bac66ad897c1fd0eb46b731ffb170f3c9439fca23d336fc9ac64fcb56b50217281
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll
Filesize: 181KB
MD5: 66057a0e46da3924670862efe243640f
SHA1: a2cd8abcb3c2ee7e77559b81166eb180f61fabbc
SHA256: 30e435fe1dc8dc5c8f8823b1fdcb6ba9c61bbb820f2a363c115ec3a31b47a6a1
SHA512: bf4070f82716f2695a77f52be7387f2ca1e8c3260d63fb4f93007b3c6b21f0842d4663f75be89088b13388504dd5dec721bd44b4f625ca6ac0c9c9b33e517ea4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll
Filesize: 323KB
MD5: 716387d1960415fd3618db9b1557ae2f
SHA1: 252fa9344c0a834a3ecbb8da7541e9fcc5df76d7
SHA256: c8f269b3aed910f85d05f92c8751c19cc353627928b248c3e56190f40d54e544
SHA512: 6c2e72ffb40289839cf11709cf947a0e4a3247bce88d2d353d61a9c090cc75473487cb065d8e504ac69437fc8c47e14fad98906ab004f1190b3a3b1464001b91
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll
Filesize: 693KB
MD5: 17250c84c362f1b036449bd5f5ac2ffa
SHA1: cdfb112668b13b378b7dc553e9a93a6980e7be9c
SHA256: 65fd00cdd3e0f88f40c0dfb3b585234548fdd6eb084bc98086fb1bd58d060d6c
SHA512: d4ab803657b5362546be26b419fd7024720c78d370cc4730c364d630952d52d612c8c71d3a6cf786701f823d48f1f713deef846f3abe059f558420ca58e7af03
-
Filesize: 167KB
MD5: e8458b60d4f251de071b765287c5661e
SHA1: b4a4d91483f658b79204ec4be2c2012efefd5a63
SHA256: 52c29826c96e35373f05fefbd0f92ac9ec377cd65e8f58a945f3a86b41c3ddc6
SHA512: 57b3b9cd3a47a6543e0e81a4606e7a90e4a459fe827c01ec6a21d1a64503fe6267079fa89e3120519079a1e9a0eb925f3b794d9b39f03d7eba524393dc564bea
-
Filesize: 168B
MD5: d1cb885060e2c02583dd326cac584628
SHA1: 2acc83cbf06dd0aff210af2f7310ee038671cac2
SHA256: 2d63a9a1d8add3b0e4e5823849a6fe81cf087967ebdecf255bc2faa29b53b118
SHA512: ccba93ce2f07856cfd013998b2cf8bedc3bfe4ce79f4e8a96f3af1d7b78cbbdbdb7a1bc8cf52bc94d8bea795d8d2a6c3097ae028a77cabdd7278f94ad54cc054
-
Filesize: 9KB
MD5: 1ef7574bc4d8b6034935d99ad884f15b
SHA1: 110709ab33f893737f4b0567f9495ac60c37667c
SHA256: 0814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512: 947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize: 10KB
MD5: f512536173e386121b3ebd22aac41a4e
SHA1: 74ae133215345beaebb7a95f969f34a40dda922a
SHA256: a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA512: 1efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize: 76KB
MD5: b40fe65431b18a52e6452279b88954af
SHA1: c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256: 800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512: e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize: 80KB
MD5: 3904d0698962e09da946046020cbcb17
SHA1: edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256: a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512: c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize: 27KB
MD5: 29f288f751fbcea5cd75ea9774882787
SHA1: 5a4c30382c63e29e848b681d39cc213c2198e12e
SHA256: 711702eb24803788ce601996f90b7ef57eef1f764f7aaf3a96e2196ed4a9533e
SHA512: b7fc0a739b33e79232ef506393cf90297f4d41f165f34b5be50648d8a1967419e1f0ee369e809d5c142898824e8b5a3784106d33a2d1d72cd811d5352f4bbd60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Filesize: 471B
MD5: 30cdbf3159adc4f820d2356c3abca7a1
SHA1: 51aa0ce2ecd878ad5a7108487507f3a1c32ea57f
SHA256: 5127a5bab21ffe9382bcf17989de2c896d3d4fb2e5a4e2125d16c358209999b0
SHA512: bc97b561a77d61d4a5e73f53fc009d2100e596ae897a8c435fd50058d4571020560ee8f37c235756e46ff3387e7ad4941b186efc0aff47fe7d468038c9918cfd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A
Filesize: 471B
MD5: c1863ad297487389788ea71598af9c27
SHA1: c56e429202aa215878dbd4db4585a7e4381de35e
SHA256: 0b04f709db9c017f4755d695f0380b6ec2f1491eec76f2265b862c1cdcff9667
SHA512: fb1231313af5a9da17636b3960578ad15d5107ebc44e6c95e15c548fbdc2b944eb225adb5c0a761b2f0d49dd236537980da8debb684557ba486b37dc44e6069d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D
Filesize: 396B
MD5: a18219a65731e0e77d01c876b7b89d8d
SHA1: e882a6d577f6f185c092c38878d36a0710ba2d91
SHA256: 81c05881688d5cbed9139e4ec641aaa881946ad73c65461b6651532591914e60
SHA512: 8177d8d2ef851a1be42895d13de6506113f655c1ce6bd524dab298685ef7645c52c0859ce90c36b2e3fed182db9ae6c827cc17410be6be03e4df5d9d5e35a977
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A
Filesize: 408B
MD5: 913b9487a9e5e6c444dd5c26db6c026f
SHA1: e3e6cce9ee8b47f9fbd4c89ce30d573319980516
SHA256: 54ea3775515eecc575e4cfa22a2d77b2605e7b022c14e2485b011ef02d2efcb5
SHA512: 338ca6766a787c8bd6eb4179e27d88a013c1360886590a0be0135f4324e2fcad181fc72eeb2337d20490c0084ce88c5d953d83a55c9bc01f863be2edfaf056bc
-
Filesize: 211KB
MD5: a3ae5d86ecf38db9427359ea37a5f646
SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize: 4.5MB
MD5: dcf1c5be73edef9f4969109f9ba5147d
SHA1: 8ce70c29fffd8ecd54fab1ab5d021f4be7960a3e
SHA256: 3b26989d2114f3f21ded0a4838643c629c550bc2fe01fa9147fced0ac5223e74
SHA512: cd72ee30040f84fe6c7077de2697a2ff1ccf787f434eaf33cfca10c39ceb1534b869c69496cd168c50c7cd348e1b36743dd305757dd2bd2eba09a02a132d07e1
-
Filesize: 632KB
MD5: 31b8bb512a0f8c74461b4c6ae28cc5ef
SHA1: f36be96e0f28edfcc5a232e9c4dfcdad0e94c151
SHA256: 7ff41b06ca3f24829baf4f67bc669be8421f70895dc1734b24948bd5f74beaf4
SHA512: e2e86f0985016c44e347990166d7038829cc4593289d0fe8db1402bd039433243229b1dd4639f5aa81106a0fa9e1944163d001e114b11ef156bde3917304392e
-
Filesize: 47.3MB
MD5: 92a47f95f326cd152a37d645de986a70
SHA1: af1a584c076549e102a7d6680dc87659c107bbc0
SHA256: 3a63472cab8a7d175db712bf8c52ef0c472f050137331daddba3e886634348b2
SHA512: b061bac51428d48416dd634c2f1fae2e89ecb419300283a56ff9585ffcaa9a64274444262ebca3b8d26d02246c49c79020e95961979cc2ff0c85091c0151cc26
-
Filesize: 4KB
MD5: feeb0c072eafe62c35a208958d8a92e8
SHA1: 806748ec5da06c95fb8cd9c60fe1829d59f4ff24
SHA256: f450e0074aee6f6937ae096565ee16caf571e4d14ef63845d553e59a3f8d6641
SHA512: e8c9f6c73a25b9f59e6f269dfcf1dfc3fe0ed777699e3485c7719cdef7d3da7862faba2de92b680e4def4ef082c248cf78d40cb40d4709bd9d2fad0fa61c2b7b
-
Filesize: 2KB
MD5: aabbdd7d32b5b972ff4ab3c9b04a2093
SHA1: 29fbf926642b98c00bd7f7eb74b759e697141394
SHA256: 69dcb9948a7c1648bbf2399a25acd58f7e849382943bc557447319d181784298
SHA512: 36b86099f1f1564fd1ca1a7b9bb317b88cb6d90b25b3b47a0bf49ef71ace2171e98a89fd476523895438b2e2b407f844a56532f5a6deaa6eac495879eb19e172
-
Filesize: 4KB
MD5: 33e7a6b07a6040a97f127bf7d8b54dc9
SHA1: 21871ca3c24f6cb62d0e4a79110ae011eccb2b24
SHA256: 7716425011e6d160aeb14daa90f1bf6a857b8dc9d90d89be97ec7a25ec68afca
SHA512: c9fcb1bb31d19b3e35c6bcf5506953c16dbe34f83c02ec359e22cd3c4c494f2e55279d3b5f41a99a68f673feb10415b6ce0820967952fd47c1c086060092589d
-
Filesize: 1.7MB
MD5: 351e3a4ec04587153ecb8884dfec5a3d
SHA1: 17fb16e611e681420617220233d4accc63fbd68e
SHA256: 220141e9aaa99808db4451f4dc3a81aa659811cc2e9d637e458749fc98bf89f3
SHA512: 5d19efdda526ac9be9f68d195461e63d73eaa76be2908a9d6e1da396c25141cba8e8ba0d369ad240351ea0195d3aa839789610f7f855b7f76cbf3c401b00d42b
-
Filesize: 427KB
MD5: 85315ad538fa5af8162f1cd2fce1c99d
SHA1: 31c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA256: 70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512: 877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize: 1.8MB
MD5: befe2ef369d12f83c72c5f2f7069dd87
SHA1: b89c7f6da1241ed98015dc347e70322832bcbe50
SHA256: 9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512: 760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
Filesize: 538B
MD5: 86fb4a915929524f76a887a37490a470
SHA1: 95c2d8d4879c0ecef89f377be83c25d5f2ea992c
SHA256: 26be6365339c243b58c20f942fee384ecd0897cf8a89e787410bc8927fff3e09
SHA512: 90457e5728c9467dbe1e57112674d944c0fa0a77099fbd3dc487a949c74c154a9342231c999bf93bde33054801fbfccd1cb0bc81dd7a40012a67297d334e5f76
-
Filesize: 181KB
MD5: f6e8b3a854b72500091ea75e6fabfabc
SHA1: 8302691f421300d09ecaa527bb0eafe142efbb86
SHA256: 78f8dde46e879f7692af0d4ecef489e621fc0ed061baa6ad7d72f17863368087
SHA512: 900ef19d5db93afee5297b00dc230a9faf3c4bd3657f2ec39203422cd285799957cc86a63a348da59b0a99fb60e71395e8923a8d32b9ee60a7129c6017cdcd17
-
Filesize: 179KB
MD5: 7a1c100df8065815dc34c05abc0c13de
SHA1: 3c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256: e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512: bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize: 343KB
MD5: e1bfed7bf9459e0df6522b6b794ebea4
SHA1: 88da94524f008b3ba838dea3cffc63d472dfebec
SHA256: 4f3e5c1b593c01a0bb49159deb17fb82a883e55104f8f323cc29bea9e7163023
SHA512: ea181f4041e183b8c3ca6fdb5a554a75d611be2f723cde220ffb8913024da5bdb4ee08b8aeeb606c52223e4b6e384192067d7eebc78f745fc63cb9481e3951d5
-
Filesize: 4KB
MD5: 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1: eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256: 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512: 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize: 609KB
MD5: 7fc7feff419ae763ddee6799c273f627
SHA1: 95a73d59edd7bf46a188675c27dfc6706a978c8a
SHA256: d40e53e227fd65afd42c5178ea75737b6082763773a48fd4ce79a296c366a288
SHA512: f3514ceee0b72c00ebd13f28bb4db5e7db231153cb894cd04039857d30ff04ad6934c1ecc26c872af55951588b27f5a4e71139c479a659ea5516213ba0613f04
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Filesize: 1KB
MD5: 13a7fdad59a18467731ffd4f239243da
SHA1: 654ca1623613632cd90265d16ee06a5b9ac7e143
SHA256: ec17a221f0cce9c92441d57c92c77ea10296a2bbf7fd2947c63cb68f0fba3313
SHA512: fa8dedf0488eee2e66bee62ac437164042b9599484981342214f61840ba7abae860647318535f030fc7d26addf331bd32e58242e310bc6b87d44d3cdc959c1d7
-
Filesize: 23.0MB
MD5: 3e0320a94b4f74a63668d97cfd7e0d9e
SHA1: af2addefdd94b9d8a897f49a3e8fde4412dab8a4
SHA256: c6355a1d6f8e356d7fa7b3ab37ddc78de72afb958c0f6a0823484af037622f27
SHA512: a86315c2535a29f443bb221b8964eb7d434d7158d63416b2cf1aa27b8dff9cd9af41d6f7f770a407db33b60ef3ae815b6569bda53cbbe161eb4ee52589260d12
-
\??\Volume{68140b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{94122afc-cb8b-4c4f-a711-b17dfc493b96}_OnDiskSnapshotProp
Filesize: 5KB
MD5: 87894873cfb2547f49b164bd21cdb0d5
SHA1: 87bf65767346e751e4340e67dfadb1de0bda1740
SHA256: 0ad9ba3fdde605cc4bac9a64971b819e6d15e6cda4babdb3d4ad341a08fa2f04
SHA512: 7d68dc23accd37558ba3cf7753aa17d4f45d33a9a296811472170aa41f13c7f762fd54148709b5c99bacbc96b237cc4d7a95dea6c3eade8792de4ad2360a8dcb