7ff41b06ca3f24829baf4f67bc669be8421f70895dc1734b24948bd5f74beaf4

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
16/10/2023, 11:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a.msi
Size

632KB
MD5

31b8bb512a0f8c74461b4c6ae28cc5ef
SHA1

f36be96e0f28edfcc5a232e9c4dfcdad0e94c151
SHA256

7ff41b06ca3f24829baf4f67bc669be8421f70895dc1734b24948bd5f74beaf4
SHA512

e2e86f0985016c44e347990166d7038829cc4593289d0fe8db1402bd039433243229b1dd4639f5aa81106a0fa9e1944163d001e114b11ef156bde3917304392e
SSDEEP

12288:0s+WC8R/Mn4c6b3Diy95fP701DpHyNRAX7PaeAkCP437+8jOZy2KsGU6a4Ks:WWrBMnsO85fP701DhyHreAzgLhOE2Z39

Score

8^/10

bootkit discovery persistence

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 59 IoCs

pid	Process
4688	AteraAgent.exe
3808	AteraAgent.exe
4936	AgentPackageAgentInformation.exe
4996	AgentPackageAgentInformation.exe
4468	AgentPackageAgentInformation.exe
3736	AgentPackageHeartbeat.exe
5072	AgentPackageAgentInformation.exe
4940	AgentPackageUpgradeAgent.exe
4880	AgentPackageSTRemote.exe
960	AgentPackageRuntimeInstaller.exe
4676	AgentPackageMonitoring.exe
4128	AgentPackageInternalPoller.exe
452	AgentPackageMarketplace.exe
5064	AgentPackageUpgradeAgent.exe
4212	Agent.Package.Availability.exe
4600	AgentPackageADRemote.exe
632	AgentPackageTicketing.exe
3616	AgentPackageProgramManagement.exe
1632	AgentPackageOsUpdates.exe
5072	AgentPackageAgentInformation.exe
1612	SplashtopStreamer.exe
1956	PreVerCheck.exe
3912	6-0-13.exe
4376	6-0-13.exe
5020	dotnet-runtime-6.0.13-win-x64.exe
2280	_is10EE.exe
2148	_is10EE.exe
4596	_is10EE.exe
3904	_is10EE.exe
2504	_is10EE.exe
4768	_is10EE.exe
1196	_is10EE.exe
5144	_is10EE.exe
5176	_is10EE.exe
5208	_is10EE.exe
5136	AgentPackageHeartbeat.exe
5480	_is5981.exe
5432	_is5981.exe
5548	_is5981.exe
5760	_is5981.exe
5820	_is5981.exe
4128	_is5981.exe
5844	_is5981.exe
2444	_is5981.exe
4816	_is5981.exe
5940	_is5981.exe
2144	_isA149.exe
2352	_isA149.exe
5308	_isA149.exe
1444	_isA149.exe
2908	_isA149.exe
2860	_isA149.exe
2620	_isA149.exe
4588	_isA149.exe
5448	_isA149.exe
5468	_isA149.exe
5432	SetupUtil.exe
5716	SetupUtil.exe
5532	SetupUtil.exe

Loads dropped DLL 17 IoCs

pid	Process
1636	MsiExec.exe
4676	AgentPackageMonitoring.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
4376	6-0-13.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe
636	MsiExec.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment"	reg.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ac916c06-1c22-495e-ae7e-b4e24fbbed14} = "\"C:\\ProgramData\\Package Cache\\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\\dotnet-runtime-6.0.13-win-x64.exe\" /burn.runonce"	dotnet-runtime-6.0.13-win-x64.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	4444	msiexec.exe
7	4444	msiexec.exe
9	4444	msiexec.exe
108	636	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	AgentPackageMonitoring.exe

Drops file in System32 directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log	AgentPackageInternalPoller.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTicketing.exe.log	AgentPackageTicketing.exe
File created	C:\Windows\system32\SRCB00F.tmp	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log	AgentPackageADRemote.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log	AgentPackageMarketplace.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log	AgentPackageMonitoring.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log	AgentPackageHeartbeat.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log	AgentPackageProgramManagement.exe
File opened for modification	C:\Windows\system32\SRCredentialProvider.dll	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log	AgentPackageAgentInformation.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MsiExec.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log	AgentPackageUpgradeAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E	MsiExec.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log	AgentPackageAgentInformation.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.Serialization.Xml.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.FileSystem.Watcher.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVirtualUSB\SRUsb\x64\SRUsbVhciCtrl64.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libeay32.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe	AgentPackageRuntimeInstaller.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\install_driver64.bat	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.RegularExpressions.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\log.txt	AgentPackageInternalPoller.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.EventBasedAsync.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Overlapped.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch	AgentPackageAgentInformation.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Threading.Tasks.Parallel.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdbook.gpd	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\System.Diagnostics.EventLog.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_proxyumd32.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.cat	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.ini	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\reboot.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver64.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\utils\PrnPort.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminderNotification.exe.config	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebSockets.Client.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnames.gpd	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVideoCtrl.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\32bits\xdwmark.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.ReaderWriter.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.IsolatedStorage.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.InteropServices.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt	AgentPackageMonitoring.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl.ini	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\stprintmon.dll	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.cat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.Debug.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdwmark.dll	msiexec.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI4EA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID58.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e582cb8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EAD.tmp	msiexec.exe
File created	C:\Windows\Installer\e582cbb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI33FC.tmp	msiexec.exe
File created	C:\Windows\Installer\e582cb8.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{91854F72-27A1-40DA-A725-D3517E127C0D}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2E9D.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}	msiexec.exe
File created	C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\Installer\e582cbf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582cbb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B16.tmp	msiexec.exe
File created	C:\Windows\Installer\e582cba.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AA7.tmp	msiexec.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1784	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000235ed-2014.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000530b1468276ad9050000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000530b14680000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900530b1468000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d530b1468000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000530b146800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
5568	taskkill.exe
5640	taskkill.exe
5720	taskkill.exe
5844	taskkill.exe
5924	taskkill.exe
5312	taskkill.exe
5392	taskkill.exe
5476	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\WOW64 = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageRuntimeInstaller.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\VTHIDSKIPOEM = "1"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	SetupUtil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	6-0-13.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageMonitoring.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SplashtopStreamer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\ProductVersion = "3.5.8.0"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\UpgradeCode = "{001F085C-058A-480B-AD56-2940B857C38D}"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\TEMPFOLDER = "C:\\Windows\\TEMP\\"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SetupUtil.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\BASEDTYPE = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageHeartbeat.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageSTRemote.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AgentPackageProgramManagement.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	6-0-13.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	cscript.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Version = "17301504"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command	MsiExec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\ = "SRCredentialProvider"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Assignment = "1"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\Dependents\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}	dotnet-runtime-6.0.13-win-x64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\Dependents	dotnet-runtime-6.0.13-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27F458191A72AD047A523D15E721C7D0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\DefaultIcon	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\URL Protocol	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe -a %1"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\27F458191A72AD047A523D15E721C7D0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}	dotnet-runtime-6.0.13-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Version = "50659336"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\Version = "6.0.13.31930"	dotnet-runtime-6.0.13-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\Dependents\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}	dotnet-runtime-6.0.13-win-x64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net\1 = "C:\\Windows\\TEMP\\unpack\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\27F458191A72AD047A523D15E721C7D0\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\PackageCode = "4B43BFF14B20EEE4CA4A4249A1E8ED5E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\DefaultIcon\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRServer"	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\SourceList\PackageName = "a.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\ = "{ac916c06-1c22-495e-ae7e-b4e24fbbed14}"	dotnet-runtime-6.0.13-win-x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\Dependents	dotnet-runtime-6.0.13-win-x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\unpack\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\ = "URL:st-streamer Protocol"	MsiExec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductIcon = "C:\\Windows\\Installer\\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687\Server	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell	MsiExec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\27F458191A72AD047A523D15E721C7D0\PackageCode = "55F3BED93C9708C4CBCD8D5B5BD37078"	msiexec.exe

Runs .reg file with regedit 2 IoCs

pid	Process
4756	regedit.exe
5612	regedit.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
220	msiexec.exe
220	msiexec.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
632	AgentPackageTicketing.exe
632	AgentPackageTicketing.exe
5064	AgentPackageUpgradeAgent.exe
5064	AgentPackageUpgradeAgent.exe
4128	AgentPackageInternalPoller.exe
4128	AgentPackageInternalPoller.exe
4880	AgentPackageSTRemote.exe
4880	AgentPackageSTRemote.exe
632	AgentPackageTicketing.exe
4676	AgentPackageMonitoring.exe
4676	AgentPackageMonitoring.exe
960	AgentPackageRuntimeInstaller.exe
960	AgentPackageRuntimeInstaller.exe
3808	AteraAgent.exe
3808	AteraAgent.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5432	SetupUtil.exe
5716	SetupUtil.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4444	msiexec.exe
Token: SeSecurityPrivilege	220	msiexec.exe
Token: SeCreateTokenPrivilege	4444	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4444	msiexec.exe
Token: SeLockMemoryPrivilege	4444	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4444	msiexec.exe
Token: SeMachineAccountPrivilege	4444	msiexec.exe
Token: SeTcbPrivilege	4444	msiexec.exe
Token: SeSecurityPrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeLoadDriverPrivilege	4444	msiexec.exe
Token: SeSystemProfilePrivilege	4444	msiexec.exe
Token: SeSystemtimePrivilege	4444	msiexec.exe
Token: SeProfSingleProcessPrivilege	4444	msiexec.exe
Token: SeIncBasePriorityPrivilege	4444	msiexec.exe
Token: SeCreatePagefilePrivilege	4444	msiexec.exe
Token: SeCreatePermanentPrivilege	4444	msiexec.exe
Token: SeBackupPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeShutdownPrivilege	4444	msiexec.exe
Token: SeDebugPrivilege	4444	msiexec.exe
Token: SeAuditPrivilege	4444	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4444	msiexec.exe
Token: SeChangeNotifyPrivilege	4444	msiexec.exe
Token: SeRemoteShutdownPrivilege	4444	msiexec.exe
Token: SeUndockPrivilege	4444	msiexec.exe
Token: SeSyncAgentPrivilege	4444	msiexec.exe
Token: SeEnableDelegationPrivilege	4444	msiexec.exe
Token: SeManageVolumePrivilege	4444	msiexec.exe
Token: SeImpersonatePrivilege	4444	msiexec.exe
Token: SeCreateGlobalPrivilege	4444	msiexec.exe
Token: SeBackupPrivilege	4160	vssvc.exe
Token: SeRestorePrivilege	4160	vssvc.exe
Token: SeAuditPrivilege	4160	vssvc.exe
Token: SeBackupPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe
Token: SeTakeOwnershipPrivilege	220	msiexec.exe
Token: SeRestorePrivilege	220	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4444	msiexec.exe
4444	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1612	SplashtopStreamer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 220 wrote to memory of 1532	220	msiexec.exe	96
PID 220 wrote to memory of 1532	220	msiexec.exe	96
PID 220 wrote to memory of 1636	220	msiexec.exe	98
PID 220 wrote to memory of 1636	220	msiexec.exe	98
PID 220 wrote to memory of 1636	220	msiexec.exe	98
PID 220 wrote to memory of 4688	220	msiexec.exe	99
PID 220 wrote to memory of 4688	220	msiexec.exe	99
PID 3808 wrote to memory of 1784	3808	AteraAgent.exe	101
PID 3808 wrote to memory of 1784	3808	AteraAgent.exe	101
PID 3808 wrote to memory of 4936	3808	AteraAgent.exe	103
PID 3808 wrote to memory of 4936	3808	AteraAgent.exe	103
PID 3808 wrote to memory of 4996	3808	AteraAgent.exe	105
PID 3808 wrote to memory of 4996	3808	AteraAgent.exe	105
PID 3808 wrote to memory of 4468	3808	AteraAgent.exe	107
PID 3808 wrote to memory of 4468	3808	AteraAgent.exe	107
PID 3808 wrote to memory of 3736	3808	AteraAgent.exe	109
PID 3808 wrote to memory of 3736	3808	AteraAgent.exe	109
PID 3808 wrote to memory of 5072	3808	AteraAgent.exe	141
PID 3808 wrote to memory of 5072	3808	AteraAgent.exe	141
PID 3808 wrote to memory of 4940	3808	AteraAgent.exe	113
PID 3808 wrote to memory of 4940	3808	AteraAgent.exe	113
PID 3808 wrote to memory of 4880	3808	AteraAgent.exe	115
PID 3808 wrote to memory of 4880	3808	AteraAgent.exe	115
PID 3808 wrote to memory of 960	3808	AteraAgent.exe	118
PID 3808 wrote to memory of 960	3808	AteraAgent.exe	118
PID 3808 wrote to memory of 4676	3808	AteraAgent.exe	124
PID 3808 wrote to memory of 4676	3808	AteraAgent.exe	124
PID 3808 wrote to memory of 4128	3808	AteraAgent.exe	123
PID 3808 wrote to memory of 4128	3808	AteraAgent.exe	123
PID 3808 wrote to memory of 452	3808	AteraAgent.exe	119
PID 3808 wrote to memory of 452	3808	AteraAgent.exe	119
PID 4940 wrote to memory of 5064	4940	AgentPackageUpgradeAgent.exe	136
PID 4940 wrote to memory of 5064	4940	AgentPackageUpgradeAgent.exe	136
PID 3808 wrote to memory of 4600	3808	AteraAgent.exe	135
PID 3808 wrote to memory of 4600	3808	AteraAgent.exe	135
PID 3808 wrote to memory of 4212	3808	AteraAgent.exe	133
PID 3808 wrote to memory of 4212	3808	AteraAgent.exe	133
PID 3808 wrote to memory of 632	3808	AteraAgent.exe	125
PID 3808 wrote to memory of 632	3808	AteraAgent.exe	125
PID 3808 wrote to memory of 3616	3808	AteraAgent.exe	126
PID 3808 wrote to memory of 3616	3808	AteraAgent.exe	126
PID 3808 wrote to memory of 1632	3808	AteraAgent.exe	128
PID 3808 wrote to memory of 1632	3808	AteraAgent.exe	128
PID 960 wrote to memory of 3452	960	AgentPackageRuntimeInstaller.exe	137
PID 960 wrote to memory of 3452	960	AgentPackageRuntimeInstaller.exe	137
PID 4468 wrote to memory of 4480	4468	AgentPackageAgentInformation.exe	139
PID 4468 wrote to memory of 4480	4468	AgentPackageAgentInformation.exe	139
PID 4480 wrote to memory of 2432	4480	cmd.exe	142
PID 4480 wrote to memory of 2432	4480	cmd.exe	142
PID 3808 wrote to memory of 5072	3808	AteraAgent.exe	141
PID 3808 wrote to memory of 5072	3808	AteraAgent.exe	141
PID 4880 wrote to memory of 1612	4880	AgentPackageSTRemote.exe	145
PID 4880 wrote to memory of 1612	4880	AgentPackageSTRemote.exe	145
PID 4880 wrote to memory of 1612	4880	AgentPackageSTRemote.exe	145
PID 1612 wrote to memory of 1956	1612	SplashtopStreamer.exe	146
PID 1612 wrote to memory of 1956	1612	SplashtopStreamer.exe	146
PID 1612 wrote to memory of 1956	1612	SplashtopStreamer.exe	146
PID 1956 wrote to memory of 2724	1956	PreVerCheck.exe	147
PID 1956 wrote to memory of 2724	1956	PreVerCheck.exe	147
PID 1956 wrote to memory of 2724	1956	PreVerCheck.exe	147
PID 220 wrote to memory of 636	220	msiexec.exe	148
PID 220 wrote to memory of 636	220	msiexec.exe	148
PID 220 wrote to memory of 636	220	msiexec.exe	148
PID 960 wrote to memory of 3912	960	AgentPackageRuntimeInstaller.exe	150

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\a.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4444

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:220
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1532
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C50CD3FB286C166CBEE5901017650F20
  2⤵
  - Loads dropped DLL
  PID:1636
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="0013z00002jA9QEAA0"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:4688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 923624AB4E0898A9D73E519C636C2FCF E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  PID:636
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F4FB2CF-2BE0-4B64-9BB6-350F5A4369A6}
    3⤵
    - Executes dropped EXE
    PID:2280
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F94D76A4-AB48-4DF1-B619-BBCF82861648}
    3⤵
    - Executes dropped EXE
    PID:2148
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6D41DE45-8C7C-45B3-9118-4E4E4154FDCD}
    3⤵
    - Executes dropped EXE
    PID:4596
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DDBDD05C-1980-4654-A50F-3D78DEC227B0}
    3⤵
    - Executes dropped EXE
    PID:3904
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C929939-84ED-438F-9DB4-01417DC87D49}
    3⤵
    - Executes dropped EXE
    PID:2504
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{565F9E93-9FDE-4ECD-9F96-94F9629A5804}
    3⤵
    - Executes dropped EXE
    PID:4768
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{448398D6-BC45-4B47-943C-BDE48CCFB99A}
    3⤵
    - Executes dropped EXE
    PID:1196
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5171AADE-30F9-4421-95B3-A54E1C8CCE69}
    3⤵
    - Executes dropped EXE
    PID:5144
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CEBCF4AD-46BC-408D-B264-2ED1984DF126}
    3⤵
    - Executes dropped EXE
    PID:5176
- - C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe
    C:\Windows\TEMP\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_is10EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{20085FB9-7F7A-458F-8FCF-427092B59992}
    3⤵
    - Executes dropped EXE
    PID:5208
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
    3⤵
    PID:5268
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRServer.exe /T
      4⤵
      Kills process with taskkill
      PID:5312
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
    3⤵
    PID:5348
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRApp.exe /T
      4⤵
      Kills process with taskkill
      PID:5392
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
    3⤵
    PID:5424
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAppPB.exe /T
      4⤵
      Kills process with taskkill
      PID:5476
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
    3⤵
    PID:5524
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRFeature.exe /T
      4⤵
      Kills process with taskkill
      PID:5568
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
    3⤵
    PID:5596
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRFeatMini.exe /T
      4⤵
      Kills process with taskkill
      PID:5640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
    3⤵
    PID:5676
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRManager.exe /T
      4⤵
      Kills process with taskkill
      PID:5720
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
    3⤵
    PID:5748
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAgent.exe /T
      4⤵
      Kills process with taskkill
      PID:5844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
    3⤵
    PID:5880
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRChat.exe /T
      4⤵
      Kills process with taskkill
      PID:5924
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C477D09-F128-4177-8380-E33982F241D5}
    3⤵
    - Executes dropped EXE
    PID:5480
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A598B5BB-A0A7-4FAF-9A49-FA01115D7F7F}
    3⤵
    - Executes dropped EXE
    PID:5432
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{253B8DDF-DC8A-42BF-B570-59F41567B099}
    3⤵
    - Executes dropped EXE
    PID:5548
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA28C7CA-AD22-41A8-856E-B24F54E5DA91}
    3⤵
    - Executes dropped EXE
    PID:5760
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{329B3917-26E4-40E4-B937-2E882B32A6BD}
    3⤵
    - Executes dropped EXE
    PID:5820
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1D98A3DE-203D-40FD-918F-C24C77F0BF98}
    3⤵
    - Executes dropped EXE
    PID:4128
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{38BAB03F-2BA9-498D-9BC4-FE91A5C6DF55}
    3⤵
    - Executes dropped EXE
    PID:5844
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E6ED6DA-3DF0-49AA-81D5-562C0A4774D3}
    3⤵
    - Executes dropped EXE
    PID:2444
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{55E44906-AD9D-424C-A851-1D6F812D52DE}
    3⤵
    - Executes dropped EXE
    PID:4816
- - C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe
    C:\Windows\TEMP\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B88A967B-E439-4DD4-98FD-6150C5870962}
    3⤵
    - Executes dropped EXE
    PID:5940
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{533A8BE3-D6DE-4DBA-AB8F-5E396D6897B2}
    3⤵
    - Executes dropped EXE
    PID:2144
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4571F349-99C7-4686-8652-3941411ADED9}
    3⤵
    - Executes dropped EXE
    PID:2352
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DED6EDE2-F1C7-4926-8DEC-187423302895}
    3⤵
    - Executes dropped EXE
    PID:5308
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{020C93D4-C3E6-4DCE-8A31-23C0A2888655}
    3⤵
    - Executes dropped EXE
    PID:1444
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60D21649-26AE-489E-866C-FA7F70290252}
    3⤵
    - Executes dropped EXE
    PID:2908
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{69214821-EA14-4328-820F-EAADE61E0C70}
    3⤵
    - Executes dropped EXE
    PID:2860
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30AB049C-B5B1-48AC-8B61-076EEDCB90E6}
    3⤵
    - Executes dropped EXE
    PID:2620
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D8C666B0-43F2-48C7-847F-97A63A4BC82F}
    3⤵
    - Executes dropped EXE
    PID:4588
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C466125B-39F3-46B3-B50F-A99C307E7FFA}
    3⤵
    - Executes dropped EXE
    PID:5448
- - C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe
    C:\Windows\TEMP\{05998312-CD8D-4531-8B7C-B2C58FD52FBD}\_isA149.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C663545-68A8-4167-BEA9-5BCB8F11FFAB}
    3⤵
    - Executes dropped EXE
    PID:5468
- - C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe
    C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5432
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s "C:\Windows\TEMP\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\InstRegExp.reg"
    3⤵
    - Runs .reg file with regedit
    PID:4756
- - C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe
    C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe /P USERSESSIONID
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5716
- - C:\Windows\SysWOW64\regedit.exe
    regedit.exe /s "C:\Windows\TEMP\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\InstRegExp.reg"
    3⤵
    - Runs .reg file with regedit
    PID:5612
- - C:\Windows\SysWOW64\reg.exe
    reg.exe import "C:\Windows\TEMP\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\CredProvider_Inst.reg" /reg:64
    3⤵
    - Registers COM server for autorun
    - Modifies registry class
    PID:5712
- - C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe
    C:\Windows\Temp\{0439D0DF-B013-4DEB-A6CD-A31E0B63C0F7}\SetupUtil.exe /P ST_EVENT
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:5532
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
      4⤵
      PID:4328
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
      4⤵
      PID:260

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4160

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:1784
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "0c0d7ffc-31ef-4fc8-a3de-97a0f821407c" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4936
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "8f905f9b-8be0-46d2-a9d5-fbc548a20dbd" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  - Executes dropped EXE
  PID:4996
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "6a5ba775-128a-47da-89d9-eb54760fcd4c" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\system32\cscript.exe
      cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
      4⤵
      Modifies data under HKEY_USERS
      PID:2432
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "18acc69b-831b-43da-a614-2532b9b928bd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3736
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "26bd1bdd-7735-4d97-8f45-8b0037de183f" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"
  2⤵
  PID:5072
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "f7076d17-b8e3-4856-9493-83ea3c88d1ea" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
    "C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "087fc8b7-72eb-4445-b9c8-dd13004a07f7" "f7076d17-b8e3-4856-9493-83ea3c88d1ea" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5064
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "2df1a8dd-a32d-4b8e-8ed4-f7518893a4ae" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4880
- - C:\Windows\TEMP\SplashtopStreamer.exe
    "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\Temp\unpack\PreVerCheck.exe
      "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
        5⤵
        
        PID:2724
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "50f522a1-82a8-422f-b1eb-3d8c382472ad" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjEzIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2FhM2IzMTUwLTgwY2ItNGQzMC04N2Y4LWRjMzZmYTFkY2YyNi84ZWM5ZmY2ODM2ODI4MTc1ZjFhNmE2MGFlZmQ0ZTYzYi9kb3RuZXQtcnVudGltZS02LjAuMTMtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yZWYxMjM1Ny00OTliLTRhNWItYTQ4OC1kYTQ1YTVmMzEwZTYvZmJlMzVjMzU0YmZiNTA5MzRhOTc2ZmM5MWM2ZDhkODEvZG90bmV0LXJ1bnRpbWUtNi4wLjEzLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzVmZTE3M2VhLTRjNTgtNGE4ZC1iOGU1LTVjN2VhN2M1OTAxMS9hMTkzNmUxMjM5ZTU5ZGM0ZGY1OGExYmMzZGI1MjdjMy9kb3RuZXQtcnVudGltZS02LjAuMTMtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80MzZiY2U2YS1mM2U3LTQ0OGUtOTI3OS1kNThmMWUzOWFiOGEvOWY1YzdlZDM3NzI5NGNjOGUwMjhlOTAwNTQwNjMyZDUvZG90bmV0LXJ1bnRpbWUtNi4wLjEzLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzVmMDk1Y2JiLWFmNmMtNGQyMC05MDlkLTg3ZGI1Mzg3OTM3MC9kNGM2ZjM4MGE5YTY4ZmM4NTNiZDg5MTE4OWYzYzk3NS9kb3RuZXQtcnVudGltZS02LjAuMTMtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlM1WTRyU0syVmtpbWcyd01pSEVGZUI2N2U5YTBIZG9ocE13TkZ1TEVJTGpXaVNQVnpYXHUwMDJCSjNPUFJ5aUVZQmlmdkZcdTAwMkI0bnN4aTVcdTAwMkJzSG4wMGN0cU13UTZBPT0iLCJNYWNYNjRDaGVja3N1bSI6IjRqSVl1dGhzTDU4dnV0cWlkZHNGMk1pQ3NcdTAwMkJBRTBUN2FWMVgwXHUwMDJCMk1FWFNSQ0xXdGdqM0x0MklldmVxZ2l1UUVsU2VxNVF1TGJybkRjSHBRbEVpd0N3QT09IiwiV2luQVJNQ2hlY2tzdW0iOiJkLzBlWkR4L0VTSE92dUM1RURKdU4yOTFqckllYnVKTXdjdUxsV2RLOGp0Ym1kbVNYUGNhVzBpOFx1MDAyQk9kdGJwcC9SaG9TMXk3SC9mOVlTTWd6aFVPY3NBPT0iLCJXaW5YNjRDaGVja3N1bSI6InNQdmlCM3VQQVpXRG53YVZoM3YwVEpjYWRUMmNLa0d0MXVNQUM5YzBwTXNNYnduZ01IUkN3ZmxjZTlxUWNjSzJNXHUwMDJCb1BSM2t6NVpNZmh1MlA1SmdvVWc9PSIsIldpblg4NkNoZWNrc3VtIjoicTE2UjdyUzZpcjR3RW1YMTZIQVJhUThtWDByNDNhek9IODZKOXpISkNpVzlmWklhS2VYL1hvbUJrQ2xocXZxSzhIeDVuNTA2R0k4MTBPakRmbG50Y3c9PSIsIldvcmtzcGFjZUlkIjoiYmYwY2U0OWQtNzdjZi00NzIxLWJmNzAtNTc2ODYzODNjOWFiIiwiTG9nTmFtZSI6IkRvdE5ldFJ1bnRpbWVJbnN0YWxsYXRpb25SZXBvcnQiLCJTaGFyZWRLZXkiOiJqVUlTL1Q5Q1JWRGVLeFlnNFVyM2FDaGhXUXVjWTdQVnZ3ZzB6SHVxSnNjclRqalEyTHdLNlVqZnU3Y0EyTnByQVIwci9TUkFYSllZbGRQS0tGeUtLUT09In0="
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:960
- - C:\Windows\SYSTEM32\cmd.exe
    "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
    3⤵
    PID:3452
- - C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" /repair /quiet /norestart
    3⤵
    - Executes dropped EXE
    PID:3912
  - - C:\Windows\Temp\{95467D01-FC3D-4780-BCAE-C831EA11180B}\.cr\6-0-13.exe
      "C:\Windows\Temp\{95467D01-FC3D-4780-BCAE-C831EA11180B}\.cr\6-0-13.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /repair /quiet /norestart
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies data under HKEY_USERS
      PID:4376
    - - C:\Windows\Temp\{C9251022-5ED0-4E52-BEA7-0CA4749D2419}\.be\dotnet-runtime-6.0.13-win-x64.exe
        
        "C:\Windows\Temp\{C9251022-5ED0-4E52-BEA7-0CA4749D2419}\.be\dotnet-runtime-6.0.13-win-x64.exe" -q -burn.elevated BurnPipe.{A1463483-32B9-48D6-A8C4-AA7488730347} {5D5FDEE1-5A92-42D5-95C1-91F157896C33} 4376
        5⤵
        Executes dropped EXE
        Adds Run key to start application
        Modifies registry class
        
        PID:5020
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "ade75f9b-ba17-4d51-b79a-4f1328add6ab" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:452
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "4beff8be-65d2-47ae-af88-cc39d582b396" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:4128
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "a18df1b3-de06-4525-b587-d89431e2439b" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:4676
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "b3523f55-bddd-4c58-b335-d9257abf9733" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:632
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "4794a633-0c54-4510-b98b-84a47651cb43" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  PID:3616
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "471f68b9-ea6a-4900-98a5-9a5385f6378b" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"
  2⤵
  - Executes dropped EXE
  PID:1632
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "f46cafb8-7453-49c3-803b-36b6b9025bdf" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
  2⤵
  - Executes dropped EXE
  PID:4212
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "e567fb2f-a610-4a2f-b963-0f17c51d7153" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:4600
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "0754e610-4ac8-4ad4-b14a-6abd0b4c0eac" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:5072
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 087fc8b7-72eb-4445-b9c8-dd13004a07f7 "18acc69b-831b-43da-a614-2532b9b928bd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
  2⤵
  - Executes dropped EXE
  PID:5136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582cb9.rbs

Filesize
8KB

MD5
774016aa7437ad38ece0b32396b73960

SHA1
669833535b35a8fe3843b3e859d4154e347f10f9

SHA256
720cdf5c8d13adbdfb6059007eeb2fc793cca36aecdb5a0a45a9c6a283d8d99b

SHA512
c473fc8d367802f787d330fe4c805e981b4761a82e3ad927b956c3527fd27ad1441ad3338b011f590fcdd9df90b4ffc0b48ee438fb6ad55fe47a53c1540f514a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Filesize
305B

MD5
27c1adfa459a0d4c1a3ee1e4e92f8e0e

SHA1
e21b1152b78827c8e59d84c541c190c099297632

SHA256
8e88d3edb3da0f6dfe4dc7716ab64256fab189429a6690b129d6789f7eeca49b

SHA512
f8f66043ad65be01a11e130ccedd14a1e638950bb95999e650f62362c05e81d413d330e87cc5fdade02776fc742ebf96331a3752ab80eda9931041089563ae36

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

Filesize
753B

MD5
8298451e4dee214334dd2e22b8996bdc

SHA1
bc429029cc6b42c59c417773ea5df8ae54dbb971

SHA256
6fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25

SHA512
cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
111KB

MD5
babf570ff85fdb7339eeadfa377292bc

SHA1
86e7ae00563499b60a8b2943c409fd54b723519d

SHA256
bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4

SHA512
f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
111KB

MD5
babf570ff85fdb7339eeadfa377292bc

SHA1
86e7ae00563499b60a8b2943c409fd54b723519d

SHA256
bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4

SHA512
f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
111KB

MD5
babf570ff85fdb7339eeadfa377292bc

SHA1
86e7ae00563499b60a8b2943c409fd54b723519d

SHA256
bac5b19539d966ff008c291a1b9c7180cc543c86d46aee6b0de4509b2e5bd0b4

SHA512
f1b8e16a48a673f2a65468dced4b53ff59b4166ef4465d8fd9daa8e68412831cf808406ae86d75322d269e20b52cf36b2984803e3ffa92073b80dc3ba25ec9bd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
2KB

MD5
7ff0ac77806aed9588b143cd0fab552b

SHA1
184b62f2956b95ffe3dc98ebb31d7f45dbca83fd

SHA256
730d85d5ef4f0939154278949c126a444ed859e7718bb175ca3153ca6ed9d142

SHA512
1856bda8cc3d4161110cd75a7be4939193ed408a95f9c41e22f4cc9f85b1294584f95796bce207dd65d606ffb57760b3d2e1681efbbb7759a19a9f70fb7edac8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

Filesize
464KB

MD5
83222120c8095b8623fe827fb70faf6b

SHA1
9294136b07c36fab5523ef345fe05f03ea516b15

SHA256
eff79de319ca8941a2e62fb573230d82b79b80958e5a26ab1a4e87193eb13503

SHA512
3077e4ea7ebfd4d25b60b9727fbab183827aad5ba914e8cd3d9557fa3913fd82efe2cd20b1a193d8c7e1b81ee44f04dadfcb8f18507977c78dd5c8b071f8addb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe

Filesize
154KB

MD5
e3ca6ba742fba06522ab0fe063c620de

SHA1
58f1e87ae1ac14cf043c1af4c21d00e4197c712b

SHA256
f03771bab23cb012beb6bce3618a45fa6d06e3783a67f5f78bf0d9f41a198079

SHA512
2de5d08a4a33c03f828244705e4dd25a39d7d56a82c5fb1e5512d10d133d30a6cfeb2dde182f13288e5e0bcab181d9b4636d65db2cf1cc54c834080af0348bcc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

Filesize
46KB

MD5
1b692438393f8223bf90256abb3587d0

SHA1
5fd99d9db4757224da3fb8a8cac9d1f1632c47a8

SHA256
8296ecf5e781a1b6889ee7f278a31acdb70897f2d862a7b53e58a4edb34d71a6

SHA512
6d98fc4da030b884bf3b7fed9d7e026f8210b38cc1e4f96d36bd85067de6dd9286f0e8ac3715a187b595a8f7ae709fc19daa572ff83bc26802287292f8503bd7

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI

Filesize
12B

MD5
d8f9f68980c4da708195fa812519ad2f

SHA1
8f0066a77634e4108c20e226a5c6ba712e5a7fed

SHA256
dd8a6863451545d7ed0bab6e0e279968b2c0541c20b0a4ce7ab3054f03c54cf6

SHA512
7d3d15d3885ab1058efed06cb05dc8e713e71a3b70f3fb380657e802c362f222f23c44dc36af14089cf2c8a323a3ac07a172c1d8bb72de80eab78a66ef71e068

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
161KB

MD5
cdd68c74f07104e58c977bf652d0f26c

SHA1
af9da361479c19f9f943bf786f945f386f770032

SHA256
0a1e649d900d89ca206b946b28d111d0abb3db3e2f17c1913d5918fa21ebd7f7

SHA512
2d135a12f8325e1db334172c4c6e8f05d9a03b94a2eee72f8ee09dabd07a9c7eb173de176725be2ba0beac52b5895d7901a38649d92da3edc82a7da4430d79c9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

Filesize
546B

MD5
158fb7d9323c6ce69d4fce11486a40a1

SHA1
29ab26f5728f6ba6f0e5636bf47149bd9851f532

SHA256
5e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21

SHA512
7eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
aa3bcb58a6c8dd0839e6b803ba1087b9

SHA1
0198a9c644d74712c34a3a67f460a02d77005321

SHA256
8dca6c1eb1557365e065931c992de88b075b4931fa574e8f1db5805e3a03388b

SHA512
620adc1a4cf614664975a8d778efd7cabdb1feb0df0074be8c182888f12d61918c8e7521735a624a5aec97f02ec973125cd5de7e03a02e15c8b87884ba4a70a1

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

Filesize
687KB

MD5
0e7f80a7f2777f811f5bf04633ca1fd1

SHA1
8d767ef46f230a99a4d59c943eb88b5b02d4cf43

SHA256
f8054be7979b255589590fa0497e242b6294752a85795c8ee775835ef22f7a18

SHA512
d19d50879cfaa0a524be1359372014f67e4f1670e9443f393082fa5fc9c0a20d4d85d812641813b621ac3489ea07a86faf0d7e317e2cbd0fb42ddebc568a9e9e

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.INI

Filesize
13B

MD5
628ca66025f77286df96177c3ebb8138

SHA1
14dba90e4c2f9b8fa7b13e9af01c5d2b6a6af6d6

SHA256
d7630e927dbb907ee379a95be9ed1cbb2a0a87fc9aed83ed6dae8340bfcf1b09

SHA512
231d3244cabcbbc811f9bc06a89517083a58ed6748a4bc6e0c1676054cd22d7cab7bc21af5a221e47fa096a5129ea908c9d09ef4b98baeec2ce78b78ebb26dc4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

Filesize
25KB

MD5
fd9e8a53114dba71999e09386fb6ff83

SHA1
8b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679

SHA256
4a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe

SHA512
4412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

Filesize
25KB

MD5
fd9e8a53114dba71999e09386fb6ff83

SHA1
8b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679

SHA256
4a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe

SHA512
4412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

Filesize
25KB

MD5
fd9e8a53114dba71999e09386fb6ff83

SHA1
8b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679

SHA256
4a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe

SHA512
4412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config

Filesize
187B

MD5
3f9b7c50015ca8be5ec84127bb37e2cb

SHA1
07fa0b2f00ba82a440bfeacafd8b0b8d1b3e4ee7

SHA256
c66e1ba36e874342cd570cf5bdd3d8b73864a4c9e9d802398be7f46fe39a8532

SHA512
db5713dda4ecac0a1201add7d5d1a55bdbfc9e373b2277661869f7de9e8ba593f44bdafa6c8dbeba09df158b2dfdd1875c26c047f50597185f1f2f5612fc87b9

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll

Filesize
81KB

MD5
ea658407265ab5ce2a1794ab9ab3339c

SHA1
1bda2624f029a30e3b89e2aeccdd32b09bb031fb

SHA256
735d255f396448ef6bc30d3b38dfda4487f4832bcc6dadeec2737fdfaa938548

SHA512
7027638a120c35f8df29e24d0e061d2657d2fac37a83150cfe14a65bc91960da0c674c442fe97cc5175eb52248bef4b4f5abb78639a7dd659ceecb02e3a14280

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Newtonsoft.Json.dll

Filesize
522KB

MD5
50bdc0231af5435fa5ad29927d7273d6

SHA1
6b9ba2ff309b30f5b3318ab0d31270ce70b94307

SHA256
5059afd9cfc492a74e230949ebb528572d228d29da767227bbea75716907ad75

SHA512
15719741cf26f5057251b8507af83dd5a8355b8cc142b6e0c85c4c0ca98e6e2ce5cbb955dfebd88ff5ca4b78471983feef66f7513d7bdd43468f47b55bc7ea4b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

Filesize
212KB

MD5
e984f3c76408989e897cd4068ed5b7d1

SHA1
4318e3da5a0b29afd848f51223612720844475e9

SHA256
934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17

SHA512
811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

Filesize
212KB

MD5
e984f3c76408989e897cd4068ed5b7d1

SHA1
4318e3da5a0b29afd848f51223612720844475e9

SHA256
934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17

SHA512
811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

Filesize
212KB

MD5
e984f3c76408989e897cd4068ed5b7d1

SHA1
4318e3da5a0b29afd848f51223612720844475e9

SHA256
934c361171019fa200b2687de918dc842eb4967f76a5055e17352158f0d6ce17

SHA512
811b51b2deb2b5ce8fb8e49cc82e3625c6508c94773273e27b5385e86ec5317fad1f42bb1753c104d125ed647461e9d9902d5648ed64e4199f1c3839b6117ddd

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

Filesize
31KB

MD5
5c33b399551c1ff47d5486c6556121bb

SHA1
74d49780496b0ed524442aa95f6eb69bc83ded18

SHA256
aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9

SHA512
6f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

Filesize
31KB

MD5
5c33b399551c1ff47d5486c6556121bb

SHA1
74d49780496b0ed524442aa95f6eb69bc83ded18

SHA256
aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9

SHA512
6f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

Filesize
31KB

MD5
5c33b399551c1ff47d5486c6556121bb

SHA1
74d49780496b0ed524442aa95f6eb69bc83ded18

SHA256
aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9

SHA512
6f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Filesize
398KB

MD5
da72538d4032c18b769f30acb967703f

SHA1
f5b8d6268ed5fba17cf95f5f5996cb816e4359ef

SHA256
b18dbade3e75459c976af16eaeca5be161758b3a6098169faa66037e608474da

SHA512
1068a8f1ab937e130f20d43db4cbc9ae050306405aec696dd03bb688a3d9717e0006e0e7632c77cad1782969bfa10478a0b49a47e0115d2c72abd7621b110d09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Filesize
398KB

MD5
da72538d4032c18b769f30acb967703f

SHA1
f5b8d6268ed5fba17cf95f5f5996cb816e4359ef

SHA256
b18dbade3e75459c976af16eaeca5be161758b3a6098169faa66037e608474da

SHA512
1068a8f1ab937e130f20d43db4cbc9ae050306405aec696dd03bb688a3d9717e0006e0e7632c77cad1782969bfa10478a0b49a47e0115d2c72abd7621b110d09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Filesize
398KB

MD5
da72538d4032c18b769f30acb967703f

SHA1
f5b8d6268ed5fba17cf95f5f5996cb816e4359ef

SHA256
b18dbade3e75459c976af16eaeca5be161758b3a6098169faa66037e608474da

SHA512
1068a8f1ab937e130f20d43db4cbc9ae050306405aec696dd03bb688a3d9717e0006e0e7632c77cad1782969bfa10478a0b49a47e0115d2c72abd7621b110d09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config

Filesize
1KB

MD5
c6ecf24757926eba64e674bff8b747d1

SHA1
3a46083826c20e8e085c42bbfdfeef4f9e2b90d9

SHA256
c3ec04142c15b0a237e72ce1c3c85d19cd1231b9824f7a9854e7909a74b7becc

SHA512
efabb9883adb098a90115e8938c92b76bbb8d2eb5de170ecfa205ee949a2d722e0f97f6e01f9a71ac8b5fa2108b9ff82fa0171759d50e30d0ab5fc1948bdce15

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data.db

Filesize
40KB

MD5
7d3cce897912ccc212ec69f2a27a8b51

SHA1
d839c93c987200e0ce6e2f0a80486ddb9827d6d9

SHA256
e1b01c05579da3e0c6af5a589571cd80185705b63544bbfc7186553cecc15607

SHA512
c95c34814c0c06a58f7521f1397b753279152002374e0eb42cb84a2746db0f05c5ac6e120be976fdb6bd60f93db14223fb7810767a1ae91c830147bb4b7818e7

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

Filesize
188KB

MD5
7122a8acddee274f03e8eff915953eae

SHA1
5be51b43c1e59459707486e4eac0668acd603420

SHA256
d534b2ad9791b4ba80141398e7aa4d0e85c4f7fa72c580ab46f096985403ddaf

SHA512
b2ab136f1cded923c70019febe1ef37386e2bbaf175d6138589375dffea11f96391e1127970ed37be83376e4936c45b66a3cfc08be5b0d704c5078c88e241bbe

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

Filesize
47KB

MD5
bd468d5f91fe98ce84710a0750676064

SHA1
e213c1ee6041f6523727b3ad2449aac603f65595

SHA256
8f1069fd3fcbe1f9abcac5667a0d2099ec79a7a611ac74e09d687aecb18e07b5

SHA512
cd6c484d71d3f6f4a92ca85d4c26ed71f861d26fd3b5bd700e596833f80705ffde03d4d9b247634ebfd56d4ccc84f374c9ff4ae2beaa216642f15e1a702b9e63

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.INI

Filesize
11B

MD5
7c6c7401d4eec2934ebfb15e3e9626d1

SHA1
c2433b8fcb4a78b23ba60c3ed3f8357140f1e868

SHA256
3e0837d0c4afb315be2d0ce8748eb67de92e1ff0c16a7fee89fd252639343c16

SHA512
626427a56563093f19e1271a173ead38e3d02c77d6565b7b2a300f247f3b91d002b4379e719de1044dd0e0669cee94962f4449e7eb77b9e52bd6812b1a852cbc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

Filesize
53KB

MD5
b7aca4b1a547ca9ba8931fb2f3a8ffe4

SHA1
ade0df9aa1b3419b1f5dca663a5ba86221fca0b9

SHA256
bec6398691bd7290f2b504fffe3271275816af6cb4a481dcecb8325f497a4d80

SHA512
7344734e229ab95bd5764523ab8db72760f71c50e947547daa4dc5668a97f257022f8f864fda38e26f922df3ef16856979bab3785164dc4a3a661e25a2706735

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

Filesize
53KB

MD5
b7aca4b1a547ca9ba8931fb2f3a8ffe4

SHA1
ade0df9aa1b3419b1f5dca663a5ba86221fca0b9

SHA256
bec6398691bd7290f2b504fffe3271275816af6cb4a481dcecb8325f497a4d80

SHA512
7344734e229ab95bd5764523ab8db72760f71c50e947547daa4dc5668a97f257022f8f864fda38e26f922df3ef16856979bab3785164dc4a3a661e25a2706735

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

Filesize
53KB

MD5
b7aca4b1a547ca9ba8931fb2f3a8ffe4

SHA1
ade0df9aa1b3419b1f5dca663a5ba86221fca0b9

SHA256
bec6398691bd7290f2b504fffe3271275816af6cb4a481dcecb8325f497a4d80

SHA512
7344734e229ab95bd5764523ab8db72760f71c50e947547daa4dc5668a97f257022f8f864fda38e26f922df3ef16856979bab3785164dc4a3a661e25a2706735

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe.config

Filesize
1KB

MD5
0b17b3be9b3a6f6879998d280941de55

SHA1
ede825b51ee11af7c9221dce596bb969cd068529

SHA256
1d69336e421c535cecf2e0326be39b44eec8ea39754ac8e855d8e0368e0f4619

SHA512
06d9cc03b8f7295a6e02376159ea96a83caed4b584769370c0bf365b25d29c883ba5c8359cfeb7316d13c93b49fd37cca267f6e7931220ced71435e1f4b639c8

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll

Filesize
92KB

MD5
83c274a450f71d2dae867ae2d13640ff

SHA1
dfb0d008c39af8df1d7733ccf3e8e600ec595631

SHA256
419af61576ee876878ed3551d1ea3cb90191b2e5bb18bd8987ecf8871243ad15

SHA512
f995a55f65dd7b5ad300c91ca0eba37bd57df86b7b8ac0252cd085a44bf98ffcd63f7d3931ddca25942f3261d8c2e19761ed70d678916d93e202e3d7d76b11cc

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\StructureMap.dll

Filesize
277KB

MD5
94367c721e65db3d2a6c62d52f8c176d

SHA1
b6acbe0252d46c07b3b793e70206d2d106e1243c

SHA256
4057ec13b30dcdfe167dad5a2c5043c33ab039e5a9d3be7811bd92144399d4c7

SHA512
396275139041873be8f0e0c16db6c5c847025ef2b4bd12960255f7c74275d690f0d9c88d098c85205c63bda103a07066c2b53f20969caeb4af0406c32d6b0b7f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.INI

Filesize
12B

MD5
20f7dee705a4f03baeffa9b658fee625

SHA1
aff7da269b24cd1c37e5b13f9395564d0fdf6d5b

SHA256
aa29d45c1bdce17624bc9a2c57f89bd7b36e1f68e44ce763879cf44d977a82d6

SHA512
56068a5026fcbed08eb8d0c4fb82198d7b3eef4857aae0ca3dbb9b1fa0fe8772a930bb544bdac435c47fd612d5bcaade4bc7ba8360575769abdb3aa818bf98b3

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
65KB

MD5
15133bbe13e21b1c50d447c64463f772

SHA1
3dd21da8e2efd3e448fa336477700f733875cdae

SHA256
433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec

SHA512
54c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
65KB

MD5
15133bbe13e21b1c50d447c64463f772

SHA1
3dd21da8e2efd3e448fa336477700f733875cdae

SHA256
433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec

SHA512
54c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
65KB

MD5
15133bbe13e21b1c50d447c64463f772

SHA1
3dd21da8e2efd3e448fa336477700f733875cdae

SHA256
433e39d42fda59df6107cb02895950cdcf3bb96325a72e081dbba0cd79e6fdec

SHA512
54c3e5ebf34ce2b117ac88272fc40c712248df9aa11682f48b3d930dcf8b669ff8220fbcd203230a46722f5643f8a61f3ea6bf4dbc0d7a51c0355cc209dc44db

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

Filesize
541B

MD5
d0efb0a6d260dbe5d8c91d94b77d7acd

SHA1
e33a8c642d2a4b3af77e0c79671eab5200a45613

SHA256
7d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102

SHA512
a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
e182b5896e44abee3a33adf7faef38dd

SHA1
d30d7146e03035da47dd3b7b50c08cdfa022aa35

SHA256
0d335ea84f9295e7882c358a923d265b6e0bc536a5fdd22da5931d9204b06467

SHA512
e467f383f576daf785dd728add510fa5d604a954ca4a2d7cee5bb6b8f14be8ea89219d181ae8da81510defb778b23c5c500e3d8c738f9b26d63bac8122036ef5

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll

Filesize
693KB

MD5
b11c285aeb968434de2031c5451a267d

SHA1
92942073ae71b2d287767bf678a33db5718c603f

SHA256
f599fbd82e65a0feda9c19bca49f0db3324dcd4aa6251d40e1729765fecf9000

SHA512
bcccec3a4d2b26b02db11d2f6e4bfef9c9aa4153a7a5dcfc62b2276af50ccba3e060a5501d2aa9833c23f3821639d9715012925026e8ce53922f8a5452f83413

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.INI

Filesize
12B

MD5
7ee83499fea6848679d28edc872e7215

SHA1
240baad2aeb0c81851da18e356409c78e2cef5a7

SHA256
158f2ff9e592d4679a7471299f2f3a7aa6968d6779b81655ad1a7ae811948105

SHA512
ed3f4e8726ef683e88f04c6937e82f27e2f67c9316781478b07e5d0c90b061a09a0a5f90ba5a2da65732e9b54654cda4d39556dcbd18dd78bf61cc20c43193fe

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

Filesize
43KB

MD5
f0c3af895ad50d448c4746353896d1ca

SHA1
c55513edf0c17c0bb4be4c3e09e5f8752eeddbd6

SHA256
214ff5144ef7a275a74b431de78c80f3c27d234dbeccf1931540cefa99a93929

SHA512
3132347381689b34faf9a7b6230cddfa3310b15764a3f2a1828ff588cba42b557904daf0cb857863d4b1c2856195aa8bf15c9e75b5bcbf73317c5e3e2251bb2a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config

Filesize
498B

MD5
1819851a638eb6d98a3cc80ac4ad6894

SHA1
b74a8c6c5152c4463e487b88e534afe7144eb832

SHA256
f1d85574d2849984bf608191a519a98b1dd830b023e9430571ea6ea9fb62b981

SHA512
fa6638ea1e921da96a39e31e85ff757e6c9bad92bd997b7a516be5f34d00158bd2fe1367d6d13e22e79e703a1c590286de409c45f28b0c75ded3284a1fcfeb0d

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
6f95c167da211416fa221a8926c64532

SHA1
10aed65d1a5e3563eb561a485e0fefd531c8574e

SHA256
b88c77e60b8ae3d9b0a067218eedd2d82deea2dd4cae60b8f41c53a05101c650

SHA512
7590157b138d95c149a0a893e1355567a55bdbe82ae9806f071b8ead3a6f5ce8b122b311fd3bae34d044c436baa405cfd98ff1c27eec1b60b647265a0feb6984

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\Newtonsoft.Json.dll

Filesize
693KB

MD5
99ad695930272a0d5db6be802f0966f9

SHA1
916811188b414c84bd299ba086c1b68eafd6c487

SHA256
c00d2c7ddf4e5b45682e27d3dc60568b47e109b715b2638540d3108e98104a78

SHA512
2574553b62491635524937d8b56abd8591632f237acc86b3ccf21ac7a59811cac94015003a622fd40de0a15cb967c2b1bdbab5c5b7601dd19dac5ff45292365b

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

Filesize
30KB

MD5
ee564070a011f3cc31f846040d93c5ca

SHA1
b498078df5739008d80a6e7624352313439546ed

SHA256
0f631801a8ee3bf167fc76b50ca05aae4cb6533cdbe7b2f1261e8c590bc80c57

SHA512
ec2b86564326d112f37cec79f4809f655d4074dab596c79820d1f186b0ab020b178815b986bd957475fbd129e3ea932d77fb1ad19804baf34d6ca45923ad9b6c

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingSettings.config

Filesize
162B

MD5
5c78fe97ee3475b53db8b00ef78e4a8f

SHA1
07ef7446942563ac6db9fa5de8734831bcfca8e9

SHA256
74cedcfab23fd143fc690c8431eff92ea69e8633f318ca33fdb259aaf1757102

SHA512
18324927b0f7c95a03b0be8ddce18b54db8467dbf351da8d6559bf5b87acedb36cbb5bace31be4f7cf0e7f6b8a5be9553d16e514f7d41f8913212de0a19dcad7

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\rjuxyaxx.newcfg

Filesize
228B

MD5
f2a3653dd8e6f24fd200cc76c3b29ad7

SHA1
e5101d7fd9b7f52430262a8075f7a3589187596b

SHA256
96c4c998d361d18b9f4054caee12606cdd9eaf0711d55b3c9f5f0e20b6c174a4

SHA512
ac395783bc96d9005a1d741fb07cd8583139bf3d2a981948d070b1137666be6d8cb88229064c6f828273e352ef2c56adda03f4b046feda40f5096fe6784a6102

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\zg5zkoui.newcfg

Filesize
316B

MD5
abc68d054dcbbac9f180f938943b8b3e

SHA1
e8d08d58cb8b2f88f60d953a0dae1899aff73e24

SHA256
b01d14a5e46767b7917fd550d749c21d7b8f4eb3f5fa582965c0b128088a6bf6

SHA512
38ac492c0f65e7c79eaeb6bbd7152dfcf1dfac25e656e110159d4bae1d9a7005f28f69f24a6dc2d836a226a3946d1a3fa0ce263f778488384d4f9f442ff27d6a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.INI

Filesize
12B

MD5
39b44ca42c8612a5930265aeb5b57d01

SHA1
bcdb0725dac93ff166f3720fb857044b34d30915

SHA256
88ba4bc3ed257a32c86d2300ef9bb15b5737e94530ba27a806cbf5240302e64b

SHA512
8eb7df51281cda144dc77175cb2bde02294184de60db93c80a166acf37e64c3508dfc0f82ec1511aa2d5a72828b2e7f78d6ccee0015924fc15df52abe4f1268a

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
953e52ff73e83b5b07a6c4a89a281ee6

SHA1
9a2a24d55926ca9739c8aee411d3d23e290191bf

SHA256
71b287bb826d8abf546a647825532f6a2dee8e32fec04a1c5d766d497e02025a

SHA512
fd4a48921667b1039af4f3d74a4525cbd42a02af8e3fefe5e24102c9576dddf4ecb08f7beabb546fe8f5210007abbe69ce31acc9ee86bec48bd308c56ca3de09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
953e52ff73e83b5b07a6c4a89a281ee6

SHA1
9a2a24d55926ca9739c8aee411d3d23e290191bf

SHA256
71b287bb826d8abf546a647825532f6a2dee8e32fec04a1c5d766d497e02025a

SHA512
fd4a48921667b1039af4f3d74a4525cbd42a02af8e3fefe5e24102c9576dddf4ecb08f7beabb546fe8f5210007abbe69ce31acc9ee86bec48bd308c56ca3de09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

Filesize
50KB

MD5
953e52ff73e83b5b07a6c4a89a281ee6

SHA1
9a2a24d55926ca9739c8aee411d3d23e290191bf

SHA256
71b287bb826d8abf546a647825532f6a2dee8e32fec04a1c5d766d497e02025a

SHA512
fd4a48921667b1039af4f3d74a4525cbd42a02af8e3fefe5e24102c9576dddf4ecb08f7beabb546fe8f5210007abbe69ce31acc9ee86bec48bd308c56ca3de09

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config

Filesize
535B

MD5
d505e3de03f172fa2b246e210054c5f7

SHA1
f5a480f56f760eeba3b29108387e54d70a721127

SHA256
a568f933f09b1ad1ee5e88ddcffa1fe5921d18b73477136e1faee55f2bef399a

SHA512
80f01447b43525dbdf5b283522fe14d9aecef16e55ea3fe36dc0a94b53c49e03bb56136f0911c348fb78fb5af6112b1de7c38cbffbd73acb2971655ef1b2b859

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Atera.AgentPackage.Common.dll

Filesize
94KB

MD5
a46fde4c53c84fec49864375d3a0bf58

SHA1
244a459a06354c234f9d1eb144b37a1a38881802

SHA256
21681a41bd53bf8e94a173c01c2f38466f93df92cdf0d61989ef1d41d50c5f21

SHA512
b7202c8734cf42bdf8c86f31d83f06496d01c0f0be84812a5bd7e2fdeec004bac66ad897c1fd0eb46b731ffb170f3c9439fca23d336fc9ac64fcb56b50217281

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Deployment.WindowsInstaller.dll

Filesize
181KB

MD5
66057a0e46da3924670862efe243640f

SHA1
a2cd8abcb3c2ee7e77559b81166eb180f61fabbc

SHA256
30e435fe1dc8dc5c8f8823b1fdcb6ba9c61bbb820f2a363c115ec3a31b47a6a1

SHA512
bf4070f82716f2695a77f52be7387f2ca1e8c3260d63fb4f93007b3c6b21f0842d4663f75be89088b13388504dd5dec721bd44b4f625ca6ac0c9c9b33e517ea4

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll

Filesize
323KB

MD5
716387d1960415fd3618db9b1557ae2f

SHA1
252fa9344c0a834a3ecbb8da7541e9fcc5df76d7

SHA256
c8f269b3aed910f85d05f92c8751c19cc353627928b248c3e56190f40d54e544

SHA512
6c2e72ffb40289839cf11709cf947a0e4a3247bce88d2d353d61a9c090cc75473487cb065d8e504ac69437fc8c47e14fad98906ab004f1190b3a3b1464001b91

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Newtonsoft.Json.dll

Filesize
693KB

MD5
17250c84c362f1b036449bd5f5ac2ffa

SHA1
cdfb112668b13b378b7dc553e9a93a6980e7be9c

SHA256
65fd00cdd3e0f88f40c0dfb3b585234548fdd6eb084bc98086fb1bd58d060d6c

SHA512
d4ab803657b5362546be26b419fd7024720c78d370cc4730c364d630952d52d612c8c71d3a6cf786701f823d48f1f713deef846f3abe059f558420ca58e7af03

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\PubNub-Messaging.dll

Filesize
167KB

MD5
e8458b60d4f251de071b765287c5661e

SHA1
b4a4d91483f658b79204ec4be2c2012efefd5a63

SHA256
52c29826c96e35373f05fefbd0f92ac9ec377cd65e8f58a945f3a86b41c3ddc6

SHA512
57b3b9cd3a47a6543e0e81a4606e7a90e4a459fe827c01ec6a21d1a64503fe6267079fa89e3120519079a1e9a0eb925f3b794d9b39f03d7eba524393dc564bea

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

Filesize
168B

MD5
d1cb885060e2c02583dd326cac584628

SHA1
2acc83cbf06dd0aff210af2f7310ee038671cac2

SHA256
2d63a9a1d8add3b0e4e5823849a6fe81cf087967ebdecf255bc2faa29b53b118

SHA512
ccba93ce2f07856cfd013998b2cf8bedc3bfe4ce79f4e8a96f3af1d7b78cbbdbdb7a1bc8cf52bc94d8bea795d8d2a6c3097ae028a77cabdd7278f94ad54cc054

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe

Filesize
9KB

MD5
1ef7574bc4d8b6034935d99ad884f15b

SHA1
110709ab33f893737f4b0567f9495ac60c37667c

SHA256
0814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271

SHA512
947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe

Filesize
10KB

MD5
f512536173e386121b3ebd22aac41a4e

SHA1
74ae133215345beaebb7a95f969f34a40dda922a

SHA256
a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a

SHA512
1efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe

Filesize
76KB

MD5
b40fe65431b18a52e6452279b88954af

SHA1
c25de80f00014e129ff290bf84ddf25a23fdfc30

SHA256
800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e

SHA512
e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\ProgramData\Splashtop\Common\Event\stevt_srs.dll

Filesize
27KB

MD5
29f288f751fbcea5cd75ea9774882787

SHA1
5a4c30382c63e29e848b681d39cc213c2198e12e

SHA256
711702eb24803788ce601996f90b7ef57eef1f764f7aaf3a96e2196ed4a9533e

SHA512
b7fc0a739b33e79232ef506393cf90297f4d41f165f34b5be50648d8a1967419e1f0ee369e809d5c142898824e8b5a3784106d33a2d1d72cd811d5352f4bbd60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
471B

MD5
30cdbf3159adc4f820d2356c3abca7a1

SHA1
51aa0ce2ecd878ad5a7108487507f3a1c32ea57f

SHA256
5127a5bab21ffe9382bcf17989de2c896d3d4fb2e5a4e2125d16c358209999b0

SHA512
bc97b561a77d61d4a5e73f53fc009d2100e596ae897a8c435fd50058d4571020560ee8f37c235756e46ff3387e7ad4941b186efc0aff47fe7d468038c9918cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A

Filesize
471B

MD5
c1863ad297487389788ea71598af9c27

SHA1
c56e429202aa215878dbd4db4585a7e4381de35e

SHA256
0b04f709db9c017f4755d695f0380b6ec2f1491eec76f2265b862c1cdcff9667

SHA512
fb1231313af5a9da17636b3960578ad15d5107ebc44e6c95e15c548fbdc2b944eb225adb5c0a761b2f0d49dd236537980da8debb684557ba486b37dc44e6069d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8890A77645B73478F5B1DED18ACBF795_C090A8C88B266C6FF99A97210E92B44D

Filesize
396B

MD5
a18219a65731e0e77d01c876b7b89d8d

SHA1
e882a6d577f6f185c092c38878d36a0710ba2d91

SHA256
81c05881688d5cbed9139e4ec641aaa881946ad73c65461b6651532591914e60

SHA512
8177d8d2ef851a1be42895d13de6506113f655c1ce6bd524dab298685ef7645c52c0859ce90c36b2e3fed182db9ae6c827cc17410be6be03e4df5d9d5e35a977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DA3B6E45325D5FFF28CF6BAD6065C907_45127723BB4D97FE8AFE9AA61205741A

Filesize
408B

MD5
913b9487a9e5e6c444dd5c26db6c026f

SHA1
e3e6cce9ee8b47f9fbd4c89ce30d573319980516

SHA256
54ea3775515eecc575e4cfa22a2d77b2605e7b022c14e2485b011ef02d2efcb5

SHA512
338ca6766a787c8bd6eb4179e27d88a013c1360886590a0be0135f4324e2fcad181fc72eeb2337d20490c0084ce88c5d953d83a55c9bc01f863be2edfaf056bc

Download Submit
C:\Windows\Installer\MSI2EAD.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI2EAD.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Installer\MSI9C0F.tmp

Filesize
4.5MB

MD5
dcf1c5be73edef9f4969109f9ba5147d

SHA1
8ce70c29fffd8ecd54fab1ab5d021f4be7960a3e

SHA256
3b26989d2114f3f21ded0a4838643c629c550bc2fe01fa9147fced0ac5223e74

SHA512
cd72ee30040f84fe6c7077de2697a2ff1ccf787f434eaf33cfca10c39ceb1534b869c69496cd168c50c7cd348e1b36743dd305757dd2bd2eba09a02a132d07e1

Download Submit
C:\Windows\Installer\e582cb8.msi

Filesize
632KB

MD5
31b8bb512a0f8c74461b4c6ae28cc5ef

SHA1
f36be96e0f28edfcc5a232e9c4dfcdad0e94c151

SHA256
7ff41b06ca3f24829baf4f67bc669be8421f70895dc1734b24948bd5f74beaf4

SHA512
e2e86f0985016c44e347990166d7038829cc4593289d0fe8db1402bd039433243229b1dd4639f5aa81106a0fa9e1944163d001e114b11ef156bde3917304392e

Download Submit
C:\Windows\Installer\e582cbf.msi

Filesize
47.3MB

MD5
92a47f95f326cd152a37d645de986a70

SHA1
af1a584c076549e102a7d6680dc87659c107bbc0

SHA256
3a63472cab8a7d175db712bf8c52ef0c472f050137331daddba3e886634348b2

SHA512
b061bac51428d48416dd634c2f1fae2e89ecb419300283a56ff9585ffcaa9a64274444262ebca3b8d26d02246c49c79020e95961979cc2ff0c85091c0151cc26

Download Submit
C:\Windows\Temp\InstallUtil.log

Filesize
4KB

MD5
feeb0c072eafe62c35a208958d8a92e8

SHA1
806748ec5da06c95fb8cd9c60fe1829d59f4ff24

SHA256
f450e0074aee6f6937ae096565ee16caf571e4d14ef63845d553e59a3f8d6641

SHA512
e8c9f6c73a25b9f59e6f269dfcf1dfc3fe0ed777699e3485c7719cdef7d3da7862faba2de92b680e4def4ef082c248cf78d40cb40d4709bd9d2fad0fa61c2b7b

Download Submit
C:\Windows\Temp\PreVer.log

Filesize
2KB

MD5
aabbdd7d32b5b972ff4ab3c9b04a2093

SHA1
29fbf926642b98c00bd7f7eb74b759e697141394

SHA256
69dcb9948a7c1648bbf2399a25acd58f7e849382943bc557447319d181784298

SHA512
36b86099f1f1564fd1ca1a7b9bb317b88cb6d90b25b3b47a0bf49ef71ace2171e98a89fd476523895438b2e2b407f844a56532f5a6deaa6eac495879eb19e172

Download Submit
C:\Windows\Temp\unpack.log

Filesize
4KB

MD5
33e7a6b07a6040a97f127bf7d8b54dc9

SHA1
21871ca3c24f6cb62d0e4a79110ae011eccb2b24

SHA256
7716425011e6d160aeb14daa90f1bf6a857b8dc9d90d89be97ec7a25ec68afca

SHA512
c9fcb1bb31d19b3e35c6bcf5506953c16dbe34f83c02ec359e22cd3c4c494f2e55279d3b5f41a99a68f673feb10415b6ce0820967952fd47c1c086060092589d

Download Submit
C:\Windows\Temp\unpack.log

Filesize
4KB

MD5
33e7a6b07a6040a97f127bf7d8b54dc9

SHA1
21871ca3c24f6cb62d0e4a79110ae011eccb2b24

SHA256
7716425011e6d160aeb14daa90f1bf6a857b8dc9d90d89be97ec7a25ec68afca

SHA512
c9fcb1bb31d19b3e35c6bcf5506953c16dbe34f83c02ec359e22cd3c4c494f2e55279d3b5f41a99a68f673feb10415b6ce0820967952fd47c1c086060092589d

Download Submit
C:\Windows\Temp\unpack\PreVerCheck.exe

Filesize
1.7MB

MD5
351e3a4ec04587153ecb8884dfec5a3d

SHA1
17fb16e611e681420617220233d4accc63fbd68e

SHA256
220141e9aaa99808db4451f4dc3a81aa659811cc2e9d637e458749fc98bf89f3

SHA512
5d19efdda526ac9be9f68d195461e63d73eaa76be2908a9d6e1da396c25141cba8e8ba0d369ad240351ea0195d3aa839789610f7f855b7f76cbf3c401b00d42b

Download Submit
C:\Windows\Temp\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\ISRT.dll

Filesize
427KB

MD5
85315ad538fa5af8162f1cd2fce1c99d

SHA1
31c177c28a05fa3de5e1f934b96b9d01a8969bba

SHA256
70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

SHA512
877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

Download Submit
C:\Windows\Temp\{7FCB97AC-70B9-4902-BE8B-52ECAA2AA334}\_isres_0x0409.dll

Filesize
1.8MB

MD5
befe2ef369d12f83c72c5f2f7069dd87

SHA1
b89c7f6da1241ed98015dc347e70322832bcbe50

SHA256
9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131

SHA512
760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b

Download Submit
C:\Windows\Temp\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\IsConfig.ini

Filesize
538B

MD5
86fb4a915929524f76a887a37490a470

SHA1
95c2d8d4879c0ecef89f377be83c25d5f2ea992c

SHA256
26be6365339c243b58c20f942fee384ecd0897cf8a89e787410bc8927fff3e09

SHA512
90457e5728c9467dbe1e57112674d944c0fa0a77099fbd3dc487a949c74c154a9342231c999bf93bde33054801fbfccd1cb0bc81dd7a40012a67297d334e5f76

Download Submit
C:\Windows\Temp\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\String1033.txt

Filesize
181KB

MD5
f6e8b3a854b72500091ea75e6fabfabc

SHA1
8302691f421300d09ecaa527bb0eafe142efbb86

SHA256
78f8dde46e879f7692af0d4ecef489e621fc0ed061baa6ad7d72f17863368087

SHA512
900ef19d5db93afee5297b00dc230a9faf3c4bd3657f2ec39203422cd285799957cc86a63a348da59b0a99fb60e71395e8923a8d32b9ee60a7129c6017cdcd17

Download Submit
C:\Windows\Temp\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\_is5981.exe

Filesize
179KB

MD5
7a1c100df8065815dc34c05abc0c13de

SHA1
3c23414ae545d2087e5462a8994d2b87d3e6d9e2

SHA256
e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

SHA512
bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

Download Submit
C:\Windows\Temp\{A6904970-CBA6-4DBD-B9C6-3D0FB68CF3D3}\setup.inx

Filesize
343KB

MD5
e1bfed7bf9459e0df6522b6b794ebea4

SHA1
88da94524f008b3ba838dea3cffc63d472dfebec

SHA256
4f3e5c1b593c01a0bb49159deb17fb82a883e55104f8f323cc29bea9e7163023

SHA512
ea181f4041e183b8c3ca6fdb5a554a75d611be2f723cde220ffb8913024da5bdb4ee08b8aeeb606c52223e4b6e384192067d7eebc78f745fc63cb9481e3951d5

Download Submit
C:\Windows\Temp\{C9251022-5ED0-4E52-BEA7-0CA4749D2419}\.ba\bg.png

Filesize
4KB

MD5
9eb0320dfbf2bd541e6a55c01ddc9f20

SHA1
eb282a66d29594346531b1ff886d455e1dcd6d99

SHA256
9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79

SHA512
9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d

Download Submit
C:\Windows\Temp\{C9251022-5ED0-4E52-BEA7-0CA4749D2419}\.be\dotnet-runtime-6.0.13-win-x64.exe

Filesize
609KB

MD5
7fc7feff419ae763ddee6799c273f627

SHA1
95a73d59edd7bf46a188675c27dfc6706a978c8a

SHA256
d40e53e227fd65afd42c5178ea75737b6082763773a48fd4ce79a296c366a288

SHA512
f3514ceee0b72c00ebd13f28bb4db5e7db231153cb894cd04039857d30ff04ad6934c1ecc26c872af55951588b27f5a4e71139c479a659ea5516213ba0613f04

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log

Filesize
1KB

MD5
13a7fdad59a18467731ffd4f239243da

SHA1
654ca1623613632cd90265d16ee06a5b9ac7e143

SHA256
ec17a221f0cce9c92441d57c92c77ea10296a2bbf7fd2947c63cb68f0fba3313

SHA512
fa8dedf0488eee2e66bee62ac437164042b9599484981342214f61840ba7abae860647318535f030fc7d26addf331bd32e58242e310bc6b87d44d3cdc959c1d7

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
3e0320a94b4f74a63668d97cfd7e0d9e

SHA1
af2addefdd94b9d8a897f49a3e8fde4412dab8a4

SHA256
c6355a1d6f8e356d7fa7b3ab37ddc78de72afb958c0f6a0823484af037622f27

SHA512
a86315c2535a29f443bb221b8964eb7d434d7158d63416b2cf1aa27b8dff9cd9af41d6f7f770a407db33b60ef3ae815b6569bda53cbbe161eb4ee52589260d12

Download Submit
\??\Volume{68140b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{94122afc-cb8b-4c4f-a711-b17dfc493b96}_OnDiskSnapshotProp

Filesize
5KB

MD5
87894873cfb2547f49b164bd21cdb0d5

SHA1
87bf65767346e751e4340e67dfadb1de0bda1740

SHA256
0ad9ba3fdde605cc4bac9a64971b819e6d15e6cda4babdb3d4ad341a08fa2f04

SHA512
7d68dc23accd37558ba3cf7753aa17d4f45d33a9a296811472170aa41f13c7f762fd54148709b5c99bacbc96b237cc4d7a95dea6c3eade8792de4ad2360a8dcb

Download Submit
memory/452-1149-0x000001DE66D00000-0x000001DE66D4A000-memory.dmp

Filesize
296KB

Download
memory/452-1153-0x000001DE66B50000-0x000001DE66B6C000-memory.dmp

Filesize
112KB

Download
memory/452-1159-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/452-1001-0x000001DE66310000-0x000001DE6631C000-memory.dmp

Filesize
48KB

Download
memory/632-1150-0x0000028626120000-0x000002862612C000-memory.dmp

Filesize
48KB

Download
memory/636-1496-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/636-1476-0x0000000003E40000-0x0000000004007000-memory.dmp

Filesize
1.8MB

Download
memory/636-2039-0x0000000003E80000-0x0000000004047000-memory.dmp

Filesize
1.8MB

Download
memory/960-908-0x0000020F3BD70000-0x0000020F3BDBA000-memory.dmp

Filesize
296KB

Download
memory/960-902-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/960-877-0x0000020F3B4E0000-0x0000020F3B4F2000-memory.dmp

Filesize
72KB

Download
memory/960-930-0x0000020F3BD30000-0x0000020F3BD4C000-memory.dmp

Filesize
112KB

Download
memory/3736-315-0x00000283F9BE0000-0x00000283F9BEA000-memory.dmp

Filesize
40KB

Download
memory/3736-439-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/3736-731-0x00000283FAD90000-0x00000283FADA0000-memory.dmp

Filesize
64KB

Download
memory/3736-1024-0x00000283FB7B0000-0x00000283FBCD8000-memory.dmp

Filesize
5.2MB

Download
memory/3736-661-0x00000283FADA0000-0x00000283FAE26000-memory.dmp

Filesize
536KB

Download
memory/3736-574-0x00000283FA440000-0x00000283FA458000-memory.dmp

Filesize
96KB

Download
memory/3808-93-0x000001AADC3B0000-0x000001AADC3E4000-memory.dmp

Filesize
208KB

Download
memory/3808-75-0x000001AADC360000-0x000001AADC370000-memory.dmp

Filesize
64KB

Download
memory/3808-79-0x000001AADC3F0000-0x000001AADC46A000-memory.dmp

Filesize
488KB

Download
memory/3808-126-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/3808-72-0x000001AAC3950000-0x000001AAC3980000-memory.dmp

Filesize
192KB

Download
memory/3808-73-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/3808-129-0x000001AADC360000-0x000001AADC370000-memory.dmp

Filesize
64KB

Download
memory/4128-1136-0x00000115C61F0000-0x00000115C6228000-memory.dmp

Filesize
224KB

Download
memory/4128-1033-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4468-1000-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4468-145-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4468-183-0x000001E8E3890000-0x000001E8E38A0000-memory.dmp

Filesize
64KB

Download
memory/4600-1147-0x000002B007C50000-0x000002B007C60000-memory.dmp

Filesize
64KB

Download
memory/4676-1152-0x000001D74C460000-0x000001D74C47C000-memory.dmp

Filesize
112KB

Download
memory/4676-1144-0x000001D74C490000-0x000001D74C4DA000-memory.dmp

Filesize
296KB

Download
memory/4676-1028-0x000001D74BBC0000-0x000001D74BC28000-memory.dmp

Filesize
416KB

Download
memory/4676-1148-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4688-40-0x00000254CB270000-0x00000254CB292000-memory.dmp

Filesize
136KB

Download
memory/4688-51-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4688-57-0x00000254CB6F0000-0x00000254CB72C000-memory.dmp

Filesize
240KB

Download
memory/4688-56-0x00000254CB680000-0x00000254CB692000-memory.dmp

Filesize
72KB

Download
memory/4688-52-0x00000254CB670000-0x00000254CB680000-memory.dmp

Filesize
64KB

Download
memory/4688-80-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4880-974-0x0000024BF5C90000-0x0000024BF5CAC000-memory.dmp

Filesize
112KB

Download
memory/4880-1151-0x0000024BF5F60000-0x0000024BF5F70000-memory.dmp

Filesize
64KB

Download
memory/4880-911-0x0000024BF5D50000-0x0000024BF5E02000-memory.dmp

Filesize
712KB

Download
memory/4880-899-0x0000024BF4C40000-0x0000024BF4C54000-memory.dmp

Filesize
80KB

Download
memory/4880-905-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4936-117-0x00000263D08E0000-0x00000263D090C000-memory.dmp

Filesize
176KB

Download
memory/4936-124-0x00000263D1280000-0x00000263D129C000-memory.dmp

Filesize
112KB

Download
memory/4936-120-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4936-121-0x00000263E9A10000-0x00000263E9AC0000-memory.dmp

Filesize
704KB

Download
memory/4936-125-0x00000263D12E0000-0x00000263D1302000-memory.dmp

Filesize
136KB

Download
memory/4936-133-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4936-127-0x00000263E9C20000-0x00000263E9C30000-memory.dmp

Filesize
64KB

Download
memory/4940-932-0x0000026FA0E10000-0x0000026FA0EC2000-memory.dmp

Filesize
712KB

Download
memory/4940-685-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4940-623-0x0000026F87C00000-0x0000026F87C10000-memory.dmp

Filesize
64KB

Download
memory/4940-906-0x0000026F88440000-0x0000026F8845C000-memory.dmp

Filesize
112KB

Download
memory/4940-954-0x0000026FA1040000-0x0000026FA1050000-memory.dmp

Filesize
64KB

Download
memory/4940-1026-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4996-128-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/4996-135-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/5072-953-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download
memory/5072-525-0x0000014AB7A10000-0x0000014AB7A1E000-memory.dmp

Filesize
56KB

Download
memory/5072-777-0x0000014AD0B80000-0x0000014AD0C32000-memory.dmp

Filesize
712KB

Download
memory/5072-864-0x0000014AB8280000-0x0000014AB8290000-memory.dmp

Filesize
64KB

Download
memory/5072-642-0x0000014AB8250000-0x0000014AB826C000-memory.dmp

Filesize
112KB

Download
memory/5072-608-0x00007FFDC8DB0000-0x00007FFDC9871000-memory.dmp

Filesize
10.8MB

Download