Analysis
max time kernel: 144s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231020-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-10-2023 12:08
Static task: static1
Behavioral task: behavioral1
  Sample: setup_madison_windows.msi
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: setup_madison_windows.msi
  Resource: win10v2004-20231020-en
General
Target: setup_madison_windows.msi
Size: 2.6MB
MD5: 60c20160ce9aaf007bab367ca7fc3a16
SHA1: 21aba7bf178ff5df590e61a66e21b2241d8f1e57
SHA256: 6f91d1278cf86d976c8800a6ae122e8154bb8d7fd71f975fb3894975d1ade18f
SHA512: 108ee6d8db6456a637bc43181ecdbd98c5c48dcbf670cea4706f509c45a235afad7ca02c98b8a94673255e9af86f7cd0176ce156f6ba02cf3ea8b26cb625fab4
SSDEEP: 49152:g51VAM5R2KAHlcp8qFmmzDza2Rqr+kMdPTEe/pjO8xn+ch/TlOFNOnUI:gPCMr2NMRmk/XeM9TEeRvx+ch/TlAr
Malware Config
Signatures
Downloads MZ/PE file

Sets service image path in registry 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SSUService\ImagePath = "\"C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe\"" | SRManager.exe

Stops running service(s) 3 TTPs
Executes dropped EXE 64 IoCs
Process (pids, in order of appearance):
AteraAgent.exe: 1960, 2404
AgentPackageAgentInformation.exe: 4348, 1300, 60, 4576, 2324, 448, 5828
AgentPackageMonitoring.exe: 2172, 412, 4372, 6020
AgentPackageSTRemote.exe: 3288
AgentPackageUpgradeAgent.exe: 5536, 5608
PreVerCheck.exe: 4364 (listed twice)
AgentPackageADRemote.exe: 4504
AgentPackageHeartbeat.exe: 2320, 5128
AgentPackageRuntimeInstaller.exe: 6012
AgentPackageMarketplace.exe: 5620
AgentPackageInternalPoller.exe: 3004
AgentPackageProgramManagement.exe: 2432
AgentPackageTicketing.exe: 3816
Agent.Package.Availability.exe: 5212
AgentPackageOsUpdates.exe: 5400
SplashtopStreamer.exe: 5628
6-0-13.exe: 3920, 5832
dotnet-runtime-6.0.13-win-x64.exe: 6132
_isE2BA.exe: 3076, 2640, 4064, 1876, 2572, 5568, 5340
_is2F5.exe: 4992, 3504, 4768, 4368, 4340, 5036, 5556, 3824, 2600, 4992, 5500, 3504
Conhost.exe: 5288
_is7305.exe: 3148, 1600, 1668, 3248, 4180, 5660, 2324, 3920, 5484, 456
SetupUtil.exe: 2808, 5492
Loads dropped DLL 64 IoCs
Process: pid (number of dropped-DLL loads)
MsiExec.exe: 2268 (2), 4268 (2), 5416 (33)
rundll32.exe: 752 (5)
AgentPackageMonitoring.exe: 412 (1), 4372 (1), 2172 (1), 6020 (1)
6-0-13.exe: 5832 (1)
Splashtop_Software_Updater.exe: 5836 (1)
SRManager.exe: 1792 (6)
SRServer.exe: 5308 (4)
SRAgent.exe: 4328 (4)
SRFeature.exe: 3424 (2)
Registers COM server for autorun 1 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" | reg.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32 | SRService.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "C:\\Windows\\system32\\SRCredentialProvider.dll" | SRService.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" | SRService.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32 | reg.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll" | reg.exe
What the report shows is only the CLSID-to-InprocServer32 mapping for SRCredentialProvider.dll, written twice: SRService.exe stores the absolute path C:\Windows\system32\SRCredentialProvider.dll, while reg.exe stores the bare file name, which the loader resolves through the normal DLL search order. No write under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\Credential Providers\{CLSID} appears in this report, and that key is what would actually enlist the DLL as a logon credential provider; check for it on the host before concluding that logon is affected.

UPX yara rule matches 3 IoCs
resource | yara_rule
behavioral2/memory/440-2205-0x0000000074030000-0x0000000074117000-memory.dmp | upx
behavioral2/memory/440-2206-0x0000000073160000-0x0000000073273000-memory.dmp | upx
behavioral2/memory/440-2207-0x0000000072BB0000-0x0000000072F71000-memory.dmp | upx
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ac916c06-1c22-495e-ae7e-b4e24fbbed14} = "\"C:\\ProgramData\\Package Cache\\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\\dotnet-runtime-6.0.13-win-x64.exe\" /burn.runonce" | dotnet-runtime-6.0.13-win-x64.exe
The /burn.runonce switch and the ProgramData\Package Cache\{bundle-id} path are the WiX Burn bootstrapper's resume-after-reboot mechanism; here it is the .NET 6.0.13 runtime installer registering itself, not the agent.

Blocklisted process makes network request 2 IoCs
flow | pid | Process
8 | 2688 | msiexec.exe
115 | 5416 | MsiExec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 drive roots, every letter except C:, D: and F:; each root opened twice, 46 IoCs in total) | msiexec.exe
All 46 opens come from msiexec.exe. Windows Installer probes every volume during its costing phase, so this signature fires for most MSI packages and carries little weight on its own.
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description | ioc | Process
File opened for modification | \??\PhysicalDrive0 | AgentPackageMonitoring.exe
The evidence behind this signature is a single handle opened with write access on \??\PhysicalDrive0 by AgentPackageMonitoring.exe; no write to the device is recorded in the report. Disk-health queries (for example the SMART ioctls issued through DeviceIoControl) require a read/write handle on the physical drive, so a monitoring agent opening the raw disk is not by itself evidence of an MBR write. Treat it as a lead and confirm by comparing sector 0 before and after execution.
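As an added example, independent of this report and of the Atera or Splashtop code, the Python below performs the check recommended above: it parses sector 0, hashes the 440-byte boot-code region separately from the disk signature and the partition table, and names which region differs between two snapshots. A bootkit changes the boot code while leaving the partition table intact; a partitioning tool does the opposite. The sample MBR is constructed by build_sample_mbr (its disk signature, partition layout and boot code are made up) and is not taken from the sandbox VM.

```python
import hashlib
import struct

SECTOR = 512
DISK_SIGNATURE = 440       # 4-byte NT disk signature just before the partition table
PARTITION_TABLE = 446      # offset of the four 16-byte partition entries


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte MBR into boot-code hash, disk signature and non-empty partition entries."""
    if len(sector) != SECTOR:
        raise ValueError('MBR must be exactly one 512-byte sector')
    if sector[510:512] != b'\x55\xaa':
        raise ValueError('missing 0x55AA boot signature')
    partitions = []
    for i in range(4):
        entry = sector[PARTITION_TABLE + 16 * i: PARTITION_TABLE + 16 * (i + 1)]
        # status, CHS start (3 bytes, skipped), type, CHS end (3 bytes, skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack('<B3xB3xII', entry)
        if ptype != 0:
            partitions.append({'index': i, 'bootable': status == 0x80,
                               'type': ptype, 'lba_start': lba_start, 'sectors': sectors})
    return {
        'boot_code_sha256': hashlib.sha256(sector[:DISK_SIGNATURE]).hexdigest(),
        'disk_signature': struct.unpack('<I', sector[DISK_SIGNATURE:DISK_SIGNATURE + 4])[0],
        'partitions': partitions,
    }


def mbr_diff(before: bytes, after: bytes) -> list:
    """Name the regions of sector 0 that differ between two snapshots."""
    b, a = parse_mbr(before), parse_mbr(after)
    changed = []
    if b['boot_code_sha256'] != a['boot_code_sha256']:
        changed.append('boot code')
    if b['disk_signature'] != a['disk_signature']:
        changed.append('disk signature')
    if b['partitions'] != a['partitions']:
        changed.append('partition table')
    return changed


def read_sector0(device: str) -> bytes:
    """Read sector 0 from a raw device or a disk image."""
    # On Windows pass r'\\.\PhysicalDrive0' (needs an elevated process); a dd image works too.
    with open(device, 'rb') as fh:
        return fh.read(SECTOR)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed test sector (not from the report): caller-supplied boot code, a made-up
    disk signature and one bootable NTFS (type 0x07) partition starting at LBA 2048."""
    if len(boot_code) > DISK_SIGNATURE:
        raise ValueError('boot code must fit in the first 440 bytes')
    sector = bytearray(SECTOR)
    sector[:len(boot_code)] = boot_code
    sector[DISK_SIGNATURE:DISK_SIGNATURE + 4] = struct.pack('<I', 0xDEADBEEF)
    sector[PARTITION_TABLE:PARTITION_TABLE + 16] = struct.pack('<B3xB3xII', 0x80, 0x07, 2048, 204800)
    sector[510:512] = b'\x55\xaa'
    return bytes(sector)


if __name__ == '__main__':
    baseline = build_sample_mbr(b'\xfa\x33\xc0\x8e\xd0' * 8)     # stand-in for the original boot code
    tampered = build_sample_mbr(b'\xe9\x00\x7c' + b'\x90' * 37)  # same table, patched boot code
    print(parse_mbr(baseline)['partitions'])
    print('changed regions:', mbr_diff(baseline, tampered))
```

To apply it to a detonation, capture sector 0 with read_sector0 from a clean snapshot and again after the run (or from the two VM disk images) and feed both to mbr_diff; an empty list means the handle open above did not result in a changed MBR.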
Drops file in System32 directory 38 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log | AgentPackageADRemote.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log | AgentPackageMarketplace.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E | MsiExec.exe
File opened for modification | C:\Windows\system32\SRCredentialProvider.dll | MsiExec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | AteraAgent.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | SRManager.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | AteraAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log | AgentPackageInternalPoller.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft | MsiExec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 | AteraAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log | AgentPackageHeartbeat.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 | AteraAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log | AgentPackageAgentInformation.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log | AgentPackageMonitoring.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log | AgentPackageUpgradeAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTicketing.exe.log | AgentPackageTicketing.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | AteraAgent.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 | AteraAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log | AgentPackageAgentInformation.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E | MsiExec.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | SRManager.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB | SRManager.exe
File opened for modification | C:\Windows\system32\InstallUtil.InstallLog | AteraAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log | PreVerCheck.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 | SRManager.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 | AteraAgent.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log | AgentPackageAgentInformation.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log | AgentPackageProgramManagement.exe
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log | AgentPackageOsUpdates.exe
File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData | MsiExec.exe
File created | C:\Windows\system32\SRC7E90.tmp | MsiExec.exe
File opened for modification | C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 | AteraAgent.exe
Of these rows, the ones that matter are the write of SRCredentialProvider.dll into C:\Windows\system32 (the DLL the COM registration above points at), the SRC7E90.tmp staging file next to it, and InstallUtil.InstallLog (AteraAgent.exe installing itself as a service through InstallUtil). The CryptnetUrlCache entries are CryptoAPI's cache of fetched certificate data under the SYSTEM profile, and the CLR_v4.0\UsageLogs files are .NET usage logs; both are side effects of running as SYSTEM rather than persistence.
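As an added example (not part of this report and not the vendors' own tooling), the Python below parses rows in the format this report uses for the registry persistence signatures (service ImagePath, RunOnce, COM InprocServer32) and for the System32 and Program Files file drops, and applies the checks a triager runs on them: is the service ImagePath quoted, is the InprocServer32 DLL given by absolute path or by bare name, and was a DLL written into a system directory or a .sys driver dropped. The sample rows are copied from this report; the category names, the Finding class and the regular expressions are this example's own assumptions about the row format.

```python
import re
from dataclasses import dataclass

# Rows copied from this report (the sandbox's "description ioc Process" strings),
# used as constructed sample input for the parser.
REPORT_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SSUService\ImagePath = "\"C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe\"" SRManager.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ac916c06-1c22-495e-ae7e-b4e24fbbed14} = "\"C:\\ProgramData\\Package Cache\\{ac916c06-1c22-495e-ae7e-b4e24fbbed14}\\dotnet-runtime-6.0.13-win-x64.exe\" /burn.runonce" dotnet-runtime-6.0.13-win-x64.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32 SRService.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "C:\\Windows\\system32\\SRCredentialProvider.dll" SRService.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" SRService.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll" reg.exe',
    r'File opened for modification C:\Windows\system32\SRCredentialProvider.dll MsiExec.exe',
    r'File created C:\Windows\system32\SRC7E90.tmp MsiExec.exe',
    r'File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys msiexec.exe',
]

# "Set value (<type>) <key> = <value> <process>": the key runs up to the first " = ",
# the value may contain spaces, the process is the last whitespace-free token.
SET_RE = re.compile(r'^Set value \((\w+)\) (.+?) = (.*) (\S+)$')
FILE_RE = re.compile(r'^File (created|opened for modification|opened \(read-only\)) (.+) (\S+)$')

SERVICE_IMAGE = re.compile(r'\\Services\\([^\\]+)\\ImagePath$', re.I)
RUN_KEY = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunOnceEx|RunServices)\\', re.I)
INPROC_DEFAULT = re.compile(r'\\CLSID\\(\{[0-9A-F-]+\})\\InprocServer32\\$', re.I)  # default value of InprocServer32
SYSTEM_DLL = re.compile(r'^C:\\Windows\\(system32|syswow64)\\[^\\]+\.dll$', re.I)


@dataclass
class Finding:
    category: str
    detail: str
    process: str


def unquote(raw: str) -> str:
    """Undo the sandbox's string rendering: outer quotes plus backslash-escaped quotes and backslashes."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    return re.sub(r'\\(.)', r'\1', raw)


def service_path_is_safe(image_path: str) -> bool:
    """An ImagePath containing spaces must be quoted; otherwise the SCM tries each
    space-delimited prefix first (the classic unquoted service path weakness)."""
    return image_path.startswith('"') or ' ' not in image_path


def is_absolute_win_path(path: str) -> bool:
    return re.match(r'^[A-Za-z]:\\', path) is not None


def triage(rows):
    """Classify report rows into persistence and system-directory findings."""
    findings = []
    for row in rows:
        m = SET_RE.match(row)
        if m:
            _vtype, key, raw_value, proc = m.groups()
            value = unquote(raw_value)
            svc = SERVICE_IMAGE.search(key)
            com = INPROC_DEFAULT.search(key)
            if svc:
                note = 'quoted' if service_path_is_safe(value) else 'UNQUOTED path with spaces'
                findings.append(Finding('service-imagepath', f'{svc.group(1)} -> {value} ({note})', proc))
            elif RUN_KEY.search(key):
                tail = '\\'.join(key.split('\\')[-2:])
                findings.append(Finding('run-key', f'{tail} -> {value}', proc))
            elif com:
                note = '' if is_absolute_win_path(value) else ' (unqualified name, resolved by DLL search order)'
                findings.append(Finding('com-inprocserver32', f'{com.group(1)} -> {value}{note}', proc))
            continue
        m = FILE_RE.match(row)
        if m:
            action, path, proc = m.groups()
            if SYSTEM_DLL.match(path):
                findings.append(Finding('system32-dll-write', f'{action}: {path}', proc))
            elif path.lower().endswith('.sys'):
                findings.append(Finding('driver-dropped', f'{action}: {path}', proc))
    return findings


if __name__ == '__main__':
    for f in triage(REPORT_ROWS):
        print(f'[{f.category}] {f.process}: {f.detail}')
```

On the rows above this reports the SSUService path as quoted, the RunOnce entry for the .NET runtime bootstrapper, the two InprocServer32 writes (flagging the bare-name one from reg.exe), the SRCredentialProvider.dll write into system32 and the stgamepad.sys driver drop; feeding it the full row list of a report is a matter of splitting the report text into one row per line.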
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data-log.db | AgentPackageMonitoring.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LiteDB.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppCam.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe | msiexec.exe
File opened for modification | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db | AgentPackageMonitoring.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.ini | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.InteropServices.RuntimeInformation.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Xml.XmlSerializer.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\64bits\stgamepad.sys | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.EnvironmentVariables.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebEngine.dll | AgentPackageTicketing.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\uninstall.bat | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAgent.exe | Splashtop_Software_Updater.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.CompilerServices.Unsafe.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\uninstall_driver64.bat | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver.bat | msiexec.exe
File opened for modification | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Data-log.db | AgentPackageMonitoring.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Sockets.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdbook.gpd | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdscale.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Net.Primitives.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Software Updater\WCXInst.exe | Splashtop_Software_Updater.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ToastNotification.exe | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\PkgHelper.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.CompilerServices.Unsafe.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.EventSource.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Options.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch | AgentPackageAgentInformation.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe.config | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicket��ing\System.Linq.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\install.bat | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver.bat | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdbook.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Reflection.Primitives.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK_x86.exe | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdwmark.dll | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver.bat | msiexec.exe
File opened for modification | C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUClient.dll | Au_.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.Extensions.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf | msiexec.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.sys | msiexec.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Net.WebSockets.dll | AteraAgent.exe
File created | C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.DependencyInjection.Abstractions.dll | AteraAgent.exe
File created | C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdscale.dll | msiexec.exe
Drops file in Windows directory 34 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIE72.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIFDEB.tmp | msiexec.exe
File created | C:\Windows\Installer\e580d97.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE72.tmp-\AlphaControlAgentInstallation.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI1A99.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1D0D.tmp | msiexec.exe
File created | C:\Windows\Installer\e580d99.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSID968.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBACA.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE72.tmp-\Microsoft.Deployment.WindowsInstaller.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE11B.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIB27C.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE72.tmp-\System.Management.dll | rundll32.exe
File opened for modification | C:\Windows\Installer\MSI1BE3.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDD90.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIE72.tmp-\CustomAction.config | rundll32.exe
File created | C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDEA.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e580d97.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1AE8.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\e580d9a.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI67E2.tmp | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI6C67.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI924F.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIAB95.tmp | msiexec.exe
File created | C:\Windows\Installer\SourceHash{C5F5A288-85FF-4257-AF69-D5910E6268B5} | msiexec.exe
File created | C:\Windows\Installer\e580d9a.msi | msiexec.exe
File created | C:\Windows\Installer\e580d9e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIBAEA.tmp | msiexec.exe
The rundll32.exe rows are the WiX DTF managed custom-action host: msiexec extracts the custom action into an MSI*.tmp-\ folder holding Microsoft.Deployment.WindowsInstaller.dll and CustomAction.config and invokes it through rundll32.exe; AlphaControlAgentInstallation.dll is the custom action assembly here. The e580d9*.msi files are Windows Installer's cached copies of the packages, and the two SourceHash{...} entries correspond to the two product codes installed.
Launches sc.exe 3 IoCs
Sc.exe is a Windows utility to control services on the system.
pid | Process
5100 | sc.exe
6092 | sc.exe
4952 | sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

NSIS installer 3 IoCs
resource | yara_rule
behavioral2/files/0x0007000000023276-1807.dat | nsis_installer_2
behavioral2/files/0x00070000000230d2-2167.dat | nsis_installer_1
behavioral2/files/0x00070000000230d2-2167.dat | nsis_installer_2
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ce060165ac6eec080000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ce0601650000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ce060165000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dce060165000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ce06016500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
All five operations are performed by vssvc.exe, the Volume Shadow Copy service, not by a dropped binary, and the keys it touches are the partition manager's Partmgr caches (the SnapshotDataCache value starts with the ASCII magic SNAPPART, 53 4e 41 50 50 41 52 54). This is the OS writing its own disk metadata while a shadow copy is taken during the install; it is not the sample reading SCSI keys for sandbox detection.
Kills process with taskkill 9 IoCs
pid | Process
4748 | taskkill.exe
2688 | taskkill.exe
4024 | taskkill.exe
3596 | TaskKill.exe
1308 | taskkill.exe
1992 | taskkill.exe
5580 | taskkill.exe
4544 | taskkill.exe
4284 | taskkill.exe
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | AteraAgent.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "0" | SetupUtil.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | SRManager.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | AteraAgent.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | AgentPackageAgentInformation.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | SetupUtil.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | SRManager.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | SRManager.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1d\52C64B7E | SRManager.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates | cscript.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\TEMPFOLDER = "C:\\Windows\\TEMP\\" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1c | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | cscript.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | SRManager.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | AgentPackageADRemote.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | SRManager.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | AgentPackageHeartbeat.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | cscript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | AteraAgent.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | AgentPackageProgramManagement.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | cscript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Splashtop Inc.\Installation\ISUPGRADE = "0" | MsiExec.exe
\REGISTRY\USER\.DEFAULT is the profile hive used by processes running as SYSTEM, so nearly all of these rows are CryptoAPI and WinINet creating their per-profile SystemCertificates, ZoneMap and Connections keys the first time a SYSTEM process initializes them. The rows specific to this installer are the Splashtop Inc.\Installation values (TEMPFOLDER and ISUPGRADE) written by MsiExec.exe and the subkey 7B0F360B775F76C94A12CA48445AA2D2A875701C that AteraAgent.exe creates under SystemCertificates\CA\Certificates: subkeys there are named by SHA-1 thumbprint, so this is a certificate being added to the SYSTEM profile's intermediate CA store, and the thumbprint is worth resolving on the host.
Modifies registry class 64 IoCs
Runs .reg file with regedit 2 IoCs
pid Process 2688 regedit.exe 3816 regedit.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2688 msiexec.exe 2688 msiexec.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 5628 SplashtopStreamer.exe 5308 SRServer.exe 5044 SRAppPB.exe 5044 SRAppPB.exe 4616 SRDetect.exe 5308 SRServer.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(each entry gives the image path, then the command line; the number before ⤵ is the nesting depth in the process tree)

1⤵ C:\Windows\system32\msiexec.exe
   msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup_madison_windows.msi
   - Blocklisted process makes network request
   - Enumerates connected drives
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   PID:2688

1⤵ C:\Windows\system32\msiexec.exe
   C:\Windows\system32\msiexec.exe /V
   - Enumerates connected drives
   - Drops file in Program Files directory
   - Drops file in Windows directory
   - Modifies data under HKEY_USERS
   - Modifies registry class
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   PID:1036
  2⤵ C:\Windows\system32\srtasks.exe
     C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
     PID:2696

  2⤵ C:\Windows\syswow64\MsiExec.exe
     C:\Windows\syswow64\MsiExec.exe -Embedding 6F77B95AB525630FBF270AA3A3F386C3
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
     PID:2268

    3⤵ C:\Windows\SysWOW64\rundll32.exe
       rundll32.exe "C:\Windows\Installer\MSIE72.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240652343 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
       - Loads dropped DLL
       - Drops file in Windows directory
       PID:752

  2⤵ C:\Windows\syswow64\MsiExec.exe
     C:\Windows\syswow64\MsiExec.exe -Embedding 2B2D9A9887123F684FC6957ADBD3D292 E Global\MSI0000
     - Loads dropped DLL
     - Suspicious use of WriteProcessMemory
     PID:4268

    3⤵ C:\Windows\SysWOW64\NET.exe
       "NET" STOP AteraAgent
       - Suspicious use of WriteProcessMemory
       PID:840

      4⤵ C:\Windows\SysWOW64\net1.exe
         C:\Windows\system32\net1 STOP AteraAgent
         PID:4712

    3⤵ C:\Windows\SysWOW64\TaskKill.exe
       "TaskKill.exe" /f /im AteraAgent.exe
       - Kills process with taskkill
       - Suspicious use of AdjustPrivilegeToken
       PID:3596
  2⤵ C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
     "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="33" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="0013z00002TrmjNAAR"
     - Executes dropped EXE
     - Drops file in System32 directory
     - Modifies data under HKEY_USERS
     PID:1960
  2⤵ C:\Windows\syswow64\MsiExec.exe
     C:\Windows\syswow64\MsiExec.exe -Embedding 916D0DF3C2ED61D30111D439BC931C8D E Global\MSI0000
     - Loads dropped DLL
     - Blocklisted process makes network request
     - Drops file in System32 directory
     - Modifies data under HKEY_USERS
     - Modifies registry class
     PID:5416

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BE8F8832-FCAA-4377-A8F6-90CAD0A9D657}
       - Executes dropped EXE
       PID:3076

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{69D27013-583A-44A4-B042-17F6BD906015}
       PID:4992

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6FEBFEC7-AEFC-4EAF-AB24-589C05970878}
       - Executes dropped EXE
       PID:2640

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9E70A8F7-A3E4-4151-A707-3A05AD97B50D}
       PID:5288

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB80294C-D82E-436D-ABFA-0BD3DAF064D9}
       PID:3504

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{98B7FBCE-E5E7-495A-93DB-AE232F6565DE}
       - Executes dropped EXE
       PID:4064

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C99D5FEC-BFD7-4F3E-B2F7-2D2BF2CE15AE}
       - Executes dropped EXE
       PID:1876

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D3547647-8664-41C0-BED1-113520D3153C}
       - Executes dropped EXE
       PID:2572

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{285F1198-9284-4BBE-8CB9-3F15D8960843}
       - Executes dropped EXE
       PID:5568

    3⤵ C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe
       C:\Windows\TEMP\{BC16AC2B-D916-45EB-AFA6-B50D38B385D9}\_isE2BA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{322E37F1-FCAE-4C78-9399-C7E4CF13B253}
       - Executes dropped EXE
       PID:5340
    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
       PID:1568

      4⤵ C:\Windows\SysWOW64\taskkill.exe
         taskkill.exe /F /IM SRServer.exe /T
         - Kills process with taskkill
         PID:1308

    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
       PID:5848

      4⤵ C:\Windows\SysWOW64\taskkill.exe
         taskkill.exe /F /IM SRApp.exe /T
         - Kills process with taskkill
         PID:1992

    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
       PID:1596

      4⤵ C:\Windows\SysWOW64\taskkill.exe
         taskkill.exe /F /IM SRAppPB.exe /T
         - Kills process with taskkill
         PID:5580

    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
       PID:3876

      4⤵ C:\Windows\SysWOW64\taskkill.exe
         taskkill.exe /F /IM SRFeature.exe /T
         - Kills process with taskkill
         PID:4748

    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
       PID:5204

      4⤵ C:\Windows\SysWOW64\taskkill.exe
         taskkill.exe /F /IM SRFeatMini.exe /T
         - Kills process with taskkill
         PID:2688

    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
       PID:3376

      4⤵ C:\Windows\SysWOW64\taskkill.exe
         taskkill.exe /F /IM SRManager.exe /T
         - Kills process with taskkill
         PID:4544

    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
       PID:2872

      4⤵ C:\Windows\SysWOW64\taskkill.exe
         taskkill.exe /F /IM SRAgent.exe /T
         - Kills process with taskkill
         PID:4284

    3⤵ C:\Windows\SysWOW64\cmd.exe
       C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
       PID:5324

      4⤵ C:\Windows\System32\Conhost.exe
         \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
         - Executes dropped EXE
         PID:5288

      4⤵ C:\Windows\SysWOW64\taskkill.exe
         taskkill.exe /F /IM SRChat.exe /T
         - Kills process with taskkill
         PID:4024
    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C1225EA0-D747-4500-B82E-819849F43C1F}
       - Executes dropped EXE
       PID:4768

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7741A82D-BD68-4D3A-962C-73CC57ECB7E6}
       - Executes dropped EXE
       PID:4368

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22594145-58CB-4AC0-AF30-B2874D271FFF}
       - Executes dropped EXE
       PID:4340

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CA86887A-1499-4A02-A085-59A33633AD8D}
       - Executes dropped EXE
       PID:5036

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB5AD49C-B31D-418F-BDA8-DD812C049FE1}
       - Executes dropped EXE
       PID:5556

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60F3D3EB-7361-4319-9A34-F0F24D040956}
       - Executes dropped EXE
       PID:3824

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54D0B886-84F0-4D88-BEA1-489C8740C595}
       - Executes dropped EXE
       PID:2600

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6CD3D4A5-7971-4BD1-83C7-558AAD5E53F0}
       - Executes dropped EXE
       PID:4992

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1D576E7C-6FF6-46DE-B283-3CB8B985B1BB}
       - Executes dropped EXE
       PID:5500

    3⤵ C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe
       C:\Windows\TEMP\{8B8A157B-13C8-424C-8F9D-4E3047C2D7DF}\_is2F5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C13AD21-D664-4BF9-880E-0C14F30DEC3F}
       - Executes dropped EXE
       PID:3504
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D4FF023D-2C5D-4545-874F-675F3A937B92}
        - Executes dropped EXE
        PID:3148
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F5FC9A98-628A-4EB2-A58C-F15D540C359B}
        - Executes dropped EXE
        PID:1600
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A5CA0CA6-F08B-44CD-8031-3F138E607DA6}
        - Executes dropped EXE
        PID:1668
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1D1CE828-35AF-4425-A28B-5A055F6F367C}
        - Executes dropped EXE
        PID:3248
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C2DDF73-10D3-4455-B1F4-4899CD404708}
        - Executes dropped EXE
        PID:4180
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4ADCA49D-6650-4237-A092-FB4E022576FF}
        - Executes dropped EXE
        PID:5660
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7964B629-BDE2-4958-ADC6-70DA9DF17897}
        - Executes dropped EXE
        PID:2324
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0EE3D7BE-01CB-4D90-BD3A-84FD9EC2E057}
        - Executes dropped EXE
        PID:3920
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E5CDFEE8-C61C-4BDA-AE87-6AD24649BFFD}
        - Executes dropped EXE
        PID:5484
    [3] C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe
        Command line: C:\Windows\TEMP\{8618FD35-4BA4-41BB-B013-2A4A889F308B}\_is7305.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C96607F1-2301-4FF2-9561-EDE29E62F203}
        - Executes dropped EXE
        PID:456
    [3] C:\Windows\Temp\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\SetupUtil.exe
        Command line: C:\Windows\Temp\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\SetupUtil.exe /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID:2808
    [3] C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe /s "C:\Windows\TEMP\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\InstRegExp.reg"
        - Runs .reg file with regedit
        PID:2688
    [3] C:\Windows\Temp\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\SetupUtil.exe
        Command line: C:\Windows\Temp\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\SetupUtil.exe /P USERSESSIONID
        - Executes dropped EXE
        PID:5492
    [3] C:\Windows\SysWOW64\regedit.exe
        Command line: regedit.exe /s "C:\Windows\TEMP\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\InstRegExp.reg"
        - Runs .reg file with regedit
        PID:3816
    [3] C:\Windows\SysWOW64\reg.exe
        Command line: reg.exe import "C:\Windows\TEMP\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\CredProvider_Inst.reg" /reg:64
        - Registers COM server for autorun
        - Modifies registry class
        PID:4284
    [3] C:\Windows\Temp\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\SetupUtil.exe
        Command line: C:\Windows\Temp\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\SetupUtil.exe /P ST_EVENT
        - Modifies data under HKEY_USERS
        PID:6048
      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
          PID:2600
      [4] C:\Windows\system32\cmd.exe
          Command line: "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
          PID:5640
    [3] C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe
        Command line: "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g
        PID:2860
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BB74A0EF-0E85-47F7-94EC-5911C7186E1D}
        PID:5092
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D8F355A8-0E45-433B-96D7-F19F81EDBF0F}
        PID:5560
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BCF1B955-71AA-433C-9FF9-6605F2740970}
        PID:5528
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EE25E6B0-6175-41E7-B55D-6680C61A34F6}
        PID:2304
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9C54E51-8EC1-4D24-9B1D-2912AC3F05F5}
        PID:4924
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F86FFE67-D561-4B6C-AE77-F7D3407C69FF}
        PID:336
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02DFCABE-34CD-4B88-9F3D-419624914B38}
        PID:5780
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{63F51D93-717C-4593-9A88-82625F48033E}
        PID:5772
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3770CD08-FC4D-488B-8693-7581DC43ECB3}
        PID:2232
    [3] C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe
        Command line: C:\Windows\TEMP\{61FAA3BB-6081-42F7-BD5B-6003599684B5}\_is9361.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B2D2B625-DF96-47D6-8002-23E5B02FDB71}
        PID:3148
    [3] C:\Windows\Temp\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\Splashtop_Software_Updater.exe
        Command line: C:\Windows\Temp\{FCD8E8E5-1CDE-463B-A5D9-E4DACA13F7BD}\Splashtop_Software_Updater.exe /S /Caller=SVR
        - Loads dropped DLL
        - Drops file in Program Files directory
        PID:5836
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2E8ADC73-69EF-4480-8C28-3161FFA65BD5}
        PID:3008
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDDCA40F-D76A-487C-ABC2-38AACC24E8F0}
        PID:5980
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AE15C1A0-54C8-497B-AA74-E30B146F78A3}
        PID:3888
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7ED4CBF3-5DBB-4724-828B-3A5CE2819E98}
        PID:3972
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{93DECB24-F470-49C9-97A3-1DE2704FF157}
        PID:3828
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B27067EB-5A69-46D9-9D4B-3AE9E40DEAF6}
        PID:1256
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5F7E4752-ED57-49D8-BEDD-7C0D227A0F88}
        PID:4904
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C3A35AF8-AE95-4C95-803D-CF9AF4067C2E}
        PID:5656
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C5F6E63F-E0F3-4AC1-93C7-7A01A9553920}
        PID:5896
    [3] C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe
        Command line: C:\Windows\TEMP\{19174D7A-1814-4EE3-9B2F-F68CA4ACE6DF}\_isAC87.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{26E5AFE1-9B06-4041-9380-2E2B30883180}
        PID:3276
    [3] C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
        Command line: "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i
        - Registers COM server for autorun
        - Modifies registry class
        PID:5664
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DEC38288-2905-4812-B896-B78D030EE989}
        PID:5348
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{198AC493-32A8-4F24-89A3-060E0CF6B6E5}
        PID:5916
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BBF20603-51DF-4AD9-8170-6491A8B9A952}
        PID:2320
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9F09798E-B7E7-4E51-9C1F-0A4E81E4593A}
        PID:3364
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02177519-825F-4760-A8DD-EB8FEB87574D}
        PID:5192
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{512D7425-9016-4C37-BB6D-3BA391E7AD95}
        PID:5576
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2748FEBB-137D-49D4-8EB2-3E40AF5B2FD2}
        PID:2796
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B49F3934-73AE-45A6-A0F1-25889BAA029B}
        PID:5792
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7CC536A-00CA-4B9C-81B4-C90EC43302CE}
        PID:1852
    [3] C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe
        Command line: C:\Windows\TEMP\{AAD328E3-9E5C-4213-B5EF-AB3702643DC3}\_isB33F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7AB0795F-44C8-49D2-812B-0EFDD212F776}
        PID:5068
    [3] C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
        Command line: "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r
        PID:1584
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA3FB258-B914-4F48-B33B-8B32B7CF9867}
        PID:3920
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CBA38BD7-1115-434F-9945-D82B5C44311D}
        PID:5484
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EFC0A666-7DB4-4BDE-91A2-8C3E285851BC}
        PID:2764
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C60B310-8FCF-477C-AFD4-AC285CFF29A2}
        PID:5824
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9F2C0FB4-E31A-47BA-8BC0-7FA236230BDC}
        PID:4712
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A655859A-9E4A-468C-9727-CF16563A6B19}
        PID:4076
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9FFA572C-B741-4389-BF65-30B609233597}
        PID:2000
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{86C559A1-5F4C-4C53-9362-2DB06E354CA0}
        PID:3012
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B9564E1C-A9AB-4AC2-884E-3121EE7CD8EE}
        PID:5480
    [3] C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe
        Command line: C:\Windows\TEMP\{3B46BE47-E2A3-4E4B-9A6C-20D89117D9B5}\_isBBDB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7E528226-A99B-4575-A817-E912768D419A}
        PID:3372
[1] C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
    PID:3104
[1] C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
    Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2404
  [2] C:\Windows\System32\sc.exe
      Command line: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      - Launches sc.exe
      PID:5100
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "749973df-9cbb-4f3d-ac82-bc0bc05cb2a6" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
      - Executes dropped EXE
      - Drops file in System32 directory
      PID:4348
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "712ca891-3dfa-4405-8179-50ef453ce829" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
      - Executes dropped EXE
      - Drops file in System32 directory
      PID:60
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "c5db58b4-0a3e-4950-8087-e4eb91742aed" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
      - Executes dropped EXE
      - Drops file in System32 directory
      PID:1300
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "8d02a7a8-c8a1-4943-8cc1-8b0bd16b839f" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:4576
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        - Suspicious use of WriteProcessMemory
        PID:4284
      [4] C:\Windows\system32\cscript.exe
          Command line: cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          - Modifies data under HKEY_USERS
          PID:4972
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        PID:5884
      [4] C:\Windows\system32\cscript.exe
          Command line: cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          - Modifies data under HKEY_USERS
          PID:5932
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "9efa8214-5912-4088-b4ce-5b5834394e2a" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      PID:2324
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        - Suspicious use of WriteProcessMemory
        PID:4268
      [4] C:\Windows\system32\cscript.exe
          Command line: cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          - Modifies data under HKEY_USERS
          PID:1964
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        - Suspicious use of WriteProcessMemory
        PID:5704
      [4] C:\Windows\system32\cscript.exe
          Command line: cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          - Modifies data under HKEY_USERS
          PID:5748
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "b845ea71-8306-40e7-b9b8-1f8018bd26ee" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      PID:448
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        - Suspicious use of WriteProcessMemory
        PID:2664
      [4] C:\Windows\system32\cscript.exe
          Command line: cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          - Modifies data under HKEY_USERS
          PID:2480
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        - Suspicious use of WriteProcessMemory
        PID:5764
      [4] C:\Windows\system32\cscript.exe
          Command line: cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          - Modifies data under HKEY_USERS
          PID:5812
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "87df4921-e5d3-4599-9b20-21e2f6a4e19a" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"
      - Executes dropped EXE
      - Loads dropped DLL
      PID:412
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "a1750b75-6db5-41ee-8e3c-d62d4a55106f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in System32 directory
      - Drops file in Program Files directory
      PID:4372
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "89f9257a-a672-47ab-ad38-cac70c8f7a84" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      PID:2172
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "a57f9a9f-c8df-4c08-aaa4-92175eb79cf8" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"
      - Executes dropped EXE
      - Loads dropped DLL
      - Writes to the Master Boot Record (MBR)
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID:6020
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "b0cd52f9-dc3d-41ba-a3fd-c38b6b00d1eb" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"
      - Executes dropped EXE
      - Drops file in System32 directory
      PID:5536
    [3] C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
        Command line: "C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "2dd9de50-5c51-49a2-bf5f-f9f3ebabd028" "b0cd52f9-dc3d-41ba-a3fd-c38b6b00d1eb" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        PID:5608
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "613f6c02-110e-435a-8fef-d62ec620fb4b" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID:3288
    [3] C:\Windows\TEMP\SplashtopStreamer.exe
        Command line: "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID:5628
      [4] C:\Windows\Temp\unpack\PreVerCheck.exe
          Command line: "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
          - Executes dropped EXE
          - Drops file in System32 directory
          PID:4364
        [5] C:\Windows\SysWOW64\msiexec.exe
            Command line: msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
            PID:8
    [3] C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
        Command line: "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_session_pwd=112781f0f53a84079b1c68add677e7ed&rmm_session_pwd_ttl=86400"
        PID:440
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "f16a0547-0897-4e66-925a-ca118bcfee73" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"
      PID:4364
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "f8fc08ed-8203-4797-ad62-80fc35c16bb7" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      PID:2320
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "e8f96012-db8a-4ae9-b719-0268d519dfb0" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      PID:4504
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "73109b9a-d3cb-442b-9e2d-ad914189048e" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjEzIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2FhM2IzMTUwLTgwY2ItNGQzMC04N2Y4LWRjMzZmYTFkY2YyNi84ZWM5ZmY2ODM2ODI4MTc1ZjFhNmE2MGFlZmQ0ZTYzYi9kb3RuZXQtcnVudGltZS02LjAuMTMtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yZWYxMjM1Ny00OTliLTRhNWItYTQ4OC1kYTQ1YTVmMzEwZTYvZmJlMzVjMzU0YmZiNTA5MzRhOTc2ZmM5MWM2ZDhkODEvZG90bmV0LXJ1bnRpbWUtNi4wLjEzLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzVmZTE3M2VhLTRjNTgtNGE4ZC1iOGU1LTVjN2VhN2M1OTAxMS9hMTkzNmUxMjM5ZTU5ZGM0ZGY1OGExYmMzZGI1MjdjMy9kb3RuZXQtcnVudGltZS02LjAuMTMtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci80MzZiY2U2YS1mM2U3LTQ0OGUtOTI3OS1kNThmMWUzOWFiOGEvOWY1YzdlZDM3NzI5NGNjOGUwMjhlOTAwNTQwNjMyZDUvZG90bmV0LXJ1bnRpbWUtNi4wLjEzLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzVmMDk1Y2JiLWFmNmMtNGQyMC05MDlkLTg3ZGI1Mzg3OTM3MC9kNGM2ZjM4MGE5YTY4ZmM4NTNiZDg5MTE4OWYzYzk3NS9kb3RuZXQtcnVudGltZS02LjAuMTMtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlM1WTRyU0syVmtpbWcyd01pSEVGZUI2N2U5YTBIZG9ocE13TkZ1TEVJTGpXaVNQVnpYXHUwMDJCSjNPUFJ5aUVZQmlmdkZcdTAwMkI0bnN4aTVcdTAwMkJzSG4wMGN0cU13UTZBPT0iLCJNYWNYNjRDaGVja3N1bSI6IjRqSVl1dGhzTDU4dnV0cWlkZHNGMk1pQ3NcdTAwMkJBRTBUN2FWMVgwXHUwMDJCMk1FWFNSQ0xXdGdqM0x0MklldmVxZ2l1UUVsU2VxNVF1TGJybkRjSHBRbEVpd0N3QT09IiwiV2luQVJNQ2hlY2tzdW0iOiJkLzBlWkR4L0VTSE92dUM1RURKdU4yOTFqckllYnVKTXdjdUxsV2RLOGp0Ym1kbVNYUGNhVzBpOFx1MDAyQk9kdGJwcC9SaG9TMXk3SC9mOVlTTWd6aFVPY3NBPT0iLCJXaW5YNjRDaGVja3N1bSI6InNQdmlCM3VQQVpXRG53YVZoM3YwVEpjYWRUMmNLa0d0MXVNQUM5YzBwTXNNYnduZ01IUkN3ZmxjZTlxUWNjSzJNXHUwMDJCb1BSM2t6NVpNZmh1MlA1SmdvVWc9PSIsIldpblg4NkNoZWNrc3VtIjoicTE2UjdyUzZpcjR3RW1YMTZIQVJhUThtWDByNDNhek9IODZKOXpISkNpVzlmWklhS2VYL1hvbUJrQ2xocXZxSzhIeDVuNTA2R0k4MTBPakRmbG50Y3c9PSIsIldvcmtzcGFjZUlkIjoiYmYwY2U0OWQtNzdjZi00NzIxLWJmNzAtNTc2ODYzODNjOWFiIiwiTG9nTmFtZSI6IkRvdE5ldFJ1bnRpbWVJbnN0YWxsYXRpb25SZXBvcnQiLCJTaGFyZWRLZXkiOiJqVUlTL1Q5Q1JWRGVLeFlnNFVyM2FDaGhXUXVjWTdQVnZ3ZzB6SHVxSnNjclRqalEyTHdLNlVqZnU3Y0EyTnByQVIwci9TUkFYSllZbGRQS0tGeUtLUT09In0="
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      PID:6012
    [3] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
        PID:5456
    [3] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe
        Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" /repair /quiet /norestart
        - Executes dropped EXE
        PID:3920
      [4] C:\Windows\Temp\{F5C3D3EA-F77E-4F74-A998-89A8DC7AEAB2}\.cr\6-0-13.exe
          Command line: "C:\Windows\Temp\{F5C3D3EA-F77E-4F74-A998-89A8DC7AEAB2}\.cr\6-0-13.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" -burn.filehandle.attached=720 -burn.filehandle.self=724 /repair /quiet /norestart
          - Executes dropped EXE
          - Loads dropped DLL
          PID:5832
        [5] C:\Windows\Temp\{E77D0468-D42D-422D-95F0-8A9D585D9188}\.be\dotnet-runtime-6.0.13-win-x64.exe
            Command line: "C:\Windows\Temp\{E77D0468-D42D-422D-95F0-8A9D585D9188}\.be\dotnet-runtime-6.0.13-win-x64.exe" -q -burn.elevated BurnPipe.{FAB5E244-ED7A-4DBC-9FCB-90EAD785D171} {2C576A9A-6FE0-48DE-AE93-36ECDBA1088B} 5832
            - Executes dropped EXE
            - Adds Run key to start application
            - Modifies registry class
            PID:6132
    [3] C:\Windows\SYSTEM32\cmd.exe
        Command line: "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
        PID:3448
    [3] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe
        Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" /repair /quiet /norestart
        PID:5236
      [4] C:\Windows\Temp\{BCC60158-29BB-457A-8263-C40573B128C9}\.cr\6-0-13.exe
          Command line: "C:\Windows\Temp\{BCC60158-29BB-457A-8263-C40573B128C9}\.cr\6-0-13.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\6-0-13.exe" -burn.filehandle.attached=552 -burn.filehandle.self=560 /repair /quiet /norestart
          PID:4052
        [5] C:\Windows\Temp\{BB74C936-D91A-400F-8EA5-A6921793D8FE}\.be\dotnet-runtime-6.0.13-win-x64.exe
            Command line: "C:\Windows\Temp\{BB74C936-D91A-400F-8EA5-A6921793D8FE}\.be\dotnet-runtime-6.0.13-win-x64.exe" -q -burn.elevated BurnPipe.{D046F1E4-3CAC-4178-9DC8-6BF3F80216DE} {C13643CB-27C1-41E6-A856-D273F24F7B81} 4052
            PID:3076
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "f5602837-c7eb-41b5-8941-2bdadcf26508" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"
      - Executes dropped EXE
      - Drops file in System32 directory
      PID:5620
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "4e5bd9fb-1929-41a6-8201-ab01a4550397" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      PID:3004
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "0bf8d214-26e3-47b2-be1a-7f1777e0eebe" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
      - Executes dropped EXE
      PID:5212
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "e9c388ec-d700-44cb-8afa-012d52a218b8" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      PID:3816
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "dff1d44b-41ec-4881-a5c5-46bbacfbfd16" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"
      - Executes dropped EXE
      - Drops file in System32 directory
      - Modifies data under HKEY_USERS
      PID:2432
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "489b50e4-b609-46a4-88ce-6fc56e2caab1" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"
      - Executes dropped EXE
      - Drops file in System32 directory
      PID:5400
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "cf65a741-b203-40dc-b23d-b8f9a982975a" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"
      - Executes dropped EXE
      PID:5828
    [3] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
        PID:1960
      [4] C:\Windows\system32\cscript.exe
          Command line: cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
          - Modifies data under HKEY_USERS
          PID:5640
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "f8fc08ed-8203-4797-ad62-80fc35c16bb7" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
      - Executes dropped EXE
      PID:5128
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "f8fc08ed-8203-4797-ad62-80fc35c16bb7" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"
      PID:5676
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "0bf8d214-26e3-47b2-be1a-7f1777e0eebe" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"
      PID:5588
  [2] C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
      Command line: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 2dd9de50-5c51-49a2-bf5f-f9f3ebabd028 "613f6c02-110e-435a-8fef-d62ec620fb4b" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"
      PID:6072
[1] C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe
    Command line: "C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe"
    PID:5936
[1] C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
    Command line: "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"
    PID:1184
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- Sets service image path in registry
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1792 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h3⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5308 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c sc stop SSUService4⤵PID:5316
-
C:\Windows\system32\sc.exesc stop SSUService5⤵
- Launches sc.exe
PID:6092
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c sc config SSUService start=demand4⤵PID:4120
-
C:\Windows\system32\sc.exesc config SSUService start=demand5⤵
- Launches sc.exe
PID:4952
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe" /S4⤵PID:2796
-
C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe"C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe" /S5⤵PID:5772
-
C:\Windows\TEMP\~nsuA.tmp\Au_.exe"C:\Windows\TEMP\~nsuA.tmp\Au_.exe" /S _?=C:\Program Files (x86)\Splashtop\Splashtop Software Updater\6⤵
- Drops file in Program Files directory
PID:4924
-
-
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- Loads dropped DLL
PID:4328
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:5044
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵
- Loads dropped DLL
PID:3424 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵PID:5260
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe"4⤵
- Suspicious use of SetWindowsHookEx
PID:4616
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (3)
- Create or Modify System Process (1)
  - Windows Service (1)
Defense Evasion
- Impair Defenses (1)
- Modify Registry (3)
- Pre-OS Boot (1)
  - Bootkit (1)
- Subvert Trust Controls (1)
  - Install Root Certificate (1)
Downloads
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
4.5MB
MD5e1aec662576081ee2de150d01ee4af79
SHA16a12d05a3578bbed0935b07955e220f6a5c3f9b1
SHA256717d0f0a96c81a06201c9d01c354f9d199b5e5b0f48127fa3545fef5ff8f54c2
SHA51216201d3b26330ce487cc0af7532ee3ac1126c5726009418f74020be65db676bb8101d99933a75057b9a356afc47bd0ac8ffa3d5d908841c92297b98e953a829c
-
Filesize
275KB
MD5672e03b9d7a2d50f3e935909a198928b
SHA16cc8a45126243c6ad8a6336ef1789e6a8b5dd33f
SHA256c4772f8a8761f052bd0336923539699ba2f358ac203beb197cda576146e05a0d
SHA512bf5833ea48942319d560fb4dad62997fa5495e0d9c634361d919d3328364d0f4a999dfb56590d48227c3690d8a867b022f6d5fd01c46f27d2ad6421d88380372
-
Filesize
275KB
MD5672e03b9d7a2d50f3e935909a198928b
SHA16cc8a45126243c6ad8a6336ef1789e6a8b5dd33f
SHA256c4772f8a8761f052bd0336923539699ba2f358ac203beb197cda576146e05a0d
SHA512bf5833ea48942319d560fb4dad62997fa5495e0d9c634361d919d3328364d0f4a999dfb56590d48227c3690d8a867b022f6d5fd01c46f27d2ad6421d88380372
-
Filesize
275KB
MD5672e03b9d7a2d50f3e935909a198928b
SHA16cc8a45126243c6ad8a6336ef1789e6a8b5dd33f
SHA256c4772f8a8761f052bd0336923539699ba2f358ac203beb197cda576146e05a0d
SHA512bf5833ea48942319d560fb4dad62997fa5495e0d9c634361d919d3328364d0f4a999dfb56590d48227c3690d8a867b022f6d5fd01c46f27d2ad6421d88380372
-
Filesize
19KB
MD54db38e9e80632af71e1842422d4b1873
SHA184fe0d85c263168487b4125e70cd698920f44c53
SHA2564924aad650fa0f88c6fc6ca77068d73f70f0d0866a98212b615290ffb0b04efa
SHA5129ce1e75b11e43369fe2320cf52bef856170385a8e898a934c735cb92a8399e5e612a54b248579687c372dae58e47e05d9095116313aea9555cf2358944252d77
-
Filesize
19KB
MD54db38e9e80632af71e1842422d4b1873
SHA184fe0d85c263168487b4125e70cd698920f44c53
SHA2564924aad650fa0f88c6fc6ca77068d73f70f0d0866a98212b615290ffb0b04efa
SHA5129ce1e75b11e43369fe2320cf52bef856170385a8e898a934c735cb92a8399e5e612a54b248579687c372dae58e47e05d9095116313aea9555cf2358944252d77
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
2.6MB
MD560c20160ce9aaf007bab367ca7fc3a16
SHA121aba7bf178ff5df590e61a66e21b2241d8f1e57
SHA2566f91d1278cf86d976c8800a6ae122e8154bb8d7fd71f975fb3894975d1ade18f
SHA512108ee6d8db6456a637bc43181ecdbd98c5c48dcbf670cea4706f509c45a235afad7ca02c98b8a94673255e9af86f7cd0176ce156f6ba02cf3ea8b26cb625fab4
-
Filesize
51.0MB
MD55f735c726c47c9c9baa4999b28134200
SHA140a6f5c038f7753ac1bc02e779ad3ac045bd0dc9
SHA256e56d9aeec560ee40bef62b124cdcf0b587c54750b6c8d0957136d6940a5270c4
SHA512d930414197c5e45e84fda17b925202d228cd14d010c35b77d0b862118e9d09259881e4174b7c32efe6cc0c01c8779dcecb28b4fe7de34952c2b7c3d4496d3b1e
-
Filesize
2KB
MD5463b4b28c7742bd7e6986265293eab86
SHA17c97a76cfbfcd61a7ecf7f5ede083f6eada87f65
SHA256e76ff5cd172bc6af7ddcefd49a8e364ccd6288fc9399b75a593d2427a3c2a38d
SHA5125ba11312fc9ae98fa36f1f78a4b074c881a90f4ec77f91cb4a6d02b4389150d976045ad0e2c8590e90b43b16ac225dccb031d319ab22e504e65a72c67dd579ab
-
Filesize
4KB
MD560221ecd6535612c2e15f32f6d7b4649
SHA1f485d0f28a0afa06cb639f23ec437b70e7a10cdc
SHA25612fbbf7c18cc96157050b500a58de9d42860d63dabf4cc935dd448dd125afdab
SHA512536f250dbaa004e881a2f5124aa06033effd18e37ebcfadd345e635d8830d58712f630f0b43abf82f60d35770d46742f73933d33070096c9c6c7471b5c6aaabe
-
Filesize
2KB
MD5e15dda10a949935b42322b5c1ef0a46b
SHA1ebda18360e859196fe8cbe73842d17728fd47da4
SHA256c5efdb8e60baee8ebfbb3569eec1bfe26c5fe69312fe5f2c8ff3356be1621da3
SHA512ce80c38803382187a7b963b9e6765d4fafab365b964c7daf28695a80192825b4dd2710ee9f034fd61d214fd8409c092e895d8f079fdf2624a3868cbdf0917c49
-
Filesize
10KB
MD556a321bd011112ec5d8a32b2f6fd3231
SHA1df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA5125354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3
-
Filesize
4KB
MD5fbd7f36ac346d3036497236aff9d9e78
SHA1537eda0f9e3aeb6e500511511a9bb0680713ea42
SHA2569020a21142494110276858118b395be31aae5945e167b4de899a9634a22d1232
SHA512436807e28e7b0eecb1037e62741b057f793f063d85ca9e8a00ec0b0c5512ec6c710442195d5844c384f90fb39529c1d90af58ee7e9b04f91723456b598075608
-
Filesize
2.6MB
MD52c1da423b2b103d4282b8d309d6b19d7
SHA1024c7efefd7082ca17220ebacb0d6902cb052999
SHA256971936160034e895a6b3df9559bd93a73f380dac22df3992596277c126238d40
SHA5120612228ceae648cc8849d14f94409c26852e3c17bd7585f16b6770c834383931b9da02bf616db6a5ab3e09a2ba2762b5e331e719e88b926731c232ae42442485
-
Filesize
538B
MD54fc78ce9b7de2cd92629ebef9ce80dd2
SHA1e337f09dc08b7112cbdcb7cd63a9e328f16875ff
SHA256d4d6d96b94b847b77da0cbd571b6b8973726a34bad2cc9f57432f06bef7dc56b
SHA5122cd6147fd81ba467940356dcdfe076f649d39d9d0648198d49660a32f99198df7bd54e226d2dfa42774fc456be035fc223077ad1af6b9f3ade1e4ffc169b80cf
-
Filesize
181KB
MD5ea9030a3db63f92b892d84790d25274a
SHA1bdd708181e9f580b980cb9720c480be4b440db24
SHA2565109fa509f74956ab3489760b6a5b9786d7fb6f9eccf53ad0dc9d728d285d88d
SHA5127cb051e8dd5331ffc15c0db09bf9dfdd7e70890ecbd5de60b33b2412b42375777fe455786d7c6aba158ac420da58dd8f32f6ed57374a937de91a6c5df259a6d0
-
Filesize
179KB
MD57a1c100df8065815dc34c05abc0c13de
SHA13c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize
343KB
MD5cd39d2528e0d5c9e5ef82cbc2a71e9b9
SHA17341d518fe6f43291d0644f21bc0258a3f0396c4
SHA25602a31b61103b80ce91c2e07038a2316cc8f9cbbd240c807b8a5ff90ff499ca9d
SHA512becfc403c84da256d015ea8da4b1981d46ef70632e06192023d2e122855e600cfb82eb1547dec281ef4953f7b75ec4da2a142ec614fd3e1b2b13012f5f58ceed
-
Filesize
5KB
MD5f44c2959eeeff784d8aca917a909d906
SHA16eb702ff663a96eb915c31402345fab970d389d6
SHA256835aa38b22480e84ccdf9f925ef2cd640e015bc2077674a6313c5175ea3db5be
SHA5125ce766ad44454efd56f05461cb2ba019da0eacbdf938e8e803bd9296a48dd8eb7dc47d602a4ca9b210839a6e58fc19ea7ae1d9ef5f1f07b4cc6297214733496e
-
Filesize
197KB
MD54356ee50f0b1a878e270614780ddf095
SHA1b5c0915f023b2e4ed3e122322abc40c4437909af
SHA25641a8787fdc9467f563438daba4131191aa1eb588a81beb9a89fe8bd886c16104
SHA512b9e482efe9189683dabfc9feff8b386d7eba4ecf070f42a1eebee6052cfb181a19497f831f1ea6429cfcce1d4865a5d279b24bd738d702902e9887bb9f0c4691
-
Filesize
427KB
MD585315ad538fa5af8162f1cd2fce1c99d
SHA131c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA25670735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize
1.8MB
MD5befe2ef369d12f83c72c5f2f7069dd87
SHA1b89c7f6da1241ed98015dc347e70322832bcbe50
SHA2569652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
609KB
MD57fc7feff419ae763ddee6799c273f627
SHA195a73d59edd7bf46a188675c27dfc6706a978c8a
SHA256d40e53e227fd65afd42c5178ea75737b6082763773a48fd4ce79a296c366a288
SHA512f3514ceee0b72c00ebd13f28bb4db5e7db231153cb894cd04039857d30ff04ad6934c1ecc26c872af55951588b27f5a4e71139c479a659ea5516213ba0613f04
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9
Filesize727B
MD537dd90c2d9505f80dbb219767e8b046d
SHA1a724a38fb9fa27397a93b8793046e5b98718f5c5
SHA256919facb27dd032f276e4dfac472b39eb5f18fd999985d8accfa7d7ba1ee35fd5
SHA5126e3078f9647ab03703cbeac84dbb060d802b28cafe8cf6c7695a44f2f5995c0bf23f236928186c9a61431f239d3bcff9cee0b558887c9c5f39156f8a09b2fa18
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5d27bd216a97d88e036de0611db096ed0
SHA1673333c7819386d77b478a669704dbeb50600930
SHA256e7b868496dbca103ba27c3ee69b6f4cc4c11c8b0f8eb6995e629c96f3c3ab127
SHA512f8342c496d469bf4ffbef68453822a746775656dcae84eafd29398b75715591262f28f1a5a7a95511b38fe8fac91593c505ec8e856ecd39380dd1f5abef2b940
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9
Filesize408B
MD50fbf5263d69b1e3a1396c806bf2a0dc0
SHA113077bb219c94b0bd45c47a94473dc77af230a3e
SHA256c61b5b3aa49a112f30616a6f92010724e107df34a83890878abd73163cae7504
SHA512a1c7dbb4e543386c2f548914bd57ab5f64c69da26886421effff8df86b651c30ed44c4c19a2a6a0fcc4bf769213e912bbd7d3e06027424c9ca5a16031e872d11
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD560dc4bb7788394fb1771ec7200f94a4c
SHA11dfae4b2a127c4ec1d7c2bd757080bf1daceafdf
SHA25642dbe36453013e14b39554c0fb23dc0e5bd1a8f1dff5a46f95e31cc9facea1de
SHA5122f65a25d4facb99a3344430d9558b7c415ca72059ca8ec3388fac2f6f5fc686823178025c67a42fb498374a2880ca90fbeb641e4781564d32724b71cfc5dfb35
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Filesize1KB
MD513a7fdad59a18467731ffd4f239243da
SHA1654ca1623613632cd90265d16ee06a5b9ac7e143
SHA256ec17a221f0cce9c92441d57c92c77ea10296a2bbf7fd2947c63cb68f0fba3313
SHA512fa8dedf0488eee2e66bee62ac437164042b9599484981342214f61840ba7abae860647318535f030fc7d26addf331bd32e58242e310bc6b87d44d3cdc959c1d7
-
Filesize
23.0MB
MD5d09a07ef98fdbf8a69f0f5c79626143d
SHA10bf9909dd85b73fb533d7ebe414c16c6d80a712d
SHA256259faa7eb47d4d223c3f3d626623c6819bfcf504741dedf0393c5032f5fd12c8
SHA51205518e9c9e52959feac45e937e0978ea4968cd11645a874cce426b02ee856c41e547538e353bf39582f98979099773790d6d9b29f312b5bc1ceb7afb28316cde
-
\??\Volume{650106ce-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f782f39b-3c0b-43b8-8a35-08b22e661e21}_OnDiskSnapshotProp
Filesize5KB
MD561485f57d48b69f2072889d5d6cdf830
SHA1376347527ac54b229b1025307b92fe9ad4cbeec9
SHA256a07327001b56423d6f8efc58cd904ea8055de9b230cfe20187b813b6f0b4a2cd
SHA512f2cc460575e67d3ddc949711fae40220304acc44b5dc2f8dbc5faf92a8719cf53d8dfc319d3aecab660b844cef009030c965b94042fa0e5f82403e72c4e57c17