Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
11/03/2024, 11:43
Static task
static1
Behavioral task
behavioral1
Sample
setup.msi
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
setup.msi
Resource
win10v2004-20231215-en
General
-
Target
setup.msi
-
Size
2.6MB
-
MD5
959a8c7e22f65f450f54d1b4f81ec7f8
-
SHA1
01b0d9739bdda255096c1e12d52fa0f8bc0ca8cf
-
SHA256
435e9543dd0cbcac3848ecdc102ccf54f393faed95f7374ff4591e5427ca00b8
-
SHA512
1bfc3bb943a9af604d46023e6a392928d079557a004e68e74f0b5815952d8ecae8bbe63312955ae70d01cdf6a5d35a9f440f0bfaf919b1aea7d45a71dfb63978
-
SSDEEP
49152:L51VAM5R2KAHlcp8qFmmzDza2Rqr+kMdPTEe/pjO8xn+ch/TlOFNOnUI:LPCMr2NMRmk/XeM9TEeRvx+ch/TlAr
Malware Config
Signatures
-
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process
Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SSUService\ImagePath = "\"C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe\"" SRManager.exe -
Stops running service(s) 3 TTPs
-
resource yara_rule
behavioral2/memory/5512-2828-0x0000000072F10000-0x000000007300C000-memory.dmp upx
behavioral2/memory/5512-2829-0x0000000072DF0000-0x0000000072F0C000-memory.dmp upx
behavioral2/memory/5512-2830-0x0000000072A20000-0x0000000072DE4000-memory.dmp upx
behavioral2/memory/5896-2957-0x0000000072F10000-0x000000007300C000-memory.dmp upx
behavioral2/memory/5896-2958-0x0000000072DF0000-0x0000000072F0C000-memory.dmp upx
behavioral2/memory/5896-2959-0x0000000072A20000-0x0000000072DE4000-memory.dmp upx
behavioral2/memory/6116-2961-0x0000000072DF0000-0x0000000072F0C000-memory.dmp upx
behavioral2/memory/6116-2962-0x0000000072A20000-0x0000000072DE4000-memory.dmp upx
behavioral2/memory/6116-2960-0x0000000072F10000-0x000000007300C000-memory.dmp upx
behavioral2/memory/6016-2963-0x0000000072F10000-0x000000007300C000-memory.dmp upx
behavioral2/memory/6016-2964-0x0000000072DF0000-0x0000000072F0C000-memory.dmp upx
behavioral2/memory/6016-2965-0x0000000072A20000-0x0000000072DE4000-memory.dmp upx -
Blocklisted process makes network request 3 IoCs
flow pid Process
5 2244 msiexec.exe
7 2244 msiexec.exe
169 3964 MsiExec.exe -
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: 
msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process
File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe
File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe -
Drops file in System32 directory 53 IoCs
description ioc Process File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB SRManager.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log AgentPackageSystemTools.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log AgentPackageMarketplace.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log AgentPackageRuntimeInstaller.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log AgentPackageAgentInformation.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache MsiExec.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 Agent.Package.Availability.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log AgentPackageProgramManagement.exe File opened for modification 
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62 Agent.Package.Availability.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 Agent.Package.Availability.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 AteraAgent.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log rundll32.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_B5D3A17E5BEDD2EDA793611A0A74E1E8 Agent.Package.Availability.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D03E46CD585BBE111C712E6577BC5F07_EF103B60D5635F362C373B524B661A1C Agent.Package.Availability.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft MsiExec.exe File opened for modification 
C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB SRManager.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log AgentPackageMonitoring.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 Agent.Package.Availability.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D03E46CD585BBE111C712E6577BC5F07_EF103B60D5635F362C373B524B661A1C Agent.Package.Availability.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log AgentPackageSTRemote.exe File opened for modification 
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\SRCredentialProvider.dll MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log AgentPackageADRemote.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log AgentPackageInternalPoller.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File created C:\Windows\system32\SRC405E.tmp MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894 Agent.Package.Availability.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log AgentPackageHeartbeat.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log AgentPackageOsUpdates.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog 
AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log AgentPackageUpgradeAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E MsiExec.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Microsoft.ApplicationInsights.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon64.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Atera.AgentPackage.Common.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver64.bat msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.Utils.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Calendars.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\runtimes\win\lib\net6.0\System.ServiceProcess.ServiceController.dll AteraAgent.exe File created C:\Program Files\ATERA 
Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingTrayTMP.exe.config AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdpgscl.gpd msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Sinks.File.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\cwwsaily.newcfg AgentPackageTicketing.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Atera.AgentPackages.ModelsV3.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_mount.bat msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Parallel.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcelt-0.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\lci_iddcx.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRClient.pem SRSelfSignCertUtil.exe File created C:\Program 
Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.EventLog.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Memory.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\XDColMan.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\servers.cfg AgentPackageInternalPoller.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe.config AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Xml.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdcolman.gpd msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TextWriterTraceListener.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.ResourceManager.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.Abstractions.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe.config AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\enum64.exe 
msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_iddcx.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver64.bat msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability.zip AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Diagnostics.DiagnosticSource.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\generic.cfg AgentPackageInternalPoller.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.runtimeconfig.json AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\lh.txt AgentPackageSTRemote.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\utils\devcon64.exe msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxywddm.sys msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll AteraAgent.exe 
File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.runtimeconfig.json AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.Unsafe.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUACCheck.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe msiexec.exe -
Drops file in Windows directory 52 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSI85BA.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI5719.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI73ED.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI394B.tmp msiexec.exe File created C:\Windows\Installer\e578550.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5E51.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1F44.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI209D.tmp msiexec.exe File created C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\e57854d.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI85BA.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI8B0D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI585E.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{C5F5A288-85FF-4257-AF69-D5910E6268B5} msiexec.exe File opened for modification C:\Windows\Installer\MSI5DD2.tmp msiexec.exe File created C:\Windows\Installer\e57855e.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI31F6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI85BA.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI85BA.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI8A8E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2198.tmp msiexec.exe File opened for modification C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI4DAE.tmp msiexec.exe File opened for modification 
C:\Windows\Installer\MSI5719.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\e57855f.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e57854d.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5E21.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI741E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3850.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678} msiexec.exe File opened for modification C:\Windows\Installer\MSI5719.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI5719.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI5DB1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2E2C.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{19372515-C074-47FF-8D34-2030BF338E2E} msiexec.exe File created C:\Windows\Installer\e57855f.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5D71.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5719.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI8A8F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8B9A.tmp msiexec.exe File created C:\Windows\Installer\e57854f.msi msiexec.exe File opened for modification C:\Windows\Installer\e578550.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5AC0.tmp msiexec.exe File created C:\Windows\Installer\e578563.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI85BA.tmp msiexec.exe File opened for modification 
C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI73EE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI745D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI5D91.tmp msiexec.exe -
Executes dropped EXE 64 IoCs
pid Process 4220 AteraAgent.exe 4996 AteraAgent.exe 2268 AgentPackageAgentInformation.exe 4480 AgentPackageAgentInformation.exe 1360 AgentPackageAgentInformation.exe 4276 AgentPackageAgentInformation.exe 3852 AteraAgent.exe 1068 AgentPackageAgentInformation.exe 324 AgentPackageMonitoring.exe 4404 AgentPackageAgentInformation.exe 4724 AgentPackageSTRemote.exe 5008 AgentPackageUpgradeAgent.exe 4052 AgentPackageTicketing.exe 2812 AgentPackageSystemTools.exe 3712 AgentPackageADRemote.exe 4076 AgentPackageMonitoring.exe 1708 Agent.Package.Availability.exe 4400 AgentPackageInternalPoller.exe 3328 AgentPackageHeartbeat.exe 1512 AgentPackageOsUpdates.exe 4900 AgentPackageMarketplace.exe 3408 AgentPackageRuntimeInstaller.exe 3516 AgentPackageProgramManagement.exe 212 Agent.Package.Watchdog.exe 5792 SplashtopStreamer.exe 2512 PreVerCheck.exe 5564 AteraAgent.exe 5648 Agent.Package.Availability.exe 4648 AteraAgent.exe 5668 AteraAgent.exe 4640 AgentPackageADRemote.exe 4420 AgentPackageHeartbeat.exe 5432 AgentPackageAgentInformation.exe 2164 Agent.Package.Watchdog.exe 5040 AgentPackageInternalPoller.exe 5428 AgentPackageMarketplace.exe 1200 AgentPackageRuntimeInstaller.exe 2932 AgentPackageSTRemote.exe 912 AgentPackageOsUpdates.exe 4748 AgentPackageProgramManagement.exe 5836 AgentPackageSystemTools.exe 1140 AgentPackageMonitoring.exe 5968 SplashtopStreamer.exe 876 PreVerCheck.exe 3920 _is2224.exe 5904 _is2224.exe 6004 _is2224.exe 3328 _is2224.exe 1744 _is2224.exe 796 _is2224.exe 4208 _is2224.exe 4348 _is2224.exe 5168 _is2224.exe 5012 _is2224.exe 1204 _is2E5A.exe 6068 _is2E5A.exe 5612 _is2E5A.exe 3064 _is2E5A.exe 1744 _is2E5A.exe 4208 _is2E5A.exe 4348 _is2E5A.exe 5600 _is2E5A.exe 2904 _is2E5A.exe 5708 _is2E5A.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
pid Process
1596 sc.exe
4212 sc.exe
3548 sc.exe
3776 sc.exe
4700 sc.exe -
Loads dropped DLL 64 IoCs
pid Process 1604 MsiExec.exe 4880 rundll32.exe 4880 rundll32.exe 4880 rundll32.exe 4880 rundll32.exe 4880 rundll32.exe 1604 MsiExec.exe 3564 MsiExec.exe 3564 MsiExec.exe 324 AgentPackageMonitoring.exe 4076 AgentPackageMonitoring.exe 2052 MsiExec.exe 5924 rundll32.exe 5924 rundll32.exe 5924 rundll32.exe 5924 rundll32.exe 5924 rundll32.exe 2052 MsiExec.exe 2052 MsiExec.exe 2052 MsiExec.exe 2052 MsiExec.exe 2052 MsiExec.exe 2052 MsiExec.exe 1140 AgentPackageMonitoring.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 868 Splashtop_Software_Updater.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 5896 SRManager.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 3964 MsiExec.exe 5896 SRManager.exe 5896 SRManager.exe 5896 SRManager.exe 6116 SRServer.exe 6116 SRServer.exe -
Registers COM server for autorun 1 TTPs 6 IoCs
description ioc Process
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32 SRService.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "C:\\Windows\\system32\\SRCredentialProvider.dll" SRService.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" SRService.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32 reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider.dll" reg.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" reg.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
NSIS installer 4 IoCs
resource yara_rule
behavioral2/files/0x0006000000023369-1954.dat nsis_installer_2
behavioral2/files/0x00070000000233b7-2452.dat nsis_installer_2
behavioral2/files/0x0008000000023462-2835.dat nsis_installer_1
behavioral2/files/0x0008000000023462-2835.dat nsis_installer_2 -
Checks SCSI registry key(s) 3 TTPs 11 IoCs
SCSI information is often read in order to detect sandboxing environments.
Kills process with taskkill 11 IoCs
pid Process
4612 taskkill.exe
3776 TaskKill.exe
3488 TaskKill.exe
2884 taskkill.exe
864 taskkill.exe
5604 taskkill.exe
4012 taskkill.exe
1764 taskkill.exe
4488 TaskKill.exe
5932 taskkill.exe
2236 taskkill.exe
-
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 64 IoCs
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process
2244 msiexec.exe
2244 msiexec.exe
6116 SRServer.exe
6116 SRServer.exe
-
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process
5792 SplashtopStreamer.exe
5968 SplashtopStreamer.exe
6116 SRServer.exe
2800 SRAppPB.exe
2800 SRAppPB.exe
752 SRDetect.exe
6116 SRServer.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2244

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3588

    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID:2976

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 0D28ACA26F99002C73F96C74407B40AF
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:1604

        C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSI85BA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240617125 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
          - Drops file in Windows directory
          - Loads dropped DLL
          PID:4880

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 13D11C6961755CB81475DD8CD1E74E1F E Global\MSI0000
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID:3564

        C:\Windows\SysWOW64\NET.exe
          "NET" STOP AteraAgent
          - Suspicious use of WriteProcessMemory
          PID:5076

            C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP AteraAgent
              PID:2488

        C:\Windows\SysWOW64\TaskKill.exe
          "TaskKill.exe" /f /im AteraAgent.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken
          PID:3776

    C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000007gaJEIAY"
      - Drops file in System32 directory
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      PID:4220

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 24A8BE7E3B96151D90E8A4A630EC5768 E Global\MSI0000
      - Loads dropped DLL
      PID:2052

        C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSI5719.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240670531 25 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
          - Drops file in System32 directory
          - Drops file in Windows directory
          - Loads dropped DLL
          PID:5924

        C:\Windows\SysWOW64\NET.exe
          "NET" STOP AteraAgent
          PID:5944

            C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP AteraAgent
              PID:5540

        C:\Windows\SysWOW64\TaskKill.exe
          "TaskKill.exe" /f /im AteraAgent.exe
          - Kills process with taskkill
          PID:4488

        C:\Windows\syswow64\NET.exe
          "NET" STOP AteraAgent
          PID:4916

            C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 STOP AteraAgent
              PID:4244

        C:\Windows\syswow64\TaskKill.exe
          "TaskKill.exe" /f /im AteraAgent.exe
          - Kills process with taskkill
          PID:3488

    C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u
      - Drops file in System32 directory
      - Executes dropped EXE
      PID:5564

    C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId=""
      - Drops file in System32 directory
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      PID:4648

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 148C10A0CEB02C9A162E807078345110 E Global\MSI0000
      - Blocklisted process makes network request
      - Drops file in System32 directory
      - Loads dropped DLL
      - Modifies data under HKEY_USERS
      - Modifies registry class
      PID:3964

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{78271AD1-953C-4772-B93F-5AB403A7692F}
          - Executes dropped EXE
          PID:3920

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B410D2C0-3E75-485B-B595-FE6A9A5BAC44}
          - Executes dropped EXE
          PID:5904

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E04E67C3-B49C-4E80-A29E-667A330EC173}
          - Executes dropped EXE
          PID:6004

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FFA44FC5-AF06-4303-A1DB-1488560FDBF8}
          - Executes dropped EXE
          PID:3328

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{817B94DA-5249-4B83-82D1-03DD45FC02D5}
          - Executes dropped EXE
          PID:1744

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1628EA76-959B-495B-990E-75CADAA57FCF}
          - Executes dropped EXE
          PID:796

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6C87F469-B0F5-4B56-B8B8-D59918E47ED9}
          - Executes dropped EXE
          PID:4208

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{628499EF-5E15-4953-91E7-62F74238325F}
          - Executes dropped EXE
          PID:4348

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C9B0DBC-CA6D-4F3D-9A13-D6D98A59EB26}
          - Executes dropped EXE
          PID:5168

        C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe
          C:\Windows\TEMP\{9C57A21E-20F1-4EAE-AFFC-C9EF60C6183D}\_is2224.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7655AB39-A88A-4CBB-AAF5-6ABC688F4A11}
          - Executes dropped EXE
          PID:5012

        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
          PID:5428

            C:\Windows\SysWOW64\taskkill.exe
              taskkill.exe /F /IM SRServer.exe /T
              - Kills process with taskkill
              PID:2884

        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
          PID:3308

            C:\Windows\SysWOW64\taskkill.exe
              taskkill.exe /F /IM SRApp.exe /T
              - Kills process with taskkill
              PID:5932

        C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
          PID:4488
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- Kills process with taskkill
PID:864
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵PID:4888
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- Kills process with taskkill
PID:5604
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵PID:1060
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- Kills process with taskkill
PID:4012
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵PID:3164
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- Kills process with taskkill
PID:2236
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵PID:4072
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- Kills process with taskkill
PID:1764
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵PID:4648
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- Kills process with taskkill
PID:4612
-
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7BDF8EF0-1C66-437B-A0F1-D0EE7DFB92B8}3⤵
- Executes dropped EXE
PID:1204
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E4E16D40-B8B7-4963-ABD4-D1F3DCCDDEE8}3⤵
- Executes dropped EXE
PID:6068
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{301614F3-A2C5-4368-BA28-19CBDF6C85C0}3⤵
- Executes dropped EXE
PID:5612
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A1798D16-18E5-45EB-9E86-936EA6EB2A9D}3⤵
- Executes dropped EXE
PID:3064
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B3DD75BF-684E-477B-93F5-0A662F0AA416}3⤵
- Executes dropped EXE
PID:1744
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06AA72F6-8D8D-4715-92E0-BA8448C1541A}3⤵
- Executes dropped EXE
PID:4208
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0C236EC7-FAD9-4A72-9CAC-9C1B5F9BB2EA}3⤵
- Executes dropped EXE
PID:4348
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{24FABA84-7931-4785-8FF1-41A0BE1B88EF}3⤵
- Executes dropped EXE
PID:5600
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2B9CC60F-CE15-4732-B414-7434B124B986}3⤵
- Executes dropped EXE
PID:2904
-
-
C:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exeC:\Windows\TEMP\{5ADB3997-1072-4D7D-B0B3-3B33EE65ABAF}\_is2E5A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91AA21E8-AE81-4598-8642-83ECD625BA9B}3⤵
- Executes dropped EXE
PID:5708
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A89A711D-203D-48B0-9BCB-A27A813AD489}3⤵PID:3296
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A30BA51B-7AF3-48A3-8779-887942B8D511}3⤵PID:2828
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C2B830B4-BBF6-4D7E-BDB8-EE4EE99E5C5C}3⤵PID:5412
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{061AAD0D-22D8-4C5A-A930-7A9FC9248F98}3⤵PID:868
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4EFE14C9-EC55-44FE-B13F-A66C4EF5224A}3⤵PID:2144
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB9FA5A8-74E2-45C6-A956-A070B0F0D15C}3⤵PID:2884
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{62C1A806-5869-4005-9158-6E1AB967D9A7}3⤵PID:972
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4B4D2E86-094F-45EB-9106-3531F014AB0C}3⤵PID:3500
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{18A1A2A0-E49C-4546-A465-D27009FA52ED}3⤵PID:5888
-
-
C:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exeC:\Windows\TEMP\{4A710DAF-1890-4AF8-AB73-83B7FB284DAF}\_is39F4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{384ED687-2CC9-4442-9B91-1E4F59FD478B}3⤵PID:1556
-
-
C:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\SetupUtil.exeC:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\SetupUtil.exe /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵PID:6112
-
-
C:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\SetupUtil.exeC:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\SetupUtil.exe /P USERSESSIONID3⤵PID:2736
-
-
C:\Windows\SysWOW64\reg.exereg.exe import "C:\Windows\TEMP\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\CredProvider_Inst.reg" /reg:643⤵
- Registers COM server for autorun
- Modifies registry class
PID:5224
-
-
C:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\SetupUtil.exeC:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\SetupUtil.exe /P ST_EVENT3⤵PID:5280
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:5476
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:5088
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g3⤵
- Drops file in Program Files directory
PID:6068
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{988F8ACF-18C8-4762-ADA1-1DAED40B8650}3⤵PID:5168
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{52CCFD02-49C8-48FD-A32A-F69F30518A88}3⤵PID:5012
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{890CA543-FA78-4C78-AD43-5A22A8777B1D}3⤵PID:5960
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{38A7114B-3358-4E2E-A00C-2376B5C6BB9C}3⤵PID:4708
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{910D5CF5-C8DF-4679-AC19-FF554F85FABC}3⤵PID:6000
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B2AC2BC7-3762-4D8A-963E-8B992CA432EE}3⤵PID:4724
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{39C2ED08-8455-4FFA-88C7-99E49AA5887F}3⤵PID:5784
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A8E64A7B-B759-40D9-BA42-1C36CA7B00AC}3⤵PID:1720
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AE4AEBB5-71BC-4B2C-923B-D7628C700725}3⤵PID:5308
-
-
C:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exeC:\Windows\TEMP\{46C08344-DDC4-451D-9992-1C1021768AEB}\_is4DEB.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A31A9C5C-5938-438D-BA2B-59D420A1D2C2}3⤵PID:5304
-
-
C:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\Splashtop_Software_Updater.exeC:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\Splashtop_Software_Updater.exe /S /Caller=SVR3⤵
- Loads dropped DLL
PID:868
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B392A1CA-B38C-4C58-996B-1854868B7952}3⤵PID:1588
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{73DAF5AF-E852-43DD-84FC-F15EF5F30873}3⤵PID:5724
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DC74CCE5-992A-4661-AF1B-D8D99CBA3C2A}3⤵PID:5100
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{75066F69-4356-4FFA-BD3B-F1ACB4858CEA}3⤵PID:5716
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{984DFDD8-DA60-406E-B74D-9F39A3FBADAC}3⤵PID:3408
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DD1E45BC-6214-4FDD-9CFD-E9C8351C80C4}3⤵PID:5420
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D26564C7-6195-4DC9-8BBF-D3B99F90D98F}3⤵PID:4556
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A648316B-3C17-4918-8AF8-80520FD7E8A6}3⤵PID:2664
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D8D7C674-CDFA-4AA8-8486-A54F1439B6FE}3⤵PID:1140
-
-
C:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exeC:\Windows\TEMP\{D9CECD5B-68DE-4737-9BA0-7403A90AA20A}\_is586C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9A10B02D-CC01-459F-93E0-60282537D8E5}3⤵PID:1276
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i3⤵
- Registers COM server for autorun
- Modifies registry class
PID:5924
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{544F2FBF-5121-4425-ABF2-116B2585093B}3⤵PID:6116
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4571A43C-65B9-4AE8-BFA4-E2FBB12A9C66}3⤵PID:3600
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2BF07633-C319-4715-8C2A-A3CD797BDBC8}3⤵PID:3764
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5BE90BFA-E801-4C74-993A-93EBEAC9D01B}3⤵PID:5164
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5F114918-4386-426D-BAB9-ED9DAE51F4ED}3⤵PID:2904
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDCDDBD0-A806-404B-8FBA-2C5DC754B791}3⤵PID:2184
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AFB02AF7-7DB9-44A5-B663-1B78B3638A3B}3⤵PID:2008
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{96EBBF5E-5204-4286-9BB5-DEBD0D3FF0C6}3⤵PID:5548
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{82221D92-57F9-48C5-8279-B66F100BB61F}3⤵PID:3440
-
-
C:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exeC:\Windows\TEMP\{5E283147-28B0-4F16-897C-1E5A27FFA1C1}\_is5ADE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA6EE053-3E10-4BD4-8DD3-171AC81463EB}3⤵PID:2316
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r3⤵PID:2724
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9082D60E-78A7-4F61-8BEE-96CA6776A92F}3⤵PID:4612
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F530DA3D-0BE3-42ED-AD5D-578E3C068969}3⤵PID:5260
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{37F06D11-BEE0-42E0-9836-C868C46E8A71}3⤵PID:4232
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{73456B50-DDE9-4771-BD56-3E70E8A6EA12}3⤵PID:4588
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{95BBC7A6-1E6F-4EF6-9273-6EB46E503B92}3⤵PID:5672
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5AE5315F-CF0A-47BE-A109-EF9AEB0EF3F3}3⤵PID:3836
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F91FEA13-2E8F-4EE6-B286-1D61668BBFA8}3⤵PID:5712
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D7355C0E-2069-4CF0-B0BE-99AEA2EB8E49}3⤵PID:5764
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA85E92F-B283-497B-89EE-7068E713A249}3⤵PID:1240
-
-
C:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exeC:\Windows\TEMP\{1CAB4A70-813B-415D-91A0-2DF613A11301}\_is5DBD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{39AE7746-77E0-4F4D-93E4-548CBC5BF911}3⤵PID:3064
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2604
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:3548
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "0d832da8-5663-44cb-a140-208444acc2ce" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Executes dropped EXE
PID:2268
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "3844f6b9-b23d-4ba9-89a9-94eb62870445" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:4480
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "d79939e4-c095-469d-88f8-15c7c82b6256" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Executes dropped EXE
PID:1360
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "1e3990e5-e5db-4f6d-9735-675b6ab30159" agent-api.atera.com/Production 443 or8ixLi90Mf "identified"2⤵
- Executes dropped EXE
PID:4276
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "7e754dcc-63e8-4f68-9bc9-8faed77ee03f" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1068 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:4152 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:1936
-
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:4748
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "bd527817-6d39-4001-95f9-0bf142fdafd5" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:324
-
-
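The tree above shows the behaviour that sandboxes tag as "stops running service(s)" and "kills process with taskkill": net stop and taskkill against AteraAgent and the Splashtop SR* processes, a reg.exe import of CredProvider_Inst.reg, wevtutil im registering an event manifest, and sc.exe failure configuring the AteraAgent service to restart itself. The block below is an added example, not code from this report or from tria.ge: a few rules run over process-creation records, each hit reported with its ancestor chain so an analyst sees which installer spawned it. The records are a constructed subset transcribed from the tree (PIDs as printed there); the report prints nesting depth rather than parent PIDs, so the ppid values are our reading of that depth, and the severity labels are our own choice. Note what the report itself shows before treating a hit as hostile: Splashtop's installer is terminating its own older components, and AteraAgent.exe is run with /u and then /i, so a legitimate upgrade produces exactly this shape. The rules are for triage, not a verdict.

```python
"""Flag the remote-access (RMM) install pattern visible in a process tree.

Added example, not code from the report or from the sandbox.  RECORDS is a
constructed subset of the tree in this report; ppid values are assumed from the
printed nesting depth.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str
    severity: str
    chain: List[str]  # image basenames from the root ancestor down to this process


RECORDS: List[Proc] = [
    Proc(3964, None, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 148C10A0CEB02C9A162E807078345110 E Global\MSI0000"),
    Proc(4916, 3964, r"C:\Windows\syswow64\NET.exe", r'"NET" STOP AteraAgent'),
    Proc(3488, 3964, r"C:\Windows\syswow64\TaskKill.exe", r'"TaskKill.exe" /f /im AteraAgent.exe'),
    Proc(5428, 3964, r"C:\Windows\SysWOW64\cmd.exe",
         r'C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"'),
    Proc(2884, 5428, r"C:\Windows\SysWOW64\taskkill.exe", r"taskkill.exe /F /IM SRServer.exe /T"),
    Proc(5224, 3964, r"C:\Windows\SysWOW64\reg.exe",
         r'reg.exe import "C:\Windows\TEMP\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\CredProvider_Inst.reg" /reg:64'),
    Proc(5280, 3964, r"C:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\SetupUtil.exe",
         r"C:\Windows\Temp\{D9DF021F-C8EC-4644-BE85-A2A78F3CFF52}\SetupUtil.exe /P ST_EVENT"),
    Proc(5088, 5280, r"C:\Windows\system32\cmd.exe",
         r'"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"'),
    Proc(5924, 3964, r"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe",
         r'"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i'),
    Proc(4996, None, r"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe",
         r'"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"'),
    Proc(3548, 4996, r"C:\Windows\System32\sc.exe",
         r'"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000'),
]

# Executables in this report that belong to remote-access tooling (Splashtop SR*, Atera agent).
REMOTE_ACCESS_IMAGES = {"ateraagent.exe", "srserver.exe", "srapp.exe", "srapppb.exe", "srfeature.exe",
                        "srfeatmini.exe", "srmanager.exe", "sragent.exe", "srchat.exe", "srservice.exe"}

NET_STOP = re.compile(r'\bstop\s+"?([^\s"]+)', re.I)
TASKKILL_IMAGE = re.compile(r'/im\s+"?([^\s"]+)', re.I)
SC_FAILURE = re.compile(r'\bfailure\s+(\S+).*?\bactions=\s*(\S+)', re.I)
REG_IMPORT = re.compile(r'\bimport\s+"?([^"]+\.reg)', re.I)
WEVTUTIL_IM = re.compile(r'wevtutil(?:\.exe)?"?\s+im\s+"?([^"]+\.man)', re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(pid: int, by_pid: Dict[int, Proc]) -> List[str]:
    """Image basenames from the root ancestor down to pid (cycle-safe for bad input)."""
    chain: List[str] = []
    seen = set()
    cur = by_pid.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(basename(cur.image))
        cur = by_pid.get(cur.ppid) if cur.ppid is not None else None
    return chain[::-1]


def match_rule(p: Proc) -> Optional[Tuple[str, str, str]]:
    """Return (rule, detail, severity) when the process matches one of the patterns."""
    img = basename(p.image)
    if img in ("net.exe", "net1.exe"):
        m = NET_STOP.search(p.cmdline)
        if m:
            return ("stop_service", m.group(1), "medium")
    if img == "taskkill.exe":
        m = TASKKILL_IMAGE.search(p.cmdline)
        if m:
            sev = "high" if m.group(1).lower() in REMOTE_ACCESS_IMAGES else "low"
            return ("kill_process", m.group(1), sev)
    if img == "reg.exe":
        m = REG_IMPORT.search(p.cmdline)
        if m:  # a credential provider is a logon-time COM object, hence the higher severity
            sev = "high" if "credprovider" in m.group(1).lower() else "medium"
            return ("registry_import", m.group(1), sev)
    if img == "sc.exe":
        m = SC_FAILURE.search(p.cmdline)
        if m:
            return ("service_auto_restart", f"{m.group(1)} actions={m.group(2)}", "medium")
    m = WEVTUTIL_IM.search(p.cmdline)  # wevtutil is wrapped in cmd /C in the tree, so match any image
    if m:
        return ("event_provider_manifest", m.group(1), "low")
    return None


def analyze(records: List[Proc]) -> List[Finding]:
    by_pid = {p.pid: p for p in records}
    findings: List[Finding] = []
    for p in records:
        hit = match_rule(p)
        if hit:
            rule, detail, sev = hit
            findings.append(Finding(p.pid, rule, detail, sev, ancestry(p.pid, by_pid)))
    return findings


if __name__ == "__main__":
    for f in analyze(RECORDS):
        print(f"{f.severity:6} pid={f.pid:<5} {f.rule:24} {f.detail:55} {' > '.join(f.chain)}")
```

Each finding keeps the chain rather than just the process, because the chain is what separates "msiexec.exe > cmd.exe > taskkill.exe" during an installer run from the same taskkill launched by an interactive shell or an unrelated dropper.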
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3852 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:3776
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "e2aebfac-da9c-410e-bee1-965062a0ea0a" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4404 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:5116 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:4152
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "73cd74ec-2ecf-4d92-a5fc-4c5e2be9796f" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4724 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5792 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵PID:5604
-
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "b99f5a50-6c04-42e9-a424-d5bcfe1cbee2" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5008 -
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_6_7.msi /lv* AteraSetupLog.txt /qn /norestart3⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2132
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "bc6ccb5e-5297-4fa3-83f3-1e613fc896c6" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4052
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "a402e704-3e54-4f15-8398-e4b75cb5ae46" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:2812
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "544a051f-c598-4b83-84b3-aae75ec9ecd0" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3712
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "71460193-56af-436e-9d7a-86a9519c51ea" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4076
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "1d55c9b7-185b-4c33-be6e-871392abf447" agent-api.atera.com/Production 443 or8ixLi90Mf "connect"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1708 -
C:\Windows\TEMP\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Windows\TEMP\Agent.Package.Availability\Agent.Package.Availability.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 1d55c9b7-185b-4c33-be6e-871392abf447 agent-api.atera.com/Production 443 or8ixLi90Mf connect3⤵
- Executes dropped EXE
PID:5648
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "d0d9be60-95ab-45b8-a357-fd1ffa51dd41" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4400
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "805e6c83-9558-41b6-8972-2fe298badfe5" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3328
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "b0990dfb-7df7-4207-8d56-88a2d1e3bc58" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:1512
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "e579cca8-e215-4c84-81ad-1408aec24516" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:4900
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "6199bce7-9daa-4e3b-82b1-3ced225fd690" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjI2IiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzM1OWI2M2ZiLWNjYzQtNDI0ZS04YjY2LWM1NWEzOGIyNjI4Mi9mNWU2NTZmNTdmYmZkYzVkZDNlYmEwN2NmY2MzMTg0YS9kb3RuZXQtcnVudGltZS02LjAuMjYtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9jNzAyZWRhNi00NTJmLTQ3YTYtYmY3OC0xODk0YzBhZjM0ZGQvNmYzNTg1Y2U1MGI5MmU4MTJhZWQ2NmYyN2M5NWYzMTAvZG90bmV0LXJ1bnRpbWUtNi4wLjI2LW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E5MTlkMjkwLWQ3YjktNDk1YS04Yjg5LTk4MjY3MzVlZDJjMy80N2Y0NjdmYzRlNDYyMDA1NTMzOTI1MzJjZDg2OWFjYy9kb3RuZXQtcnVudGltZS02LjAuMjYtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci83ZDNjZGQwNC05ZGI4LTQxZGItYmM4Ni00YWY2M2Y5ZWRkNGEvODg5OWZmNzc2ZWVkNDFiM2Y1Mzc2YmZjMDk5MTNjMzYvZG90bmV0LXJ1bnRpbWUtNi4wLjI2LXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2I5ZTQzNzE5LWYzY2UtNGIwNC05MDEyLWRiMjc2MWQ4NjQwNy9hNzI2YzFlYWMzYjhjMjA4NmEwNjc0MDZkYWU5MWJmYS9kb3RuZXQtcnVudGltZS02LjAuMjYtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6Ilx1MDAyQm9nZGNpdTkzcWpNOVFZL3hoaGZPWXJ2R09ybDdcdTAwMkJHanMwUmVxdTZXeFpFcVJPY2h5ODlFVmFxbk5PL0hnaDlQNDdHVWZqOXMvWkV3b0ZCXHUwMDJCQjJoTG1nPT0iLCJNYWNYNjRDaGVja3N1bSI6IkRLL2lyTlB6NndnQTY1c0pDem5GRDhsdW51VE9ENHhQeThSd1dcdTAwMkI4N3oxN2VTT0JJLzJLcWo5UXVFRkJVTzdNYkVoc3JQWEpRMnJpUjhoXHUwMDJCL29paXlpUT09IiwiV2luQVJNQ2hlY2tzdW0iOiJsSXU0NVc0ekI3ZHV3MjhBYVRWY0p4OGtBYlx1MDAyQnE2UGc1L25WenJFeWdpMUJIQVhXbHdhblNuV01VdDJRR3dCSk5hRzZNYURLVktTY0x1VUh4dkQ4eE9BPT0iLCJXaW5YNjRDaGVja3N1bSI6IlBLWElYYlJNR2VpNWJMZlI1QXpHellNRHlCUlFcdTAwMkJzZmhBMmdqdlNNaDI2RGx5eGhHUXJPV3JwMUJxOUVMVEFTTnIybkZ1V011T2NqcE4yaTdaZGw3OXc9PSIsIldpblg4NkNoZWNrc3VtIjoiTGNJUzl0c3F4RDhiMXByYnJVangwNDFYRkxrcm9lR3BxbHV6dDI3NlNqV1lVZi9hei9kTldcdTAwMkJJbGpxSmpLbGJBdmRaTlk5Uk1iM3BvVkVpUHYwdXFLQT09IiwiV29ya3NwYWNlSWQiOiJiZjBjZTQ5ZC03N2NmLTQ3MjEtYmY3MC01NzY4NjM4M2M5YWIiLCJMb2dOYW1lIjoiRG90TmV0UnVudGltZUluc3RhbGxhdGlvblJlcG9ydCIsIlNoYXJlZEtleSI6ImpVSVMvVDlDUlZEZUt4WWc0VXIzYUNoaFdRdWNZN1BWdndnMHpIdXFKc2NyVGpqUTJMd0s2VWpmdTdjQTJOcHJBUjByL1NSQVhKWVlsZFBLS0Z5S0tRPT0ifQ=="2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3408 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵PID:5432
-
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵PID:5600
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "773569b9-84d1-4181-847d-174e9cd075ee" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3516
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "d12171b9-cf60-40f6-be1d-2a9ba0a82709" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ=="2⤵
- Executes dropped EXE
PID:212
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5668 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:4700
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "2f522e33-8b8e-4d18-9dea-3c6940166851" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjpudWxsfQ=="2⤵
- Executes dropped EXE
PID:4640
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "7817d0e8-dca1-438a-b437-a592b898e396" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"2⤵
- Executes dropped EXE
PID:4420
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "479700fc-da32-462d-a66f-8e0cdd9a1d71" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:5432 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:2392
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:1524
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "ccf2e34b-c7e4-4efa-896d-6803ac356bca" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ=="2⤵
- Executes dropped EXE
PID:2164
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "01d5e223-e483-455c-a4c3-6105b93a5e66" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"2⤵
- Executes dropped EXE
PID:5040
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "108cf61d-1a14-499c-8a07-ae81cf30590e" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"2⤵
- Executes dropped EXE
PID:5428
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "78ef63d6-eaa3-4f0a-97ba-7b526648d4bd" agent-api.atera.com/Production 443 or8ixLi90Mf "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"2⤵
- Executes dropped EXE
PID:1200 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵PID:3308
-
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵PID:3572
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "2604e228-afaa-4d06-b9b3-e917d4ea6f5d" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"2⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:2932 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5968 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
PID:876 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵PID:5372
-
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_session_pwd=ad9d2464b472e4df654929430a73ef7c&rmm_session_pwd_ttl=86400"3⤵PID:5512
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "85b170bf-02f0-4334-b5d7-1da3ef41f775" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"2⤵
- Executes dropped EXE
PID:912
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "2f7dfd04-66b3-4063-b0e6-c6b473c30951" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"2⤵
- Executes dropped EXE
PID:4748
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "9ff4c982-0423-40e2-98f1-f631c05c8d25" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
PID:1140
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "3ef6dc95-6bc4-4f27-a6a4-30e2212636ea" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"2⤵
- Executes dropped EXE
PID:5836
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "d668bb56-b00d-46be-9b3e-d40cd72a815d" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"2⤵PID:4356
-
C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "65407d2b-7c58-4a5c-9395-7b95eb3d0596" "d668bb56-b00d-46be-9b3e-d40cd72a815d" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates"3⤵PID:5232
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 65407d2b-7c58-4a5c-9395-7b95eb3d0596 "7817d0e8-dca1-438a-b437-a592b898e396" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"2⤵PID:5440
-
-
C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe"C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUService.exe"1⤵PID:444
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"1⤵PID:3892
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- Sets service image path in registry
- Drops file in System32 directory
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5896 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h3⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6116 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c sc stop SSUService4⤵PID:5164
-
C:\Windows\system32\sc.exesc stop SSUService5⤵
- Launches sc.exe
PID:1596
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c sc config SSUService start=demand4⤵PID:4532
-
C:\Windows\system32\sc.exesc config SSUService start=demand5⤵
- Launches sc.exe
PID:4212
-
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe" /S4⤵PID:4060
-
C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe"C:\Program Files (x86)\Splashtop\Splashtop Software Updater\uninst.exe" /S5⤵PID:1796
-
C:\Windows\TEMP\~nsuA.tmp\Au_.exe"C:\Windows\TEMP\~nsuA.tmp\Au_.exe" /S _?=C:\Program Files (x86)\Splashtop\Splashtop Software Updater\6⤵PID:2252
-
-
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- Checks SCSI registry key(s)
PID:6016 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v4⤵PID:3312
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- Suspicious use of SetWindowsHookEx
PID:2800
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵PID:1200
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe"4⤵
- Suspicious use of SetWindowsHookEx
PID:752
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵PID:5276
-
-
-
Network
MITRE ATT&CK Enterprise v15 (tactic, then technique (count) and sub-technique (count))
Persistence
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1): Windows Service (1)
- Pre-OS Boot (1): Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2): Registry Run Keys / Startup Folder (2)
- Create or Modify System Process (1): Windows Service (1)
Defense Evasion
- Impair Defenses (1)
- Modify Registry (2)
- Pre-OS Boot (1): Bootkit (1)
- Subvert Trust Controls (1): Install Root Certificate (1)
Downloads
-
Filesize
8KB
MD5aee3d7e821553cf2d56b5aeb9fab0468
SHA1ff4a49c461634481531193cdd7e074adff81d870
SHA2560c8b06c76b74459b7eb8222305eb1b97799570a1e17c80b29e8f677a13e8d2fd
SHA512bbf0939f475d7b8fda96085b2150cae6c5dbe6ff40f62625697db83dd48905b1d0750faa961d18018f39e1aff3b42f6153c82582d519535a8f1319e6a106bee1
-
Filesize
9KB
MD5a97574d92e60767a46e897a17594b1f4
SHA1f19bcb692a4c72f42f8a8c57a6738e0cc46288b9
SHA256424a9bfbab548fbcb9f0c285c3bd1169ced5edc743244c133025351945833203
SHA51218583fc985a4952b9796a2756f667b363c1993b0a606331bd30f44acaa1fd65139debacf0b0321831e30eec57484bedad36bd78cb756d135fc7d736a30b7474c
-
Filesize
8KB
MD53f57f8e8b557438a4387cdb40e3493cc
SHA1263115d448c89f7f4dfdb2e343daf23b2be687f9
SHA256ff36686b377994b76009f9a91d6aab134fd211ea47cd1afa62e8ae4c7fb8d245
SHA512a5ec4e167f6248bf5f48b5ed62fdadb6beeb73dbcb7ced43a239512d7401afd533c4a96f49e0458b1a164b479c0074c2be3088c6ef55428d87ab1e107cccc887
-
Filesize
74KB
MD55f9e43dc60ee9cdae6e708ba56410cf6
SHA15781ec6c0792e009e7ff5fd34683f9e02454be11
SHA25663cc8aace12e6ca572062f0f060e4c3f8af8be71b5a4dbfa08763831bf80949b
SHA512de67c2b8889176d48b3e29b92ef942cbe192ecb30aca2548ec2126c852972c7f57703d1ccc6885c226c77789bfa7ebfb14a142a1d6a8361daf882296f987d588
-
Filesize
480B
MD564691dffe33ad05142b03a658924e5cd
SHA1bb5c9ad7ddbc41fb54204901e67a665cec30e299
SHA256603822efe4c9c7699c415bbdbb149b9b9f53494ff81d50bdf627e1ca4a90011d
SHA5126dd364d24b575d780f85aaccb961e7912983ad425e2c50cea58a7fc4c99712d33819bf2ced3e00255e4ec14a8882834e18369bfff21dd50e42ba6b270c0f267f
-
Filesize
1KB
MD53840b31c383fdf49bfd6740d945c9032
SHA1a6f50164a69718bcef4664d7c47534f0d721866a
SHA2561f119f4fda8028b420e70ee1637c65e2b4198b41eb3eb44d911afa6f1a0bbc64
SHA512f5315421d4bc5f08fef4e1449e5799ddf311f08eda317a9eaad8c88c2e7b7c26182bd586c0221ffe5f4112e5d6e05f5d45d2d0382b0ed51ca25aa94d4d95a84d
-
Filesize
305B
MD527c1adfa459a0d4c1a3ee1e4e92f8e0e
SHA1e21b1152b78827c8e59d84c541c190c099297632
SHA2568e88d3edb3da0f6dfe4dc7716ab64256fab189429a6690b129d6789f7eeca49b
SHA512f8f66043ad65be01a11e130ccedd14a1e638950bb95999e650f62362c05e81d413d330e87cc5fdade02776fc742ebf96331a3752ab80eda9931041089563ae36
-
Filesize
140KB
MD52899046a979bf463b612b5a80defe438
SHA121feaa6f3fbb1afa7096c155d6b1908abf4ea3b9
SHA256486b2c2b0ca934ab63a9cf9f4b660768ad34c8df85e6f070aec0b6a63f09b0d8
SHA5128c60eb0d9e82326543f2fbcd08783e041a7f5598723666b1c9ea5df7808d0c4947e8e64c2dcd46331bc3dbc38c6ec8b85ed2fcc5b97eaf0465ea624167829368
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
209KB
MD5a41c23558b3c07f8c749844bb553d545
SHA18473013cf5f2be8158c13f1056675d1cbd10586f
SHA256a6193fc0a09ad7145fe38494bcf67fecbc10c07a5f3936e419895b018e85a766
SHA5125930f14f3be4aed70a1ff93dbb75022c2d947a0a2344031992167d72192e0a51d207fc2255cb0ca1fb21b20b1277a528bbf739bbdf8676f7a0786efd132b436f
-
Filesize
693KB
MD564e122b28a1e548c1cca376e32cdd248
SHA14506de40b8422c9be58333f35325a86674ca650c
SHA2560ee2dd095b1cc4c3cda44a237a188e16c8614c107ad9d37ad8a581473ad42215
SHA51236fc7dd056303822b23f9173b43522dee23431a419bdbae43a850e87f37b936b34ed2ef5013997d6d8b59d74627d55b0cc622da751d3ed828c850c7982a0d8fa
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
Filesize154KB
MD5e3ca6ba742fba06522ab0fe063c620de
SHA158f1e87ae1ac14cf043c1af4c21d00e4197c712b
SHA256f03771bab23cb012beb6bce3618a45fa6d06e3783a67f5f78bf0d9f41a198079
SHA5122de5d08a4a33c03f828244705e4dd25a39d7d56a82c5fb1e5512d10d133d30a6cfeb2dde182f13288e5e0bcab181d9b4636d65db2cf1cc54c834080af0348bcc
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Filesize156KB
MD5f52fc50d7cd546aac6ff5b3b6a81fef8
SHA1acee5c531f18e3f9a740fc510a363549eefb6d50
SHA2569adcb96da9b2af3e1f7baf2995ae288721ea14f20c708f5ed862e5b93d33a8e6
SHA51246bbe96cb751fc1af755d486a14411ee03b5c3ed1883b8e5b00e083c21d417fe6ffa0c205bd22a56f38df604621bc443a1f610c5c39415d5b90010614d2f09f8
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Filesize46KB
MD52add1f7594df835ca2e2d0dd4494bd13
SHA1c39884219b3b4ba3125f9ddbc20d55757b41ae61
SHA25659b970908d00dcef9f24b9d74f331bcd1986eaa1543de10ddf27f6ca97351e71
SHA512430e74c2acf0921c5c0b89c82367e096267059a2f0ec2d1c932b7b94c3ffa39bcfc80cc1f95858fb5b574e2469d1c3fdd75655b74a9603981ef5cd3ef2744423
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize163KB
MD53723dec9f9f58e9548cf705a08272aa7
SHA10eb60973068ba24edd449bed2be05c64a17c46e7
SHA2562906684ef97d39b4aba921be2728dc50458b66045c328adedc33fe483a7ca877
SHA512469b8ca4a0dc6433c90c141320ddcdf77e6b529f660326b249fd4a9d8bc22281079fde6ab71e02b03656f13f5af6d1c4185ac62ce470786091794b33d1433530
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini
Filesize12B
MD5e1d717a53b79233000376e06e7e818fa
SHA1e9f5a584cc49acaf36d4837802b9a3ea7b5144e8
SHA256b670eba39ceb4441a7c9b00d2ad56c22c762a985ab3620fa2df94af6a05d3bc0
SHA512759a6ecbc46bac091a9c712f69125ea739651b185d1ffb26f79bffaf0d5c79ec10f9cb42408e098a89f0408f434919500cf07314ac4eae0948e4aba7a099178f
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Filesize94KB
MD53ca5eae6bc6b5b68e86d7e94da6680b4
SHA18b1506e53cd0cc830450cf864bc300b9b249899d
SHA256d297eb8b6b451e47bdd5118a311c30220a392c2e1c606004d822b8db978f6855
SHA512c7d19f1e66d50a0891284c9aedea9bbed9fa82c0aa119c6c6b1e3ef23167727db89c741a70d8673d29aa652b1f97c61f821e5609d16151749f05b83816cdd16d
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize687KB
MD574b54353c4e2834907dcf55d0c329050
SHA1bdf81278635673ed3c3f7d9243c56338b18ba950
SHA256a0fcf15c913a9871724f36fd280aa3654a1325c24c46da42704fb79c72860608
SHA5126b4d54bd31310fb5c1936e64c5d1fc7213fa672db1ee18953b62491724c6c407632f9999d8edcab9f15a8b99479572e11e00194b2be3008ba238a5675cdc44f1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize25KB
MD5fd9e8a53114dba71999e09386fb6ff83
SHA18b24a77a7f8cb1070a8207ff9abb9b8b7fe8a679
SHA2564a7d1e7fac5578c585f0d5598f37245bf8288ca654f4d8bfe9935376256b3dbe
SHA5124412e7b8feafbc140a74ff431557e4755fb5a0da15de85666e58a414f378d13a9a23f7e84f7167663e00d95cedddea425af96f63be0a13dec8bc704f71fa7d0b
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize214KB
MD50f130672aa993be9264cdc9900b2d9a9
SHA183dfebf1ccce15592b4b250e373cfb768934bc72
SHA2564f3dfdb6e2fa63309466035e0efaabc321659bde04f2d26ebac7ff282e3752cb
SHA5121d2fa98f45c732cf2ab22fd0a8cb6c1d54c09d0118c358c5a511b0a57fbef7cda7b2181b58c70023b1f3ea9a6af5c615dde995b11f6aeef8d917779c46aee931
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize31KB
MD55c33b399551c1ff47d5486c6556121bb
SHA174d49780496b0ed524442aa95f6eb69bc83ded18
SHA256aad2956ff675d736d2d98f79aefe3f5fab742846a7f7eac0b796dbab69acd3b9
SHA5126f9c4fa63fb157248a1483869e2c4fd071926a08b396df163db6d53f637c1a0dcb7e4c1315f3bafa438f75a08084ca8cfd7d5fb485316b19eede00814393e74c
-
Filesize
3.4MB
MD581631e3788900f3d082e8aa7d856f891
SHA1bd9e5fdcb27debf5c7b3e00adaae2a704c287b7f
SHA256067456a17bef5440d269fb30fd48032b3d83c52d693d5c82ca1a370be1bc0bf3
SHA512b1da3b21c655af96dd060dfc485258af1c5a80b07cab89f14f7ea3ca0c8ab93e50037c8ea8d925a1e3bedf6f5a1079f56f3e912d387fb15ccda15840159ecffa
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.INI
Filesize12B
MD594fb323992e48f9d4a3acb5c1e88d656
SHA137a26436c73fb82cb808e56de98ed028adb2a514
SHA25687cf69fb5b332d110b0445fe784c12513a1154aa4393e24e4c4ad489049fd99b
SHA5124d41cf9ffbf90b494ef8100ce88401a92232841907ae464b12ddc9c25f92f1bb1411bfad6ce75a04dad275081174db8779e3def6af25aadf1b4b2dffa9eaa632
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize385KB
MD544c39bf8425d1201ac8c003524ab1f6d
SHA19ee7caed9e7bfeafccddd02726da2fa4950924ab
SHA2564de559a6f68aed57a56773511cbcf08a204cf32644cd6d794f67d7a0a0cb3316
SHA5129fe8f6c39d31965883661a3e225a039861b23d545545db75ca4748c7beb50612e86458c0be50ec41241a06958e9ef128f46ccdcc173c09c222e2c7257734dd9c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config
Filesize1KB
MD5c6ecf24757926eba64e674bff8b747d1
SHA13a46083826c20e8e085c42bbfdfeef4f9e2b90d9
SHA256c3ec04142c15b0a237e72ce1c3c85d19cd1231b9824f7a9854e7909a74b7becc
SHA512efabb9883adb098a90115e8938c92b76bbb8d2eb5de170ecfa205ee949a2d722e0f97f6e01f9a71ac8b5fa2108b9ff82fa0171759d50e30d0ab5fc1948bdce15
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
Filesize64KB
MD5d180ff7e7c71e01f07fdb9fe124804b8
SHA1151dcabab8bf10ce179f225667bdc2acec725e5b
SHA256aeab12845410f6ed1c56a78f2dd0bb3d072e24417edcb3dfc8550fc918f14f8d
SHA512eac0cd257be1b9f512147f1605eb50c4337b353c1bd6a2ba84e2ab13811acdb4f56686bf48afb99be27fc8a93e6ce52419daf78184cd1db707aa445b708c8154
-
Filesize
151KB
MD5c3d7a0e65ff83cd9f143aa3cab2b7b5b
SHA183291f57922d7ceb203a793e69d1aaf8da5aa288
SHA2563bb327a09a6929fc85d6c8286d2996bb82d1f1ce68b117ebefb522b1e2056960
SHA5128a0df1b1c2723607b557d7a4be482d099229c2c863a4a390452a036d0311c280dd6d388d6b5759b14d3eb8787d4b67dcc4b39a1dbe52810f82e756c18a5e0efb
-
Filesize
862KB
MD587f396a5611ebde1f26ca0aee63c9bc6
SHA1cf2154ee6d8989c108804ca6415d227c889ccbe8
SHA256a4b4bd0442c2c376917ae441d3ee59a299d202ee0277b967e7e9baf076c6b271
SHA512506922bbb8771c2a269792f730bc277d812bb53c5feded003ee9c60acd8420ede07ea5fc5c2688fbb9696f7f2e3a55cb7b457b017d4e011054ba11eed57f6ac4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll
Filesize693KB
MD53ca5d328d909c76b43fbb58fea5e0d4f
SHA18261d45ef9aa6c94bd72a01b80b180f6beceef31
SHA256d94fe016a38ede7c645dce77076167475682e2871d5887cf1d83c40bc8026bb4
SHA5127b688688218fe4873f307539563415c349a0347d11048a8f2af1adb25e07f4b84a8c6cab4024f4f22b73c31dc3262413513ac78b99959591ce7b395c1413135d
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll
Filesize286KB
MD5262f1c97c8e49a527d44c302568e83c8
SHA1e8060b1613f37d7b26cada0a52752a53663921f2
SHA256748dbbda6b1f55f2ad4f0cdcc2cff8376abfa4b45ff0219f86adb24ffcb8243f
SHA51212687a3eb11ac1eba02c6ab076b920a6380f1df93cd9a79a62f7966cdb2cee6f08e31f573fb497d5211f56335df58ebb0021bc4049e4254bdb4da54fb2bb0bde
-
Filesize
270KB
MD51b0509b22d4ebe1d5e0ddf2ef48d2916
SHA1370bd80fd4834b2ecc8daa3ab7feecc06c6d48d4
SHA256e5e742e1c79e2e1777389ae54a20b6afce32ebd69a49083b60ba0d685f100967
SHA512836d17e2e333a4de7711bd0448eca9f5ee2b859a4a24d2b3bcc2f984e15befd21172fd822a458703ee58f95096188cc409c7d9f6ff01128fbc6ec18ded427d8a
-
Filesize
277KB
MD5c3888dc400a36905e2eecbfd815e220e
SHA1aaa531c1cce9a340023bc79f7890abf242351369
SHA2564e11cf3a8e43f8dbaaee073efa513009c492e64d1f89922511aa5e08f8967cfc
SHA512005e24b5206f866ac294a8baa7a3f48af53ba993af3da24546eecb3aaf9573f3c04604aebd83626a3b7dd3fcb9d5caa0b6f69cc4ad3fee4e9ea0c0a0adf787d6
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll
Filesize399KB
MD531761bbd8eac4cb1bdf9c0b0a67d40a5
SHA1f88d78c6bd1f2fc5e87e4af348cd7bbf07648c4d
SHA256365bb1d2f0c95230d67c92f3275e44cc2c829afed1c624323c40eaa42c42b6c0
SHA512460986675f4222ece5538914a835e53f5da104b4c625e672d34e398690f83805bc89691f2b591e32bf40fed53d9ecc5ce5b160e62c308908ec7a20a493e652d8
-
Filesize
48KB
MD5d5b223cb25ec2ecec2384c1f0850de91
SHA11c408b8c1a1ad90a25698c6f561a10db854f7f9b
SHA2562c4947e07954a48a14848f710af8f241a4b413f1c314e4d7128ff97dfbe1d425
SHA512d18995e6cd95b816ec4248a55d11d7968c3f9199e44558f75358203ece400ae2a2183c0f145f5140988a43426c8d6a3efd167e748b1a521329cc895f40c0f238
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll
Filesize1.7MB
MD517f32580ffa2e18693e58fb7659b998c
SHA16460f12c4550ebca70aaa148531580ca42cab2eb
SHA256d64ec004270373daf7d1861d62f4dcd1b19c7a84d42d2a41f16e6662c962fce7
SHA512522cfbba3f8dc65b24d2815792d52da366007ba354117c4ba0f2cd00763359ac4806249cd24400570394618d26c5bc648c6fbb23f6ce857c42700904995746d3
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Filesize189KB
MD50abcddc5d5030a547db34232f50fe20f
SHA139b9a26b7cd0a5a04bba69b934918b17b4dd36e8
SHA256dbb0955bd2b4c0088fc56b633bf3ec48624159afd68d8092ca7d0224da442231
SHA5122d933d6fe444e8e9919a8dab5a31b13decc805b662b685d62efd6983cad455649ef4b275f0f871483ccc3164355d7c920684e7417ec7eb05f8931a10511615d5
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
Filesize48KB
MD5bcea673768ea4e64d96b426fd0dabef1
SHA1782e35b1904e1e2f86ae0e3ad1f8645d860cf457
SHA256ee853ebbebc9cf31540b00d50d404cfd868397c087710c4b6ee4fed230e3981c
SHA512de6c60eb30c5c4027920a78bc48c72848f1e31c6504a6bbd710daf8cfdf8f0acd2be320abdf5a4431d03e377e8c5e167a2e95ae9571c983a5106e0bd00c6b14e
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize53KB
MD5b2fc69f3f118fde1076848d3bddb7de7
SHA1c35f7d35e715fdd6656f2dab5302be0df2acb27f
SHA256dbe8c0ffcf0eeb12ba6cf1303ce1feda4d9a866a41dfdeb94f5a49bb6cd43e2e
SHA512e13e2c7880fd2a4022747837fd0fd1a8cfc60fea8a418c165c12e0db34ac9effb113d3d1e183be86affdb71a46a885328ce6071c32a129ee64e9a612ed8bd114
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize66KB
MD5a9feeb4fab8f35c9a015be172ee8bf8a
SHA1bd8b6b68ab66d6b83844b5fb9a37762ec9984b26
SHA256f05e83cb0775daf025426ad9d3f2668b2000646e01a953f63033c64898f07631
SHA5126612b9a742d5fcfab171ffb049c45d118acad7062bbe13c00b72c96dd85ba11e539bd74b21e1ca147de151300f3acae8864cfb1e9d1819c660f0c0fa0f660f88
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config
Filesize541B
MD5d0efb0a6d260dbe5d8c91d94b77d7acd
SHA1e33a8c642d2a4b3af77e0c79671eab5200a45613
SHA2567d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102
SHA512a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize44KB
MD5104da30f344fa2c2a47f7831b8084bcd
SHA13a14aadbbe204ef694b648128334e41b546619c7
SHA2561394ea09f30db994bb8bbb5ad99d0e143eed5064f78889125736223006529925
SHA5127cc7c4b859b73bdfaf24fc30593452be80d64e52b02e4abd92d831901591736a9c8c9e47ef310010f389f866e18fb1394aaaa0b520651932ed5c6f9f3e4b4241
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Filesize30KB
MD5194d372fd98820f5d3632ba7a3fe2198
SHA1c5fefcf9957f62b25873d30de32551fd1a596e88
SHA25608a1bc2a8b4faf85dc20e46de6f2046c980625e68dc7c43596574ce122948d61
SHA512db9a905b9a548289b95f29b41e65053151a2badd994d3b5f627010130682232f1fa642d408267322271795d1a23ec56deccd12dd3b9729406ba89ad777144067
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingSettings.config
Filesize366B
MD526e7faae0a4aa19676807c7c61b3d039
SHA17162da207e9c164b1e3229c6b219b634743ee210
SHA256bbaa2125f9a5e49418ad7b23e0d4a182c551f0314111464aa61fca9537933471
SHA5128b125cadcaa6fed50caf3862d5e71709fb259a66c7aa6c7045a7375e7d85157089e4a5e70ed973277ae95f7e9bb40cf66b6024f5d18f234d5b579ca5b8cebda3
-
Filesize
432B
MD5a67f90a8dad4e0122ed387c45e3dcd02
SHA1648515c288031318fe0861028b3e6c80413152eb
SHA256369f6e32f6c2f958437a57b57aebbcf0618109787cceb1db18e87cb5d1fe1d63
SHA5125c9d6f17bb441f0f85deb716a4d4f48b8ce8644202c39af2619b5aafe57bdce733b17c7e3592a040a14e25a56879c14c83fb22c907071c36ef1d926c16ac4d00
-
Filesize
520B
MD543fcaae8558f01efe0d4eb1b5a4755f5
SHA1ca9fcb47c2a730781eb96ccb8042516ba6c59733
SHA256c7c3b6a6b726d0032abd5b3b420aee61d1b8db61fe9f3284d947bd401fb9bbb8
SHA5121837e954b63abd79a0e671ca51783a541346fa45e47c94c69b55fe345bae274721885626b2143baf41ba49315059df89a7fb634ba920317696050e7bbb8efed4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize 50KB
MD5 359325e26281f6d0f1d8301710d8fdb2
SHA1 2ed1ea282a138b394fe0db4d9d403896e34102bc
SHA256 edaf1c2640f2fef085003fc7f831447fbef391d1eeb0aa9ca5ebc021a4759869
SHA512 fcbef79be0ef4b5c3b46ff9c4f29b2b75b82b32c52792d045a53f2ff2d1ff711339474420a09b2dd315493416b41d4a1a794f867f9717e5e876a5536ad962ce3
-
Filesize 588KB
MD5 82b17dc9838e1e21e5c6f53d2867e94a
SHA1 a09bfe6582bff9193337cc7dbab79d0b6b723205
SHA256 8e7210c1cd0955aeb4cbbdce362d4c450e0bf1be47bdf263fbf2789a4d98fd00
SHA512 c1b259655e2514449366f2d150d020a1eabb0e67af29c5e26c3a00f1d84d805216016c306d48e37354de09d4a056dc071c0d0d0d36f8ec9775843e6ae2712430
-
Filesize 158B
MD5 101ae1794851aecb0e6fd87a7719aec0
SHA1 9bd50fb247187bf2eef1217eca65c849330d5531
SHA256 ced412cd55013900f3162af4e00ca278aa3c397f7c0ea217ba187a8d585ead97
SHA512 8ed095e7c9a53aeb4391b5d8c1c91a033ed4e10177c4eb3ca216d4c16ae6aa94e83e9e5cabb77958439cb1ea079fdb91810276b37e306bfca2048c0709ee936c
-
Filesize 196B
MD5 2f6f87bd09be5725e1d23ad64c0504be
SHA1 f25f887c740c7e80bacbb4edf3073afff82d139d
SHA256 51a46a023ccb1ee2abf88f368a84e13fa57364abdd4e41f738f3b26a985af974
SHA512 8b4fe75238ba2be573a2174c5e0c7222fb1ea2e10df38eac3c275b82c48d092d692824081327811b705013eb6469421bf3788f5a7e8fc3489a138931b0edac22
-
Filesize 9KB
MD5 1ef7574bc4d8b6034935d99ad884f15b
SHA1 110709ab33f893737f4b0567f9495ac60c37667c
SHA256 0814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512 947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize 10KB
MD5 f512536173e386121b3ebd22aac41a4e
SHA1 74ae133215345beaebb7a95f969f34a40dda922a
SHA256 a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA512 1efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize 76KB
MD5 b40fe65431b18a52e6452279b88954af
SHA1 c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256 800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512 e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize 80KB
MD5 3904d0698962e09da946046020cbcb17
SHA1 edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256 a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512 c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize 80KB
MD5 414d3fc2699569ff9f8ce21c79489a86
SHA1 7dd8b319a551e570a18a12f880670689355d75ea
SHA256 cdf798e6fe61a05cebe4d5b14ad547f9a3129f378ec39b895573bee8c16ea8b9
SHA512 e51f89d6dccfa03dcda1770b714e5112ed6bdae11a1189f9f596f5c16e6e78d165b32d6bc80bd10c18ca7f39c4d799c9982d7229fb121f5cbc5f606639a68020
-
Filesize 60KB
MD5 634bc0c41fd7861545ea4d020be2ff20
SHA1 5b1b7c7f0ce0fd93caf8a0b6f2efe0fe4446b762
SHA256 c3f2c7c91127cf7deabd262c7167399c81a8440db61290f293818b458633895b
SHA512 478806bdb21984c709886094c155bfcd83dbcb57b5b8c1417555355f76681c7c8c0f63fa02349b5f6bdf7788a8b5e7efacfa0b5417d8222145cb0e9b8ed36d27
-
Filesize 287B
MD5 fcad4da5d24f95ebf38031673ddbcdb8
SHA1 3f68c81b47e6b4aebd08100c97de739c98f57deb
SHA256 7e1def23e5ab80fea0688c3f9dbe81c0ab4ec9e7bdbcc0a4f9cd413832755e63
SHA512 1694957720b7a2137f5c96874b1eb814725bdba1f60b0106073fa921da00038a532764ec9a5501b6ffb9904ee485ce42ff2a61c41f88b5ff9b0afde93d6f7f3d
-
Filesize 7KB
MD5 362ce475f5d1e84641bad999c16727a0
SHA1 6b613c73acb58d259c6379bd820cca6f785cc812
SHA256 1f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA512 7630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
-
Filesize 1.9MB
MD5 0839967f6a7825e2ec897f7c7864727c
SHA1 c9c540c0259b07870e7f68be62b70f852a5b767b
SHA256 c3fc47982d670b544c9f7b98c5d7375ce12e45b63180773de57c645ba42e5d8a
SHA512 8be156409b59d4073d80b4f949d2fbee178167a6d55089bf9bda3da8eacb8c52243bbd37cf8d1f1e3dba611315dcefa414e80d116a73bb491284c380811523e4
-
Filesize 1.1MB
MD5 84fac5e89653949fcd3a132fc8bbbc40
SHA1 f3c939e86538de163bbb2b0adacaaab615c04ef5
SHA256 2e8ed005f3ad4216798ddeb2cae212986702ce4509e86bc3d3e84921d59e396c
SHA512 1d249c5d46cfc2e6a61ace6922c3568a55dc9ebf4a2f4cf3e7249df5b86b149a79b84a615383bd1c3333b9498e94d68a3dbe92b4325f17de0b912eeecc006719
-
Filesize 256KB
MD5 c850af1b1e2e5d84d04478bfba17681d
SHA1 df04f3076310b1326bae8e44be28273ba8267d05
SHA256 ea8b693c4e427a628b5f7bc5124ccbecc34c706da8206db69bc26257a65a760b
SHA512 b072b517b7705d23925d1ae22500d8356ff8087c70e183a07d2e410c31d3651ced288551a92e6a7431791e56091af09833bb2feaedc0631d71708fee3f7a7dc5
-
Filesize 257KB
MD5 f54436dd3ee2ac48146afa2446265971
SHA1 b23595b5664910bc7a9fd9d6bfd70ae13016b8a1
SHA256 4737f4cce3aed5c4e553aedcdd3f06be6a2a9c024f4f05a065f36147946675d7
SHA512 87cfa10cf5eb93db5b69a91a146bda33e3dbad8afec3a45d7b2515640ec2b160ee91c52eb28170174f3a252cf9d5ff048602562ce229853a9b0fdc3535509483
-
Filesize 812KB
MD5 51e384a5446e10a5fb9a152f56554b01
SHA1 616c1f36bae6ee3ba27082c8d2e0ab5e352e9ff9
SHA256 ffd03fc476413e2686c0d9fea0d6f2862c341991fbc1a9e21ee7f23b332de22f
SHA512 2470cb875e2f3278c4f013bb146aecf07f4aae01cf080156511492ef50e40b83b6918d654d61988c1ebf541b07bf7c4b398023035c9fd06de7bad07430c78450
-
Filesize 1.2MB
MD5 0ea2b575392ea7632732b37c5cccca66
SHA1 313e0fb4ac84c820f3433fc01d6603c2c6bf90fd
SHA256 de854de77d86569c1d3ec2642d47f1961eb4c33ecb78ba1e6d6c2b04ac8f0067
SHA512 77e3f27ab579e45e3bb28f55a98d8858410cec249b6847fb9569540acd2a59692e70a8d71e2448593101b85f1cec8091ef40837bed9bfad7c26c3c04133521cc
-
Filesize 48KB
MD5 b4a865268d5aca5f93bab91d7d83c800
SHA1 95ac9334096f5a38ca1c92df31b1e73ae4586930
SHA256 5cbf60b0873660b151cf8cd62e326fe8006d1d0cbde2fad697e7f8ad3f284203
SHA512 c46ee29861f7e2a1e350cf32602b4369991510804b4b87985465090dd7af64cf6d8dbfa2300f73b2f90f6af95fc0cb5fd1e444b5ddb41dbc89746f04dca6137b
-
Filesize 48KB
MD5 d5c189ebf6e0c11caf30527e97057d14
SHA1 4873030fa43cf2143bac2be96c9a197ac61193a3
SHA256 6b9c31b640282fe14621eaff31565f6efbb04d5645d3261026a68696db6b3a53
SHA512 0457a42175e4c284f428475add4597eac123fc982b46da3525a3a3f2fccd8d7e85689f2473392e5a6123cde677f6f9c0635921bcb9e41d26179ac06abf4f5f0b
-
Filesize 48KB
MD5 3b53a7a57ce24aa8e315489450d1069b
SHA1 1930c384bcd4e2a6a0bcfe5fca3f802cb4058517
SHA256 5ac019c53844822515e66350d706e53d1d82dd0d953f7dbd46fe17ee89f2cc03
SHA512 85fadf78fd02c0522199f8c9152789ee1071081166205c4f859896a84e7b74a79045605fcd8265c54c7d2970d0bef1ffaea7a750f72dbf4d13af15fb7f8edc12
-
Filesize 2.8MB
MD5 c1bf52ee4269fd0d828f87f060916bb1
SHA1 a93b06f7c0750911221cd311c5fa0a691710c7d5
SHA256 75ddd489737eedfe8734552bbbc3593a17bea1d8a28a964d3ee8dec2090190a9
SHA512 7faf5a2bf746c6c39644fe3daf369a2bf88bafa356cef2415228e871162a7fd04146d3d789f47cc04e27f910ac6fc5f14ae7fefb63d645bbec9ddb01cc8a6f41
-
Filesize 2.6MB
MD5 f28ce55ef79b8ba242afca3bd8cc0513
SHA1 3703d9836f3bd3ab428313d0dffc3d00410632e6
SHA256 fa7f7b73e090daa8662118e1db3ba95b6425ca296d5daaeb39ddf4575282f2f3
SHA512 44c5820dd70d1fa925f0308b48121e649e92ce8f2dbd88f747c5691c478e590de94fed4564bfabe6b0fc9130b694489e721d126b329066a87baf2a9f833673a5
-
Filesize 1.1MB
MD5 a603fcf1c73ecd23566d0d8089b04e89
SHA1 f73021ec8b2d29a0fa80a50edb14c464dc1d51a2
SHA256 a7ee72ee7c08c185b3b2d376fa468b9f9ba7d4259bd7cbf6d6e8add5f8ea8fe7
SHA512 5c5922251fe4f7ba9f8708229654f495e0a1bb61a48318bb0ed0820a0c29b94c3f62b896f6c23b2051eccef49a81524e1b6c25e98f486203d69bdfba287e7e7a
-
Filesize 331KB
MD5 f4fcbad16f581936b9157c1e4cd4c17a
SHA1 6f38fe22258075724e7e7fa6b7af231f1ba46e42
SHA256 a3b68ab87740b148fdd5b9cba2077373047b9174a9edfbe756aa5343d55de81f
SHA512 66cb3274e96152f48f1c48543aee96cf79d050695a2896fcd3f089ed100c2255c2a122ec3a0210e8c1a07aa8a046dcd69b1c9e318ca29a07de2191274e83a0fe
-
Filesize 353KB
MD5 86f9da8aee6d44f3baff360a3eb6fc68
SHA1 1da7357c75fd74ee93206cc7a35e03cc9b327da7
SHA256 c2e921bd0bc0ff049db43bb120d7338d2eb51228e732727187268d26810df16d
SHA512 0e6294f4395ffcf2456213f701ffb844ea2b2822c05aec1cb683f948b6dfd2393ee06ffb50fa035da8692bbccefeafb804677d0be0cf1b16fca673d5f8194d78
-
Filesize 567KB
MD5 ffa8e311b03e0086a9c124ebc241f9c1
SHA1 d06b1b1e91d9dd8f79e454490cedd277bb3827a1
SHA256 318c7d7b2def9fd2bcb2769b50087714f9d837e3b170b60284d708a9dd73a92c
SHA512 4e553eb9c05c3f80db89c4cbedeb444cbef4b4e221f8641429a55e2b1129dcd5a203d2723dbfa2e3ed576bc81603570b9d4df4e4043e7e696d0f9adfc10b9200
-
Filesize 27KB
MD5 29f288f751fbcea5cd75ea9774882787
SHA1 5a4c30382c63e29e848b681d39cc213c2198e12e
SHA256 711702eb24803788ce601996f90b7ef57eef1f764f7aaf3a96e2196ed4a9533e
SHA512 b7fc0a739b33e79232ef506393cf90297f4d41f165f34b5be50648d8a1967419e1f0ee369e809d5c142898824e8b5a3784106d33a2d1d72cd811d5352f4bbd60
-
Filesize 16KB
MD5 b2e89027a140a89b6e3eb4e504e93d96
SHA1 f3b1b34874b73ae3032decb97ef96a53a654228f
SHA256 5f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982
SHA512 93fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 471B
MD5 9abfa0026b796b2b4c474f15856623d5
SHA1 4bcac56e75dfac0dff2a1afe4dfccb38983ddf9d
SHA256 958b9885c158e596f721373a787b680dd30a793a5620545b6d038eb6761614bc
SHA512 12e703681f826a57fe73268611e49ec077e531427c16b034e45c9435e5faa19cf0b2117bd803b041501bf199965ccf4abc81c95639a6dbbb3777c64be137b568
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize 727B
MD5 acacf23d53fada183c9e96be5834f2c6
SHA1 64ad8008fe5a583fc141c68b77da4f768b24f57b
SHA256 3bf90b75af73cb7be45748ce7a0aa083cda22cb817fb5265496490102cca6d05
SHA512 11da415131ca37d9832f3f4e3e5ca2d3e9414b0c40233ff1a738eb7e95dcb9d4e0e7935b0e4bfa8d1f2e4b148926e9935c0b2051b83784b1bcf8a51eb8df20e5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 727B
MD5 7919a6e82e13fdbc3b9bceff3e812dd9
SHA1 9e7a44e513d57bd7caee81e3d53bf01d44dc06e1
SHA256 e6638bbbd6c7095af8928670b9a5ee874ecc1b40778cd1226614f1db6d4e7730
SHA512 6947c67e7c9a1281083ee1494ba504fa31d78c636650d7efcd12b4a16aaf78d1b077e2be3b94cf36d4fdc7fb70848ecdf76759f69b3f5c5bfe5d2563137482c5
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize 400B
MD5 4864edd0582ec3b79d84abf6fa9e6352
SHA1 ae2cf3f1b436406d58805029f74674bf327670be
SHA256 ed44ef8fe7e656259f2a6640c8cdff769110231ae1d72a3b2107ab12d234ce1d
SHA512 985f530b2ba75285aebbca5f9cb2859b64eaacb99464a66c5e9480efc6893a6e8dd8519279f2349df666c856a96152278d583254123e1719d21b693c4efb172f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize 404B
MD5 5f7e36f49c862f21099b8b9e3a678412
SHA1 dc5237fa97452485f4da6fe2a5e9b973e211615a
SHA256 a18912361ad57e852b792ed5659c0c3b8aac021dd85eee01b28e5421b55ad5f7
SHA512 70ddedf0e7b0144148705aabe05afef0c1e7835196c2ceed2804f5ee17dbbccafb97cb3deb84d040beb1b4852d2ab060367e7b663f838088eeb99e62b9ae6731
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 412B
MD5 2513f7fdf207bf4ce1b9a14bfba7bc3f
SHA1 d1324b52f8fc939fe9a5f1ea4133999784b8aaeb
SHA256 c2c378f3f204d5a97060b1eee0c9154493955c56cfd83a59bec11e55e672e0dd
SHA512 e098ab0644c39b56efac31f844fdd6a59c1329d0c03ce128fb427bcce2d8423c26846b7143cb06126f989c1bcc40036e34c6e58e26053db79bf0a2e7a276befe
-
Filesize 4.5MB
MD5 2ad8fa8566819c976074bb69952b696f
SHA1 483102e5db40d2f0f1c43c0ff8db21e67ec15149
SHA256 1276f6941cb2f9f852c43843b9a921dea6c4999a49b1f9fa6530f619be730e5e
SHA512 ed48dedaaf90463a64dd2bcdf5a2858cafbb59e3a914e58a24cb2e1481a8eab9fa91de7ad8e403bc89bba0940132e56aa0e0f3ce1635cad025db28a61db24f90
-
Filesize 1KB
MD5 1af5819fdd9eb400a9a511d6ad0d2895
SHA1 dbfc9cde51dcf09e87495be4fa40997de434f268
SHA256 f864f1cf177c104ec6fc25520fe58dd502ea163c77219c4ad0c59ba929253797
SHA512 b0cdbbac53ae163e7a5131649ff241757e61c18910d10aa1f157d3376f61fd612dd2aeebd2d31d8259e6bebd5aa2114991f357e173cc595508629192841923b8
-
Filesize 275KB
MD5 672e03b9d7a2d50f3e935909a198928b
SHA1 6cc8a45126243c6ad8a6336ef1789e6a8b5dd33f
SHA256 c4772f8a8761f052bd0336923539699ba2f358ac203beb197cda576146e05a0d
SHA512 bf5833ea48942319d560fb4dad62997fa5495e0d9c634361d919d3328364d0f4a999dfb56590d48227c3690d8a867b022f6d5fd01c46f27d2ad6421d88380372
-
Filesize 19KB
MD5 4db38e9e80632af71e1842422d4b1873
SHA1 84fe0d85c263168487b4125e70cd698920f44c53
SHA256 4924aad650fa0f88c6fc6ca77068d73f70f0d0866a98212b615290ffb0b04efa
SHA512 9ce1e75b11e43369fe2320cf52bef856170385a8e898a934c735cb92a8399e5e612a54b248579687c372dae58e47e05d9095116313aea9555cf2358944252d77
-
Filesize 179KB
MD5 1a5caea6734fdd07caa514c3f3fb75da
SHA1 f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256 cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512 a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize 211KB
MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize 192KB
MD5 f9d9cb41b549a1466c7496f51edefee2
SHA1 385bd00473e116e27d69ac58792bb5496e226edf
SHA256 6b4247b98ec8bcc42a796ed706917a355012d1caa45c2889a57ac8366ddc6085
SHA512 8a4e06e180a61d5f1b0a2f2890c22caacc05909c1302ec935379f898d9aab3df0f526d9218c55731c3013b5d7353a21f5dc2a03f1d9aacb91593d03d6561d898
-
Filesize 49.1MB
MD5 8ea7e4e29322afde0c01a5745f7992ba
SHA1 4fede6c44392940b859d29e47501d9971dad9848
SHA256 06db65d83a7627a8fb06d0c570bc08df29277b298fc1f4d3e7d6beb14df7d4bc
SHA512 e5e19e2c137b794ff971e383c94d740720f7202948d2ef82bf80f4c23e831f90f5827630a8e43e3fafc67bd8c6ae4b629fa9ae1e4b5ec03faa4510cbf4327413
-
Filesize 4KB
MD5 26e3e31b5471a4890ee90b3c4103cc87
SHA1 659d75459e63ba0264aa74afb4382ca3f308951c
SHA256 0286045cc46ba55c25f6da06b6236c57d96e6cf49b6c192efdbd67b8bd17b3eb
SHA512 d74b0fd778518eb90d9aeb7f9d0628f692619cf96e246b1453360be97121386076cbbeedce749728f24846468fbc643e21c29ba94c9e6e1174629907aae1c549
-
Filesize 2KB
MD5 e29795a9c862791e436352896f1bbdb0
SHA1 b92713ebe2a13085f1910e73e545bfbae97f99e1
SHA256 16d2f34ec52c71f39e1ae03c2f4840c23318f91e8efba678f1a44d17f84afc26
SHA512 55ed1b98f759940291b9e3ea45b8ca27367816b9e18fe7c35887a222d83ef0d178b3d4a241344654c43d48122cf77296fb968f73086f87a76e080654212111ef
-
Filesize 5KB
MD5 05a1c34b2ddf2bd9ce2b539230e034f4
SHA1 940fa7a9d5f050f6f119e35c5ee0288c2d1da607
SHA256 f88426681ea6df9c248f697c3ed5c4e46028a5b108c5e675d5cfea29ef413c98
SHA512 4a100bbd2b319acce8361d8e0baf0914fa86b0ef84998e42ed83f91216c09ac5c6f7106d948b0cab287992f4b1cc3727d2455b5d6efc10c937b0aa5688a3f7bd
-
Filesize 52.2MB
MD5 59e70b73490996efadd047db10f13a97
SHA1 9b91c2a3899514a2e1ae0aa577a6aa81ec038eef
SHA256 04c3215b847240f1c9710a3c55fddff4ee9676c590951cf9ba7cd45c4aeb5fa4
SHA512 b5cc698ca5271d6c86255a069e97691a406904227aa3d2861cd4039ec1c26689609f0c5c9f72fd98e6ea01e571687d4cfe4f87c11bf87aec3172eaab5c25314e
-
Filesize 3KB
MD5 560af444a6a7faa0b0ca94dc16ca2a58
SHA1 df31453fafde354870a0a9a8ca50b18e284c32e4
SHA256 94739ca46676bd602a78671257fbfce39feaabc9664c6326bf4970a0108e3429
SHA512 7c853176c088d56a517e52c6687b6debf08f6f9726376720ade9d13fafc9be0ca72f0f2b35562a61ece653aeb789c838c60447f463b2bbe70c21bfc8c039b681
-
Filesize 10KB
MD5 56a321bd011112ec5d8a32b2f6fd3231
SHA1 df20e3a35a1636de64df5290ae5e4e7572447f78
SHA256 bb6df93369b498eaa638b0bcdc4bb89f45e9b02ca12d28bcedf4629ea7f5e0f1
SHA512 5354890cbc53ce51081a78c64ba9c4c8c4dc9e01141798c1e916e19c5776dac7c82989fad0f08c73e81aaba332dad81205f90d0663119af45550b97b338b9cc3
-
Filesize 4KB
MD5 5a3df0de9d80c27170fa81cd49d5d4d3
SHA1 789fb2c517bdeeabd4391a9f5c2ee4feccaec25c
SHA256 79219352d8bfb1fa33019204873427b60e8b5b467ee174efe23d6d8e0115782d
SHA512 1f5385efe08668507a490c17701fb3a7ec9232225f4079a20400f4b684edacdc02bd70c5d3c4e9363e02d0c2ed1b3d6d444d43f892e3e0a159e0586ab879dfe6
-
Filesize 5KB
MD5 9f7452980df4bee2ba668160642700c5
SHA1 82ad8a5dc86d67a1a21e71d7e76327fb2595c9b1
SHA256 8c78d84ae940b2becf6d18d569fa812efc97087222bc2b089f3f076d15bf1ba4
SHA512 efdf616f7101c5e754d77a2f34385678491a07941d9ad632cb9a40206e45c6ae1034edee56ca8786303568fdde95e7e4ba8ae7d0349a514eab8bdd42fe26ffae
-
Filesize 2.7MB
MD5 6a93028122ca116eacae296d1d5b2696
SHA1 82b26b1f9dfd19c90508b6d8e2ea482ed93c0736
SHA256 a60db6d81fdd5174b6e5bc21dc4497dd9e1c2b19b3393584adb2aa10e711bb5f
SHA512 d11c049385205b32803ff463df3f87390f12c5e59cba725f707fe8ce2401d9c7a74c9eb23af96563edfc57f267f65ef3c1ce86d94467cafd2fa149ad5e93701b
-
Filesize 538B
MD5 cbe2e79acebb14d0922b094e65a0f4b6
SHA1 47dc9082b099919048029994a7e85e0773a66e6c
SHA256 896e08da4b5a13b3a67ad54cb847285efddd96208b645cbf8d9ba6ddb9deb09d
SHA512 2ec052d8187b75273b1e9056301a654ae4ac55c7dfead004676239447a2888bbe07a5bc057824e0a7f2156993a8b23c2c2e6fde3e30dc70f8bf1bca68de54fdf
-
Filesize 181KB
MD5 28abb4a512eeecdc2a7996df8896622f
SHA1 01885f11e9a7eebdceab7ae234ebbd6336bedef4
SHA256 fa5331562c929e748e92de08836729bd94d9f07056dc75ce9181342f64460815
SHA512 c7bd74911ba78a501f6a4b4349af288bc63f9688d28a9c880f8618bcc50df06e9472e21be92f35eb720c52b010c07819c0b57339856f538864d73ef8c9bf47ca
-
Filesize 179KB
MD5 7a1c100df8065815dc34c05abc0c13de
SHA1 3c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256 e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512 bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize 343KB
MD5 43454a76a06dc9ec2ccd6be7eacfc025
SHA1 6fdf1b80dd62d159dd9e6fa52ef7d6a72634ffb5
SHA256 04171540d4dad2237035075aa6175a0b5752fc16a19b91789cc33ca9cce08998
SHA512 3d70eb04d83f5e51a272571cbfe9916b86e12f75b7de9fe098fe1982c8758b140f3cafe05e860b80ed2fa00f90c719e8b93b443d8a39bf6881116706690d05d5
-
Filesize 427KB
MD5 85315ad538fa5af8162f1cd2fce1c99d
SHA1 31c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA256 70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512 877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize 1.8MB
MD5 befe2ef369d12f83c72c5f2f7069dd87
SHA1 b89c7f6da1241ed98015dc347e70322832bcbe50
SHA256 9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512 760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9
Filesize 727B
MD5 22da0d8f64f6e0ada177d89231b0966d
SHA1 bffdc1244a666a7bfe9d493f1c74d39e4b3153f5
SHA256 9febeea3bcd4c7e2634ef104b36ba79106d111034ea50de571b3dd6130b71925
SHA512 979b9d7be728ded8ff8682f11509d96f9f048fa028166a68190f7e33e1e4b3112542e1a3573b9ecc92739aa160e6852393d48123ba4bf239390b8f42a17c2174
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9
Filesize 408B
MD5 7076d9a40fe38e49e746dfb0341dfb43
SHA1 2b308a9dbba303062d062548445dbde4f67677dd
SHA256 9805fcd3a2e158fd131aaadb5d262cec1f1a504cad61326751efb1934a2b073e
SHA512 ce5427c4af3830fd32af26100bb41258c966cac5eeb75dd11b6dfa9df71a367df2fa5aba8df2dacf9dcc7b83e389369010906c5f655028f945e3d8d5a6a4ac3c
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 412B
MD5 b5f71b0aca369143b7ea34d0e5288ab7
SHA1 add2de54bac5537548fb11c9417ab2b8e2206297
SHA256 7fc71b5365df881a4a7af9984b43d64c4c925634b8787276feaaf1727619e5c3
SHA512 af8e0784e958df256920bcb8e22469b10f5f2cb8c1a9ef84fcbf3c2857d88b07a16bf5033b0a31ac86ff874c18759d8733a8d5cb783e4fb162ade8594225d2f4
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Filesize 1KB
MD5 e96c8d2aabf9b24de725a25342bca261
SHA1 1b273ccb6660b2659c735d9a31ea5e14d3af70bf
SHA256 8fe942027d0e728c075281385535acd62e1b226c2c44dc58d2e6144c5c9d5ab7
SHA512 fdf1fcb0235df8883220bba56ce614d09a9c4ae20efc4b97d22761279f550803be62c962b5f0e28b629eb539ab9684bf18cd2c896075d31736ad6e35c84f5a2f
-
Filesize 8.5MB
MD5 74bea0d3f9a79b51f4163d7c034e4ca4
SHA1 c0c0ce1b37803ca6c558921792bfc40ff5c60d15
SHA256 92143064692a02d6a7d4cb4a28b0135819420d900508129b7bea5ae6d94905cc
SHA512 6554d5d740cfe4322c5e5c2ca16b4a43f924800b7318ec0b31c46732242bac7f867c1b2977584fa56a6a79bc56da75abe18ff2d4d11d5a3575909a8c0f8c919f
-
\??\Volume{14f6f45c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{921d4f34-c56d-4556-a633-c3e7f85b85f8}_OnDiskSnapshotProp
Filesize 6KB
MD5 a1da8522bed7bde90bf1d98019e383cd
SHA1 10ac3f833a53a06da299379dedcfe24942b861f0
SHA256 783bbc830dd433dca83e5d1acb6648f429e35d2555bb14bed8b53f7db57cd5ed
SHA512 62d738060811e4a8d0cf1532c8f8634a4ed41186059b9a3780528a95014330f33b023aba0ca678ed96b4c830b18ace560835d5a80528cc29214f2b156ca5216a
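As extracted from the report page, each entry of this dropped-files listing arrives in one of two shapes: the field label fused to its value ("Filesize50KB", "MD5359325...") or the label and its value on separate lines, and most entries carry no path at all. The Python below is an added example, not part of the tria.ge report, that parses both shapes (and the space-separated "Label value" form), checks that every digest has the hex length its algorithm requires so that a label split at the wrong place is caught rather than silently producing a bad indicator, records which entries cannot be located on disk, and sorts the located ones into coarse triage buckets by path. It assumes the report's size suffixes are binary units (1 KB = 1024 bytes). The sample input is constructed: the AteraAgent entry copied from this listing in the fused shape, followed by the 9KB entry in the split shape with its SHA512 line deliberately removed so validation has something to report.

```python
import re
from dataclasses import dataclass, field

# Hex length of each digest as the report prints it; any other length means the
# label and value were split at the wrong place during extraction.
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
SIZE_UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2, "GB": 1024 ** 3}  # assumption: binary units
# Field label with its value fused ("MD5359325..."), space-separated, or absent (bare "MD5").
LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(\S*)\s*$")
HEX_RE = re.compile(r"^[0-9a-f]+$")
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)(B|KB|MB|GB)$")

@dataclass
class DroppedFile:
    path: "str | None" = None
    size: "str | None" = None
    digests: dict = field(default_factory=dict)
    problems: list = field(default_factory=list)

    def size_bytes(self) -> "int | None":
        m = SIZE_RE.match(self.size or "")
        return int(float(m.group(1)) * SIZE_UNITS[m.group(2)]) if m else None

    def validate(self) -> None:
        if self.path is None:
            self.problems.append("no path: entry can only be hunted by hash")
        if self.size_bytes() is None:
            self.problems.append(f"unparseable size {self.size!r}")
        for algo, want in DIGEST_LEN.items():
            got = self.digests.get(algo, "")
            if len(got) != want or not HEX_RE.match(got):
                self.problems.append(f"{algo} missing or not {want} hex chars: {got!r}")

def _store(rec: DroppedFile, label: str, value: str) -> None:
    if label == "Filesize":
        rec.size = value
    else:
        rec.digests[label] = value.lower()

def _flush(rec: DroppedFile, out: list) -> None:
    if rec.path or rec.size or rec.digests:
        rec.validate()
        out.append(rec)

def parse_dropped_files(text: str) -> list:
    records, cur, pending = [], DroppedFile(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":                    # a lone dash closes an entry
            _flush(cur, records)
            cur, pending = DroppedFile(), None
            continue
        if pending is not None:            # value that extraction pushed onto its own line
            _store(cur, pending, line)
            pending = None
            continue
        m = LABEL_RE.match(line)
        if m:
            label, value = m.groups()
            if value:
                _store(cur, label, value)
            else:
                pending = label
        elif cur.path is None and cur.size is None and not cur.digests:
            cur.path = line                # first non-field line of an entry is its path
        else:
            cur.problems.append(f"unexpected line {line!r}")
    _flush(cur, records)
    return records

def classify(rec: DroppedFile) -> str:
    """Coarse triage bucket: signature-check side effects vs. files worth hunting."""
    p = (rec.path or "").lower()
    if rec.path is None:
        return "unlocated"
    if "\\cryptneturlcache\\" in p:
        return "cryptoapi-cache"           # CRL/OCSP/cert fetched while validating a signature
    if "\\clr_v4.0\\usagelogs\\" in p:
        return "clr-usage-log"             # .NET runtime log: evidence the named exe executed
    return "dropped-file"

# Constructed sample: the AteraAgent entry (fused shape) and the 9KB entry (split shape, SHA512 removed).
SAMPLE = r"""
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize50KB
MD5359325e26281f6d0f1d8301710d8fdb2
SHA12ed1ea282a138b394fe0db4d9d403896e34102bc
SHA256edaf1c2640f2fef085003fc7f831447fbef391d1eeb0aa9ca5ebc021a4759869
SHA512fcbef79be0ef4b5c3b46ff9c4f29b2b75b82b32c52792d045a53f2ff2d1ff711339474420a09b2dd315493416b41d4a1a794f867f9717e5e876a5536ad962ce3
-
Filesize
9KB
MD51ef7574bc4d8b6034935d99ad884f15b
SHA1110709ab33f893737f4b0567f9495ac60c37667c
SHA2560814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
-
"""
```

Two of the buckets deserve a word when reading the listing above. The CryptnetUrlCache files, under both the Admin profile and the systemprofile directory, are CryptoAPI's cache of certificates and revocation data fetched while Windows validated signatures during the run; they are a side effect of that validation rather than something the installer chose to write, and they make poor indicators. The CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log entry is the .NET runtime's usage log, which only exists once the named executable has run, here under the LocalSystem profile. The hashes of the pathless entries remain usable for hunting, but the path and size context that would normally distinguish an Atera upgrade package from anything else is missing for them.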