Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
31-10-2024 02:03
Behavioral task
behavioral1
Sample
0d47740bf97710835ebe91ac545ff0da45d81b54dfb8e2dea485fe5a123ae468.msi
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
0d47740bf97710835ebe91ac545ff0da45d81b54dfb8e2dea485fe5a123ae468.msi
Resource
win10v2004-20241007-en
General
-
Target
0d47740bf97710835ebe91ac545ff0da45d81b54dfb8e2dea485fe5a123ae468.msi
-
Size
2.9MB
-
MD5
2ba70a300e16d1b51bd103de907777d8
-
SHA1
9774343aeb3b6f06593fc84a59422ef3b8cce66b
-
SHA256
0d47740bf97710835ebe91ac545ff0da45d81b54dfb8e2dea485fe5a123ae468
-
SHA512
a2ba8694ea4d014e4103ed02d11ba7309d0ce0f290f55f0d671710cdf61f6d06d976531469686325965966a2d9cd5a0b3a69f47ca5b351b40da03ffaf15d47bb
-
SSDEEP
49152:h+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:h+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
Processes:
resource yara_rule behavioral2/files/0x0008000000023c77-236.dat family_ateraagent -
Blocklisted process makes network request 7 IoCs
Processes:
msiexec.exerundll32.exerundll32.exeMsiExec.exerundll32.exerundll32.exeflow pid Process 4 4300 msiexec.exe 7 4300 msiexec.exe 38 2500 rundll32.exe 42 368 rundll32.exe 88 5480 MsiExec.exe 135 5312 rundll32.exe 164 660 rundll32.exe -
Drops file in Drivers directory 6 IoCs
Processes:
DrvInst.exeDrvInst.exedescription ioc Process File opened for modification C:\Windows\System32\drivers\UMDF\lci_iddcx.dll DrvInst.exe File opened for modification C:\Windows\System32\drivers\SETA93B.tmp DrvInst.exe File created C:\Windows\System32\drivers\SETA93B.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\lci_proxywddm.sys DrvInst.exe File opened for modification C:\Windows\System32\drivers\UMDF\SETAA45.tmp DrvInst.exe File created C:\Windows\System32\drivers\UMDF\SETAA45.tmp DrvInst.exe -
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
AgentPackageMonitoring.exeAgentPackageMonitoring.exedescription ioc Process File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe -
Drops file in System32 directory 64 IoCs
Processes:
DrvInst.exeDrvInst.exeAteraAgent.exeAgentPackageADRemote.exeAgentPackageMarketplace.exeMsiExec.exeAgentPackageSystemTools.exeDrvInst.exeAteraAgent.exeSRManager.exeAgentPackageInternalPoller.exeAteraAgent.exeAteraAgent.exeAgentPackageHeartbeat.exeAgentPackageSTRemote.exeAgentPackageUpgradeAgent.exeAgentPackageOsUpdates.exeAgentPackageRuntimeInstaller.exerundll32.exerundll32.exeAgentPackageMonitoring.exedescription ioc Process File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_iddcx.inf_amd64_b68cf383a51d03e9\lci_iddcx.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a} DrvInst.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log AgentPackageADRemote.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log AgentPackageMarketplace.exe File created C:\Windows\System32\DriverStore\Temp\{ca9aad7d-55f2-2c48-8035-1f18ac6a1d92}\x64\SETA6AB.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ca9aad7d-55f2-2c48-8035-1f18ac6a1d92}\x64\lci_iddcx.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxywddm.sys DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft MsiExec.exe File opened for modification C:\Windows\system32\SRCredentialProvider.dll MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log AgentPackageSystemTools.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\x64 DrvInst.exe File opened for modification C:\Windows\SysWow64\lci_proxyumd32.dll DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB SRManager.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\SETA807.tmp DrvInst.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log AgentPackageInternalPoller.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ca9aad7d-55f2-2c48-8035-1f18ac6a1d92}\x64\SETA6AB.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\lci_proxywddm.cat DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxyumd.dll DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log AgentPackageHeartbeat.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ca9aad7d-55f2-2c48-8035-1f18ac6a1d92}\lci_iddcx.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{ca9aad7d-55f2-2c48-8035-1f18ac6a1d92}\SETA6AD.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxyumd32.dll DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\lci_proxywddm.inf DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log AgentPackageSTRemote.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log AgentPackageUpgradeAgent.exe File created C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\x64\SETA804.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\SETA806.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\lci_proxywddm.inf DrvInst.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log AgentPackageOsUpdates.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\x64\SETA7F3.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\x64\SETA804.tmp DrvInst.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log AgentPackageRuntimeInstaller.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log rundll32.exe File created C:\Windows\System32\DriverStore\Temp\{ca9aad7d-55f2-2c48-8035-1f18ac6a1d92}\SETA6AC.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_iddcx.inf_amd64_b68cf383a51d03e9\x64\lci_iddcx.dll DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\x64\SETA805.tmp DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File created C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\lci_proxywddm.PNF rundll32.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log AgentPackageMonitoring.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log AteraAgent.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ca9aad7d-55f2-2c48-8035-1f18ac6a1d92}\lci_iddcx.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{ca9aad7d-55f2-2c48-8035-1f18ac6a1d92} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\x64\SETA805.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\lci_proxywddm.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{34b667e4-4502-b149-8b59-c2f9ac84214a}\SETA807.tmp DrvInst.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E MsiExec.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Processes:
resource yara_rule behavioral2/memory/6040-1144-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/6040-1146-0x0000000072310000-0x00000000726D4000-memory.dmp upx behavioral2/memory/6040-1145-0x00000000726E0000-0x00000000727FC000-memory.dmp upx behavioral2/memory/5232-1163-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/5420-1164-0x00000000726E0000-0x00000000727FC000-memory.dmp upx behavioral2/memory/5232-1193-0x0000000072310000-0x00000000726D4000-memory.dmp upx behavioral2/memory/5232-1190-0x00000000726E0000-0x00000000727FC000-memory.dmp upx behavioral2/memory/5420-1165-0x0000000072310000-0x00000000726D4000-memory.dmp upx behavioral2/memory/5420-1162-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/6040-1225-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/6040-1232-0x00000000726E0000-0x00000000727FC000-memory.dmp upx behavioral2/memory/6040-1239-0x0000000072310000-0x00000000726D4000-memory.dmp upx behavioral2/memory/5420-1275-0x00000000726E0000-0x00000000727FC000-memory.dmp upx behavioral2/memory/5232-1274-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/5232-1278-0x0000000072310000-0x00000000726D4000-memory.dmp upx behavioral2/memory/5232-1277-0x00000000726E0000-0x00000000727FC000-memory.dmp upx behavioral2/memory/5420-1276-0x0000000072310000-0x00000000726D4000-memory.dmp upx behavioral2/memory/5420-1273-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/6040-1272-0x0000000072310000-0x00000000726D4000-memory.dmp upx behavioral2/memory/6040-1271-0x00000000726E0000-0x00000000727FC000-memory.dmp upx behavioral2/memory/6040-1270-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/6040-2170-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/5420-2484-0x00000000726E0000-0x00000000727FC000-memory.dmp upx behavioral2/memory/5420-2483-0x0000000072800000-0x00000000728FD000-memory.dmp upx behavioral2/memory/5420-2485-0x0000000072310000-0x00000000726D4000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exeAteraAgent.exeAgentPackageProgramManagement.exeAteraAgent.exeSRService.exeAgentPackageAgentInformation.exeAgentPackageMonitoring.exeAgentPackageAgentInformation.exeAteraAgent.exedescription ioc Process File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDxgiHelper.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\Microsoft.Win32.TaskScheduler.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\chocolatey.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.dll.manifest AgentPackageProgramManagement.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config AgentPackageProgramManagement.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\STRLOG\splashtop.bl msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\RestartReminder.exe.config AteraAgent.exe File opened for modification C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\svcinfo.txt SRService.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch AgentPackageAgentInformation.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x86\lci_proxywddm.sys msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Reflection.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyInstallPackage.ps1 AgentPackageProgramManagement.exe File opened for modification C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\log.txt AgentPackageMonitoring.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdnup.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-UACEnabled.ps1 AgentPackageProgramManagement.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\install.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.ZipFile.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\System.Management.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_proxywddm.cat msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\NLog.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Buffers.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\stprintmon.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdCMYKPrinter.icc msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Security.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Runtime.CompilerServices.Unsafe.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.X509Certificates.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\update.cch AgentPackageAgentInformation.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\UserDetections.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\chocolateyScriptRunner.ps1 AgentPackageProgramManagement.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\NLog.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XDocument.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch AgentPackageAgentInformation.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\license.txt msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnames.gpd msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\System.Diagnostics.DiagnosticSource.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\es\Microsoft.Win32.TaskScheduler.resources.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exe.ignore AgentPackageProgramManagement.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Runtime.CompilerServices.Unsafe.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver64.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver64.bat msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.inf msiexec.exe -
Drops file in Windows directory 64 IoCs
Processes:
msiexec.exerundll32.exerundll32.exerundll32.exerundll32.exeDrvInst.exerundll32.exeDrvInst.exerundll32.exesvchost.exeDrvInst.exerundll32.exerundll32.exedescription ioc Process File opened for modification C:\Windows\Installer\MSIBD18.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSICC7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1D72.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3756.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI81C0.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB611.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB854.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\e57b57e.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI81C0.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI88F6.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File created C:\Windows\inf\oem4.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIACB4.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57b575.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIB854.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB854.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBD18.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\e57b578.msi msiexec.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIACB4.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\e57b575.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIBD18.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBD18.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI3B3F.tmp msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSIACB4.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB854.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSI88F6.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIBE90.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC858.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC858.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI19F7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4013.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI88F6.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB611.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBD18.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\e57b577.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIC858.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\e57b57e.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI88F6.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB611.tmp-\Newtonsoft.Json.dll rundll32.exe File created C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI24B7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2515.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8423.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI8423.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI907B.tmp msiexec.exe File created C:\Windows\Installer\e57b58c.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIB611.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIB854.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC858.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB0F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIB611.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB854.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIBD18.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBF7D.tmp msiexec.exe File created C:\Windows\Installer\e57b578.msi msiexec.exe File opened for modification C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI8423.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI90CA.tmp msiexec.exe File opened for modification C:\Windows\inf\oem4.inf DrvInst.exe -
Executes dropped EXE 64 IoCs
Processes:
AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAteraAgent.exeAgentPackageSTRemote.exeAgentPackageMonitoring.exeAgentPackageAgentInformation.exeSplashtopStreamer.exePreVerCheck.exe_isD3A.exe_isD3A.exe_isD3A.exe_isD3A.exe_isD3A.exe_isD3A.exe_isD3A.exe_isD3A.exe_isD3A.exe_isD3A.exe_is1A99.exe_is1A99.exe_is1A99.exe_is1A99.exe_is1A99.exe_is1A99.exe_is1A99.exe_is1A99.exe_is1A99.exe_is1A99.exe_is25C5.exe_is25C5.exe_is25C5.exe_is25C5.exe_is25C5.exe_is25C5.exe_is25C5.exe_is25C5.exe_is25C5.exe_is25C5.exeSetupUtil.exeSetupUtil.exeSetupUtil.exeSRSelfSignCertUtil.exe_is3799.exe_is3799.exe_is3799.exe_is3799.exe_is3799.exe_is3799.exe_is3799.exe_is3799.exe_is3799.exe_is3799.exeSRService.exe_is3BD1.exe_is3BD1.exe_is3BD1.exe_is3BD1.exe_is3BD1.exe_is3BD1.exe_is3BD1.exe_is3BD1.exepid Process 3512 AteraAgent.exe 2808 AteraAgent.exe 4692 AgentPackageAgentInformation.exe 928 AgentPackageAgentInformation.exe 368 AgentPackageAgentInformation.exe 2616 AteraAgent.exe 4056 AgentPackageSTRemote.exe 1492 AgentPackageMonitoring.exe 452 AgentPackageAgentInformation.exe 1432 SplashtopStreamer.exe 5296 PreVerCheck.exe 5704 _isD3A.exe 5764 _isD3A.exe 5800 _isD3A.exe 5832 _isD3A.exe 5864 _isD3A.exe 5940 _isD3A.exe 5984 _isD3A.exe 6028 _isD3A.exe 6060 _isD3A.exe 6092 _isD3A.exe 5912 _is1A99.exe 6080 _is1A99.exe 5928 _is1A99.exe 6100 _is1A99.exe 5148 _is1A99.exe 2876 _is1A99.exe 4956 _is1A99.exe 5336 _is1A99.exe 5284 _is1A99.exe 5672 _is1A99.exe 5812 _is25C5.exe 5852 _is25C5.exe 5968 _is25C5.exe 5896 _is25C5.exe 5872 _is25C5.exe 6028 _is25C5.exe 6072 _is25C5.exe 6120 _is25C5.exe 5156 _is25C5.exe 5164 _is25C5.exe 1324 SetupUtil.exe 2064 SetupUtil.exe 2876 SetupUtil.exe 5820 SRSelfSignCertUtil.exe 5988 _is3799.exe 5984 _is3799.exe 6080 _is3799.exe 6128 _is3799.exe 928 _is3799.exe 4604 _is3799.exe 4956 _is3799.exe 5336 _is3799.exe 5284 _is3799.exe 5424 _is3799.exe 5204 SRService.exe 5528 _is3BD1.exe 5540 _is3BD1.exe 3972 _is3BD1.exe 892 _is3BD1.exe 4496 _is3BD1.exe 4912 _is3BD1.exe 5660 _is3BD1.exe 5680 _is3BD1.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exepid Process 4956 sc.exe 1428 sc.exe 4748 sc.exe 5876 sc.exe 736 sc.exe -
Loads dropped DLL 64 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exerundll32.exeMsiExec.exerundll32.exeAgentPackageMonitoring.exeMsiExec.exeSRManager.exeSRServer.exeSRAgent.exepid Process 2776 MsiExec.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2040 rundll32.exe 2776 MsiExec.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2500 rundll32.exe 2776 MsiExec.exe 3916 rundll32.exe 3916 rundll32.exe 3916 rundll32.exe 3916 rundll32.exe 3916 rundll32.exe 2776 MsiExec.exe 3920 MsiExec.exe 3920 MsiExec.exe 2776 MsiExec.exe 368 rundll32.exe 368 rundll32.exe 368 rundll32.exe 368 rundll32.exe 368 rundll32.exe 368 rundll32.exe 368 rundll32.exe 1492 AgentPackageMonitoring.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 5480 MsiExec.exe 6040 SRManager.exe 5480 MsiExec.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 5420 SRServer.exe 5420 SRServer.exe 5232 SRAgent.exe 6040 SRManager.exe 6040 SRManager.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 60 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
NET.exeMsiExec.exeSetupUtil.exeSetupUtil.exeSRManager.exeSRUtility.exerundll32.exetaskkill.exetaskkill.exerundll32.exeMsiExec.exeSRUtility.exenet1.execmd.execmd.exeSRSelfSignCertUtil.exeSRAppPB.exetaskkill.exetaskkill.exeSRAgent.exerundll32.exerundll32.exeTaskKill.exerundll32.exeSRService.exerundll32.exeTaskKill.exeNET.exenet1.exetaskkill.exeSRService.exerundll32.exeNET.execmd.exetaskkill.exenet1.execmd.exetaskkill.exeSRVirtualDisplay.exeTaskKill.exemsiexec.exetaskkill.exeSRServer.exeSRFeature.execmd.execmd.execmd.execmd.execmd.exetaskkill.exeSetupUtil.exeSplashtopStreamer.exetaskkill.exeSRService.exerundll32.exeMsiExec.exePreVerCheck.execmd.exeMsiExec.exeSRUtility.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRSelfSignCertUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAppPB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRVirtualDisplay.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRFeature.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashtopStreamer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PreVerCheck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe -
System Time Discovery 1 TTPs 4 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
Processes:
cmd.exedotnet.execmd.exedotnet.exepid Process 440 cmd.exe 6072 dotnet.exe 1560 cmd.exe 6328 dotnet.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
DrvInst.exeDrvInst.exesvchost.exeDrvInst.exeDrvInst.exerundll32.exevssvc.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID rundll32.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DrvInst.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID rundll32.exe -
Kills process with taskkill 13 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exeTaskKill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTaskKill.exeTaskKill.exetaskkill.exetaskkill.exepid Process 5584 taskkill.exe 4532 taskkill.exe 2572 taskkill.exe 5844 taskkill.exe 4640 TaskKill.exe 2224 taskkill.exe 5420 taskkill.exe 3768 taskkill.exe 5700 taskkill.exe 1852 TaskKill.exe 1516 TaskKill.exe 5144 taskkill.exe 5312 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
AteraAgent.exeAgentPackageAgentInformation.execscript.exeAteraAgent.exeSRManager.exemsiexec.exerundll32.execscript.exeSetupUtil.execscript.exeAgentPackageInternalPoller.exeDrvInst.exeDrvInst.exeAteraAgent.exeMsiExec.exeAteraAgent.exeAgentPackageMonitoring.exeAgentPackageMonitoring.exemsiexec.exeAteraAgent.exeSRVirtualDisplay.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AgentPackageAgentInformation.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness SRManager.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\Sequence = "1" msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" SetupUtil.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageInternalPoller.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageMonitoring.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageMonitoring.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates cscript.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E AgentPackageMonitoring.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" SRVirtualDisplay.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs MsiExec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" AgentPackageMonitoring.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates cscript.exe -
Modifies registry class 64 IoCs
Processes:
msiexec.exeMsiExec.exeAgentPackageTicketing.exeSRService.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\1 = "DISK1;1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open AgentPackageTicketing.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8\49AE5C7BA69B5F14EB59527DB8846687 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net\1 = "C:\\Windows\\TEMP\\unpack\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductName = "Splashtop Streamer" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\PackageName = "setup.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\unpack\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\DeploymentFlags = "3" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} SRService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon\ = "C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe,1" AgentPackageTicketing.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "0d47740bf97710835ebe91ac545ff0da45d81b54dfb8e2dea485fe5a123ae468.msi" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Version = "17301511" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductIcon = "C:\\Windows\\Installer\\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\\ARPPRODUCTICON.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe -a %1" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\ = "URL:ait Protocol" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell AgentPackageTicketing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\ProductName = "AteraAgent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Net\1 = "C:\\Windows\\TEMP\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\ = "SRCredentialProvider" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Version = "50790402" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\DefaultIcon MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\PackageName = "ateraAgentSetup64_1_8_7_2.msi" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Language = "1033" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open MsiExec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF1292B61C97FBE4184B6C604D5EEB4F msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\FF1292B61C97FBE4184B6C604D5EEB4F msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList msiexec.exe -
Processes:
AteraAgent.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f7e00000001000000080000000080c82b6886d7017f000000010000000c000000300a06082b060105050703031d000000010000001000000052135310639a10f77f886b229b9f7afc1400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab553000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d0020004700320000000f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa42000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exeAteraAgent.exeAgentPackageSTRemote.exeSetupUtil.exeSRSelfSignCertUtil.exeSRService.exeSRManager.exeSRAgent.exeSRAppPB.exeSRServer.exepid Process 2960 msiexec.exe 2960 msiexec.exe 2808 AteraAgent.exe 2808 AteraAgent.exe 2808 AteraAgent.exe 4056 AgentPackageSTRemote.exe 4056 AgentPackageSTRemote.exe 2808 AteraAgent.exe 2808 AteraAgent.exe 2876 SetupUtil.exe 2876 SetupUtil.exe 2876 SetupUtil.exe 2876 SetupUtil.exe 5820 SRSelfSignCertUtil.exe 5820 SRSelfSignCertUtil.exe 5888 SRService.exe 5888 SRService.exe 6040 SRManager.exe 6040 SRManager.exe 5888 SRService.exe 5888 SRService.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 5232 SRAgent.exe 5232 SRAgent.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 2600 SRAppPB.exe 2600 SRAppPB.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 2600 SRAppPB.exe 2600 SRAppPB.exe 5888 SRService.exe 5888 SRService.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 6040 SRManager.exe 5420 SRServer.exe 5420 SRServer.exe 5420 SRServer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid 4 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exerundll32.exeTaskKill.exedescription pid Process Token: SeShutdownPrivilege 4300 msiexec.exe Token: SeIncreaseQuotaPrivilege 4300 msiexec.exe Token: SeSecurityPrivilege 2960 msiexec.exe Token: SeCreateTokenPrivilege 4300 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4300 msiexec.exe Token: SeLockMemoryPrivilege 4300 msiexec.exe Token: SeIncreaseQuotaPrivilege 4300 msiexec.exe Token: SeMachineAccountPrivilege 4300 msiexec.exe Token: SeTcbPrivilege 4300 msiexec.exe Token: SeSecurityPrivilege 4300 msiexec.exe Token: SeTakeOwnershipPrivilege 4300 msiexec.exe Token: SeLoadDriverPrivilege 4300 msiexec.exe Token: SeSystemProfilePrivilege 4300 msiexec.exe Token: SeSystemtimePrivilege 4300 msiexec.exe Token: SeProfSingleProcessPrivilege 4300 msiexec.exe Token: SeIncBasePriorityPrivilege 4300 msiexec.exe Token: SeCreatePagefilePrivilege 4300 msiexec.exe Token: SeCreatePermanentPrivilege 4300 msiexec.exe Token: SeBackupPrivilege 4300 msiexec.exe Token: SeRestorePrivilege 4300 msiexec.exe Token: SeShutdownPrivilege 4300 msiexec.exe Token: SeDebugPrivilege 4300 msiexec.exe Token: SeAuditPrivilege 4300 msiexec.exe Token: SeSystemEnvironmentPrivilege 4300 msiexec.exe Token: SeChangeNotifyPrivilege 4300 msiexec.exe Token: SeRemoteShutdownPrivilege 4300 msiexec.exe Token: SeUndockPrivilege 4300 msiexec.exe Token: SeSyncAgentPrivilege 4300 msiexec.exe Token: SeEnableDelegationPrivilege 4300 msiexec.exe Token: SeManageVolumePrivilege 4300 msiexec.exe Token: SeImpersonatePrivilege 4300 msiexec.exe Token: SeCreateGlobalPrivilege 4300 msiexec.exe Token: SeBackupPrivilege 2644 vssvc.exe Token: SeRestorePrivilege 2644 vssvc.exe Token: SeAuditPrivilege 2644 vssvc.exe Token: SeBackupPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeDebugPrivilege 2500 rundll32.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeDebugPrivilege 4640 TaskKill.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe Token: SeTakeOwnershipPrivilege 2960 msiexec.exe Token: SeRestorePrivilege 2960 msiexec.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
msiexec.exeSRServer.exepid Process 4300 msiexec.exe 4300 msiexec.exe 5420 SRServer.exe 5420 SRServer.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
SplashtopStreamer.exeSRServer.exeSRAppPB.exeSRVirtualDisplay.exepid Process 1432 SplashtopStreamer.exe 5420 SRServer.exe 5420 SRServer.exe 2600 SRAppPB.exe 2600 SRAppPB.exe 5372 SRVirtualDisplay.exe 5372 SRVirtualDisplay.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msiexec.exeMsiExec.exeMsiExec.exeNET.exeAteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.execmd.exeAgentPackageSTRemote.exeSplashtopStreamer.exePreVerCheck.exeMsiExec.exedescription pid Process procid_target PID 2960 wrote to memory of 4836 2960 msiexec.exe 104 PID 2960 wrote to memory of 4836 2960 msiexec.exe 104 PID 2960 wrote to memory of 2776 2960 msiexec.exe 106 PID 2960 wrote to memory of 2776 2960 msiexec.exe 106 PID 2960 wrote to memory of 2776 2960 msiexec.exe 106 PID 2776 wrote to memory of 2040 2776 MsiExec.exe 107 PID 2776 wrote to memory of 2040 2776 MsiExec.exe 107 PID 2776 wrote to memory of 2040 2776 MsiExec.exe 107 PID 2776 wrote to memory of 2500 2776 MsiExec.exe 108 PID 2776 wrote to memory of 2500 2776 MsiExec.exe 108 PID 2776 wrote to memory of 2500 2776 MsiExec.exe 108 PID 2776 wrote to memory of 3916 2776 MsiExec.exe 110 PID 2776 wrote to memory of 3916 2776 MsiExec.exe 110 PID 2776 wrote to memory of 3916 2776 MsiExec.exe 110 PID 2960 wrote to memory of 3920 2960 msiexec.exe 111 PID 2960 wrote to memory of 3920 2960 msiexec.exe 111 PID 2960 wrote to memory of 3920 2960 msiexec.exe 111 PID 3920 wrote to memory of 4056 3920 MsiExec.exe 112 PID 3920 wrote to memory of 4056 3920 MsiExec.exe 112 PID 3920 wrote to memory of 4056 3920 MsiExec.exe 112 PID 4056 wrote to memory of 4508 4056 NET.exe 114 PID 4056 wrote to memory of 4508 4056 NET.exe 114 PID 4056 wrote to memory of 4508 4056 NET.exe 114 PID 3920 wrote to memory of 4640 3920 MsiExec.exe 115 PID 3920 wrote to memory of 4640 3920 MsiExec.exe 115 PID 3920 wrote to memory of 4640 3920 MsiExec.exe 115 PID 2960 wrote to memory of 3512 2960 msiexec.exe 117 PID 2960 wrote to memory of 3512 2960 msiexec.exe 117 PID 2776 wrote to memory of 368 2776 MsiExec.exe 120 PID 2776 wrote to memory of 368 2776 MsiExec.exe 120 PID 2776 wrote to memory of 368 2776 MsiExec.exe 120 PID 2808 wrote to memory of 1428 2808 AteraAgent.exe 121 PID 2808 wrote to memory of 1428 2808 AteraAgent.exe 121 PID 2808 wrote to memory of 4692 2808 AteraAgent.exe 124 PID 2808 wrote to memory of 4692 2808 AteraAgent.exe 124 PID 2808 wrote to memory of 928 2808 AteraAgent.exe 127 PID 2808 wrote to memory of 928 2808 AteraAgent.exe 127 PID 2808 wrote to memory of 368 2808 AteraAgent.exe 129 PID 2808 wrote to memory of 368 2808 AteraAgent.exe 129 PID 2616 wrote to memory of 4748 2616 AteraAgent.exe 132 PID 2616 wrote to memory of 4748 2616 AteraAgent.exe 132 PID 2808 wrote to memory of 4056 2808 AteraAgent.exe 135 PID 2808 wrote to memory of 4056 2808 AteraAgent.exe 135 PID 368 wrote to memory of 892 368 AgentPackageAgentInformation.exe 137 PID 368 wrote to memory of 892 368 AgentPackageAgentInformation.exe 137 PID 892 wrote to memory of 2860 892 cmd.exe 139 PID 892 wrote to memory of 2860 892 cmd.exe 139 PID 2808 wrote to memory of 1492 2808 AteraAgent.exe 143 PID 2808 wrote to memory of 1492 2808 AteraAgent.exe 143 PID 2616 wrote to memory of 452 2616 AteraAgent.exe 147 PID 2616 wrote to memory of 452 2616 AteraAgent.exe 147 PID 4056 wrote to memory of 1432 4056 AgentPackageSTRemote.exe 150 PID 4056 wrote to memory of 1432 4056 AgentPackageSTRemote.exe 150 PID 4056 wrote to memory of 1432 4056 AgentPackageSTRemote.exe 150 PID 1432 wrote to memory of 5296 1432 SplashtopStreamer.exe 153 PID 1432 wrote to memory of 5296 1432 SplashtopStreamer.exe 153 PID 1432 wrote to memory of 5296 1432 SplashtopStreamer.exe 153 PID 5296 wrote to memory of 5388 5296 PreVerCheck.exe 154 PID 5296 wrote to memory of 5388 5296 PreVerCheck.exe 154 PID 5296 wrote to memory of 5388 5296 PreVerCheck.exe 154 PID 2960 wrote to memory of 5480 2960 msiexec.exe 155 PID 2960 wrote to memory of 5480 2960 msiexec.exe 155 PID 2960 wrote to memory of 5480 2960 msiexec.exe 155 PID 5480 wrote to memory of 5704 5480 MsiExec.exe 157 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0d47740bf97710835ebe91ac545ff0da45d81b54dfb8e2dea485fe5a123ae468.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4300
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2960 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4836
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 78D8757FF5E07B23E76D1E591C7279292⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2776 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIB611.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240629484 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2040
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIB854.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240629875 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2500
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIBD18.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240631062 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3916
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIC858.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240633968 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:368
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 9889EC70503662264CB505374133BCF6 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:4508
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4640
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000LlkxmIAB" /AgentId="186f2a72-8a09-4052-8e57-fbaab24e322d"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3512
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B51759E0A6A6252AAD92127A12B70E19 E Global\MSI00002⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5480 -
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{354A65E7-B046-46B0-B9C4-B78EB132890B}3⤵
- Executes dropped EXE
PID:5704
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1726E06B-B3EF-4A2D-9EDB-2AFC6DEAC054}3⤵
- Executes dropped EXE
PID:5764
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EE204408-FC1A-4A04-8120-A95D42086C71}3⤵
- Executes dropped EXE
PID:5800
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4978F77E-CC5A-40C2-BB79-0CE20D8E487B}3⤵
- Executes dropped EXE
PID:5832
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C96CD7D5-0346-474C-97C8-E51F5A220681}3⤵
- Executes dropped EXE
PID:5864
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2828570A-FAB2-44C8-90D2-7A21DF63E805}3⤵
- Executes dropped EXE
PID:5940
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2EE2A4D8-EA72-4A47-9D5E-E9B053D33647}3⤵
- Executes dropped EXE
PID:5984
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E8AC30B2-8D58-41FD-8C56-07F29FE8C1EC}3⤵
- Executes dropped EXE
PID:6028
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{49CA02AA-CA41-4ADB-8C70-AE8AD3392B2E}3⤵
- Executes dropped EXE
PID:6060
-
-
C:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exeC:\Windows\TEMP\{A6325769-5224-4DC1-9739-414D6FABAEF7}\_isD3A.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{969DB39E-1777-46AE-AF2F-6F06D0094CA7}3⤵
- Executes dropped EXE
PID:6092
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:6132 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRServer.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5144
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:1768 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRApp.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2224
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5312
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5352 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5420
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:1812 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3768
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5464 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5584
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2860 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4532
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:936 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5700
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5760 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAudioChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4624 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRVirtualDisplay.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5844
-
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F316B4B6-3E15-4614-8E8B-A60CAE24F9A5}3⤵
- Executes dropped EXE
PID:5912
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8933859E-81BE-42E5-B8C4-A9CEF2151722}3⤵
- Executes dropped EXE
PID:6080
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2BF049B7-71C5-48A5-9D44-850E6C34EF1F}3⤵
- Executes dropped EXE
PID:5928
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{977C3CB2-E1FB-45BD-BDBC-3ED943D0613A}3⤵
- Executes dropped EXE
PID:6100
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E6C4072F-BBEC-42ED-A2BD-469A4315B771}3⤵
- Executes dropped EXE
PID:5148
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B814414-F6D7-4F9F-A0E7-7555A430BBA1}3⤵
- Executes dropped EXE
PID:2876
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9353FF8F-7E7D-415B-A741-5C22EE59BFFA}3⤵
- Executes dropped EXE
PID:4956
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4E6BF84C-70DB-485E-A7B9-E4893DE7FE68}3⤵
- Executes dropped EXE
PID:5336
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2BF18444-DEF3-463E-B681-A75C3B9A8F72}3⤵
- Executes dropped EXE
PID:5284
-
-
C:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exeC:\Windows\TEMP\{80D7EC4B-0833-4306-AA3C-7544EE1B8693}\_is1A99.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B06E12B-BD00-4F14-9FF2-11C8F7364ADF}3⤵
- Executes dropped EXE
PID:5672
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B6F4C48B-472A-4251-827B-07619FDCF5B9}3⤵
- Executes dropped EXE
PID:5812
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{11C2EF94-B632-43A2-99FF-84C908E410B4}3⤵
- Executes dropped EXE
PID:5852
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4BB4FF0C-B34A-472E-9A86-5D0C6D5571BB}3⤵
- Executes dropped EXE
PID:5968
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{87CE031D-1804-42DA-9F93-A5419D263D0D}3⤵
- Executes dropped EXE
PID:5896
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{473C792C-F427-4DFA-9C73-02503FB83756}3⤵
- Executes dropped EXE
PID:5872
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA3CE19E-983C-44E9-8763-DE9838DE6A36}3⤵
- Executes dropped EXE
PID:6028
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{668A1174-77AA-4080-A6CF-3B70BE1153A5}3⤵
- Executes dropped EXE
PID:6072
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90AE845C-34F1-4CB8-AA03-656BB5B2670E}3⤵
- Executes dropped EXE
PID:6120
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{976A868B-798D-4B5A-8454-202E35B463F4}3⤵
- Executes dropped EXE
PID:5156
-
-
C:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exeC:\Windows\TEMP\{BDD26838-77E0-4F2D-8C45-5520B8DB6DFC}\_is25C5.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE3F8C84-6042-45E1-B5ED-5FD0242B99D8}3⤵
- Executes dropped EXE
PID:5164
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1324
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2064
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2876 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:5616
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:368
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5820
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{42248884-6784-4C31-875D-6FD108EFC712}3⤵
- Executes dropped EXE
PID:5988
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7B2F10DF-9045-4410-9EE6-43AD512C8969}3⤵
- Executes dropped EXE
PID:5984
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CAD6BADD-4859-4DF7-98AB-1D10F9EE8325}3⤵
- Executes dropped EXE
PID:6080
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DA046E93-F0EC-4266-AAE4-6DA91C8A138C}3⤵
- Executes dropped EXE
PID:6128
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{492F80CA-A1F3-4971-A944-48EC9BD7B86D}3⤵
- Executes dropped EXE
PID:928
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{13B98F77-E1E9-416A-AA35-223015104DE5}3⤵
- Executes dropped EXE
PID:4604
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FB617729-6C0C-4C72-A745-D88325CAE34E}3⤵
- Executes dropped EXE
PID:4956
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5F3606CB-1C36-4AB4-BC90-24DBAAC071DA}3⤵
- Executes dropped EXE
PID:5336
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{53C5C862-7D11-4409-9DCB-2CC912E1EB2F}3⤵
- Executes dropped EXE
PID:5284
-
-
C:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exeC:\Windows\TEMP\{59D6800A-4033-4C75-8FC9-DDF38A1ACF89}\_is3799.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{55077713-4B57-4AA3-8206-33CED9325599}3⤵
- Executes dropped EXE
PID:5424
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5204
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{377FF165-E0B3-4EEF-8361-AEC193A1107C}3⤵
- Executes dropped EXE
PID:5528
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5ECF30E3-A854-402E-871C-42F924CA71A3}3⤵
- Executes dropped EXE
PID:5540
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ABECEC6C-7DAE-470B-AFAA-7E611358C07F}3⤵
- Executes dropped EXE
PID:3972
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F9F33B42-3A94-4B55-A0A1-88AE234FDBB2}3⤵
- Executes dropped EXE
PID:892
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{24FA7749-DC33-4ED2-95C4-7DC014F0C5D0}3⤵
- Executes dropped EXE
PID:4496
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FB699C19-BDC6-43EE-9735-6CD447DB2F74}3⤵
- Executes dropped EXE
PID:4912
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3DFFF0B9-C933-4C83-A87F-EBD66AA16840}3⤵
- Executes dropped EXE
PID:5660
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1EBAAEB8-000E-4254-AF10-D1DFA4CBF1B5}3⤵
- Executes dropped EXE
PID:5680
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ED8106D4-42B2-4806-BA61-8B94F442999D}3⤵PID:2144
-
-
C:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exeC:\Windows\TEMP\{9C7309A6-9E53-4B83-93A6-C0F3D6880C62}\_is3BD1.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C58F1A5-B837-43B7-BF03-9061C960C933}3⤵PID:1816
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r3⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:5800
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 375725B2B0EFC946707ABC53BFCC44A5 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:2188 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI81C0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240681578 464 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5236
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI8423.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240682015 468 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5312
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI88F6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240683234 473 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2344
-
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:5892 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:4484
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1852
-
-
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:2096 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:5068
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1516
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIACB4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240692375 511 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:660
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u2⤵
- Drops file in System32 directory
PID:6012
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="" /AgentId="38e5c68b-4ab6-4d58-8bc2-59f7ac2de9ef"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5836
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2644
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2808 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:1428
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "b484335e-8fbe-4783-85b5-995c7932ef16" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LlkxmIAB2⤵
- Executes dropped EXE
PID:4692
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "bcb54673-164a-480a-962a-2fe99c72eeba" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000LlkxmIAB2⤵
- Executes dropped EXE
PID:928
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "12f8a547-ca2d-4975-8892-36400f08ec94" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000LlkxmIAB2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:368 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:892 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:2860
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "23df11b0-2ff3-4cf7-8cd9-0512be10478f" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4056 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1432 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5296 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵
- System Location Discovery: System Language Discovery
PID:5388
-
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "4ded033b-60f1-4248-b1ca-352eadca220b" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:1492
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2616 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:4748
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "f9a8ecd8-e610-439a-aa8b-a8cfd86844bf" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000LlkxmIAB2⤵
- Executes dropped EXE
PID:452
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "6bb80668-d4c1-4c62-b148-46596e196159" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LlkxmIAB2⤵PID:6128
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:5336
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:5396
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "7baf1702-2c07-458b-b78a-b6687aa5d845" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
PID:2064 -
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart3⤵
- Modifies data under HKEY_USERS
PID:5832
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "a8b7424e-fe5a-4371-a939-e5640db083e7" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
PID:1116
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "6ec260c2-4d75-4312-8bf5-e8a8732378c2" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:772
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "6efcf5d1-f45a-472d-a9e0-9b9a35940bee" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
PID:5132
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "74b3d6b0-6527-4c30-b36c-f5a184d26f5a" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjM1IiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU4OTc4Y2ViLTVkZTMtNDllMi1iNTcxLTk3MjgyNWIwOGYwYS9mMWJkOWIxYmI1YjI1YjhjOWNlZTQwZWQ5YTNkODAyMy9kb3RuZXQtcnVudGltZS02LjAuMzUtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yNjkyMDY2NC1kNzU0LTRmNzYtOWM5OS1lNjkxMTYzNDhlODIvYTQwMzE1MzcxY2M2MDdjOWYxODQ3OGM5M2YyYTY3NmEvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2EyMjNjNDViLTQ3NzctNDA1Ni1hZWEyLTY1M2M1NzZkODExNS9iZjhhZjYzYzZlNjI1YmU0YWZhODVlYzA5M2U4MWU2NS9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9jNGY2NTYyMS1iMzZiLTQ2YTktODM4MC1kNWI2NjBiZWYyN2UvMDE4NWZkNzIwNTVkY2RjYTg2MTY2Yjk5YWRkNzE2ODYvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E5MGZiNWRjLWY0ODgtNDAwZS04NWNhLTg0M2ExMzY0MGY1Ni80ODNkMjQ2MzhjYzJiZWRhZGRhYjQzNzM0YWEyZTQ0Ny9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlVlSmJHR0dWb2NwZmdpckU2eDVNN29MQzhBS2NOSjk4SDNFcmJ0L0taS0dPdWxpQ1Flc1x1MDAyQmx6Wno5XHUwMDJCcnQwdXJMZ2FEeng0cmtXZm0veWg5UWI1RFRKUT09IiwiTWFjWDY0Q2hlY2tzdW0iOiJaZFZQVmRFSG40ZXFkdlNPUksxRUpXcjdnOUt5b0RZSXp6czQzOUxKeHYvZkFRdG5iTjk3OE8yTm1pNGtRSFNkdlJJazEvNFx1MDAyQjlycTZPMEx2Q2FnL1d3PT0iLCJXaW5BUk1DaGVja3N1bSI6IldlTGhodXU3Vi96NEs2WGVubDBINDVWWDExb0ZhdHdvV1BNa2pEQ2dobmhrTm5US2tqZjc0eUFcdTAwMkJcdTAwMkJ0Ri9VU1ZDZXE2T2dRbHI2V1Y1dU1rRWwxUVdqUT09IiwiV2luWDY0Q2hlY2tzdW0iOiJEREtSSlRFanp6XHUwMDJCSWUxMldTM2Y0aHVKQlNpeXR4TkRwQlI2SXpFeHpkM2ZBb0toNVV5MkEwbTlKOFU0ZVh5VmJxeEhjZzB3M25hWW1FZFNFeEwzMEZnPT0iLCJXaW5YODZDaGVja3N1bSI6IjdtSUF5bG9IeWxIVFVJakhud3NXeVVOXHUwMDJCVWU0alk3eXBrZVx1MDAyQnEyM2xNbEdzR0hpVUc1b21scW1LOVEvYVViODhLXHUwMDJCTnBGMWNaUVpXQjVJb3ZtTzVucWN3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
PID:2804 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:440 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:6072
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "d80472b2-33bc-45a4-83d8-6c8f90d2dcd7" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
PID:628
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "8cb52515-8438-44f3-abcc-886518be4d76" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LlkxmIAB2⤵PID:4396
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=ce3cf3d3026f17e15c00ac4119d55cf5&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:5976
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "fde15ae1-535b-430d-b74f-671581d10303" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000LlkxmIAB2⤵
- Modifies registry class
PID:2452
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "f3cc798a-2b92-4fec-b111-d28beee63ebd" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000LlkxmIAB2⤵
- Drops file in Program Files directory
PID:5340
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "aa5e382b-df1c-4ef7-9997-ae803f8b4f5c" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
PID:4340
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "d4812b7b-e81c-4102-9244-efcf4aa60ae1" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000LlkxmIAB2⤵
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:2792
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "61be40fa-c630-40b9-8b1d-563e04e5dc2d" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000LlkxmIAB2⤵
- Drops file in System32 directory
PID:1780
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "b5263d39-8f10-4d37-8f3b-993d8191f93e" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000LlkxmIAB2⤵PID:5176
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5888 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:6040 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5420
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5232 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v4⤵PID:5512
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2600
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵
- System Location Discovery: System Language Discovery
PID:1800 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵
- System Location Discovery: System Language Discovery
PID:4484
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"3⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5372 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat" nosetkey4⤵PID:2808
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver5⤵PID:1324
-
-
C:\Windows\system32\sc.exesc query ddmgr5⤵
- Launches sc.exe
PID:736
-
-
C:\Windows\system32\sc.exesc query lci_proxykmd5⤵
- Launches sc.exe
PID:5876
-
-
C:\Windows\system32\rundll32.exerundll32 x64\my_setup.dll do_install_lci_proxywddm5⤵
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5528
-
-
-
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵PID:5236
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5892 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf" "9" "4804066df" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1780
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10\lci_proxywddm.inf" "9" "4a8a251e7" "000000000000017C" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2316
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c276d4b8d1e66062:lci_proxywddm.Install:1.0.2018.1204:root\lci_proxywddm," "4a8a251e7" "000000000000017C"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4412
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "0" "LCI\IDDCX\1&79f5d87&0&WHO_CARE" "" "" "48ef22a9f" "0000000000000000"2⤵
- Drops file in Drivers directory
- Checks SCSI registry key(s)
PID:3268
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:1396 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:4956 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4396
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "f2ec594f-16a5-4f4f-94ba-a52ac38d7421" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000LlkxmIAB2⤵
- Drops file in Program Files directory
PID:5516 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:6012
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:5172
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "e842b76d-25c9-4e75-b4b2-54917d82cffc" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000LlkxmIAB2⤵PID:4732
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "237de637-4278-4b74-9147-b771b80e9df8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000LlkxmIAB2⤵PID:2136
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "149ccfe9-b717-4ffb-a3ff-609247a780a5" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000LlkxmIAB2⤵PID:4164
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "41c26a59-ce25-4e62-83d9-dd9f74fb151c" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000LlkxmIAB2⤵PID:3808
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "044ef4b0-698b-4cb8-8105-87ef2e79106c" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000LlkxmIAB2⤵PID:4120
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "5fa6a0fc-e59e-4b8b-bf58-2d4c2be32293" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000LlkxmIAB2⤵PID:6432
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=ce3cf3d3026f17e15c00ac4119d55cf5&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:7092
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "6d50093a-85ee-41db-8049-a1177e7b24d3" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000LlkxmIAB2⤵PID:6576
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "3a224477-04ac-42fc-ab3e-503982c1866c" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000LlkxmIAB2⤵PID:6612
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "59b845d0-c957-4a8c-8754-903f821ea77d" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjM1IiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU4OTc4Y2ViLTVkZTMtNDllMi1iNTcxLTk3MjgyNWIwOGYwYS9mMWJkOWIxYmI1YjI1YjhjOWNlZTQwZWQ5YTNkODAyMy9kb3RuZXQtcnVudGltZS02LjAuMzUtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yNjkyMDY2NC1kNzU0LTRmNzYtOWM5OS1lNjkxMTYzNDhlODIvYTQwMzE1MzcxY2M2MDdjOWYxODQ3OGM5M2YyYTY3NmEvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2EyMjNjNDViLTQ3NzctNDA1Ni1hZWEyLTY1M2M1NzZkODExNS9iZjhhZjYzYzZlNjI1YmU0YWZhODVlYzA5M2U4MWU2NS9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9jNGY2NTYyMS1iMzZiLTQ2YTktODM4MC1kNWI2NjBiZWYyN2UvMDE4NWZkNzIwNTVkY2RjYTg2MTY2Yjk5YWRkNzE2ODYvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E5MGZiNWRjLWY0ODgtNDAwZS04NWNhLTg0M2ExMzY0MGY1Ni80ODNkMjQ2MzhjYzJiZWRhZGRhYjQzNzM0YWEyZTQ0Ny9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlVlSmJHR0dWb2NwZmdpckU2eDVNN29MQzhBS2NOSjk4SDNFcmJ0L0taS0dPdWxpQ1Flc1x1MDAyQmx6Wno5XHUwMDJCcnQwdXJMZ2FEeng0cmtXZm0veWg5UWI1RFRKUT09IiwiTWFjWDY0Q2hlY2tzdW0iOiJaZFZQVmRFSG40ZXFkdlNPUksxRUpXcjdnOUt5b0RZSXp6czQzOUxKeHYvZkFRdG5iTjk3OE8yTm1pNGtRSFNkdlJJazEvNFx1MDAyQjlycTZPMEx2Q2FnL1d3PT0iLCJXaW5BUk1DaGVja3N1bSI6IldlTGhodXU3Vi96NEs2WGVubDBINDVWWDExb0ZhdHdvV1BNa2pEQ2dobmhrTm5US2tqZjc0eUFcdTAwMkJcdTAwMkJ0Ri9VU1ZDZXE2T2dRbHI2V1Y1dU1rRWwxUVdqUT09IiwiV2luWDY0Q2hlY2tzdW0iOiJEREtSSlRFanp6XHUwMDJCSWUxMldTM2Y0aHVKQlNpeXR4TkRwQlI2SXpFeHpkM2ZBb0toNVV5MkEwbTlKOFU0ZVh5VmJxeEhjZzB3M25hWW1FZFNFeEwzMEZnPT0iLCJXaW5YODZDaGVja3N1bSI6IjdtSUF5bG9IeWxIVFVJakhud3NXeVVOXHUwMDJCVWU0alk3eXBrZVx1MDAyQnEyM2xNbEdzR0hpVUc1b21scW1LOVEvYVViODhLXHUwMDJCTnBGMWNaUVpXQjVJb3ZtTzVucWN3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000LlkxmIAB2⤵PID:6636
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:1560 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:6328
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "a8a7b385-13ed-4163-b1b3-9d2ebf5779b6" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000LlkxmIAB2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:6768
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "f0ff4813-4c92-400c-b359-a53253c86f26" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000LlkxmIAB2⤵PID:6812
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "357225c5-9305-4483-a956-6a1396bd1c90" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000LlkxmIAB2⤵PID:6552
-
C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "186f2a72-8a09-4052-8e57-fbaab24e322d" "357225c5-9305-4483-a956-6a1396bd1c90" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates" "001Q300000LlkxmIAB"3⤵PID:6992
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 186f2a72-8a09-4052-8e57-fbaab24e322d "e842b76d-25c9-4e75-b4b2-54917d82cffc" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000LlkxmIAB2⤵PID:6160
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Defense Evasion
Modify Registry
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD58c6a7cd737bddb3d916774585b2cedce
SHA1cf4480544869a222e521a778c62fd612409b23c6
SHA256027440331b4655b97b72a2227c8a68def8968a1eea4d6350845a19556c94d2aa
SHA512d30c0f4047d5b8ea2371c94f21104441464dc75231665604eb0fb03d6f5f14037128aa472a514fa321c65f2bfc53ba17047c63c15d033d0a086dd77ed2a2a46b
-
Filesize
74KB
MD5af0e9290783f36ab304c3b1024f73107
SHA1ae7479ec259d837500f5e8ea49c99dbdf176ac0f
SHA256d56e0414b6195716ca51193c70d8c753e8663b60f84ad33c85eccb49b8d59579
SHA51201b6d8c9699a93e55f92c1efa7381efd6d0e2e8f94df81cc3f7d7a818442c7ffa38766a1f4cc7a1b6201f427ddd715a0cc10bbc2735963f90cd221b90bb64970
-
Filesize
464B
MD522e427f3d89d1766772d1a159b3a039f
SHA186807f25c0b4b4147eb2eef0b0128a4795161759
SHA256f8fa89b183f520350e5e0993c97ada08a82a46237258279f83e4d3c7cabaa6a5
SHA51207d1f378632998a970f0de2239cdeebe7a65b9455c25dd0a64a761c4fc93b002094e499adbab05bef4388ee60518d33da229df1e457adfe986e13687707424df
-
Filesize
9KB
MD55ddb2758f19996a19766f00e5a56a0cd
SHA1c60f053d3b37a2bcd11b9a7af0c4b6a40aadcd1b
SHA256257927c9f1ec018c6b541ba50287c40e495ed1ef360c7dd06c1942d54e1df158
SHA512c1ae9e1ce0cf74cdfaa91f8b3c9e8cdc11f75b618cd4062890e4a2e0929125bc52d2aa44ea825ccab36642f1cca33bccbbdad0e8d841453d5a4429bccf11e67e
-
Filesize
8KB
MD5cbf42328feda6d6485fb35f198474483
SHA1650a60e23b5e7caa5ad5a8e15c0bf0d4cadf0ca9
SHA256cefccdaa52fdaabf8f02dbc8aa823958b2997722ae7ae353cc3c214247bf994d
SHA512dd6f869bdaf6bfa787169765cef1ac7a087da3ae6e9f080cf4bd4d1ffb842130c343f85ad5f3444cfb857643e095074d7d4687df0984ea9e444b5e050e47ee49
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
210KB
MD5c106df1b5b43af3b937ace19d92b42f3
SHA17670fc4b6369e3fb705200050618acaa5213637f
SHA2562b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Filesize157KB
MD557130702f8ea46ed0437ea893c95f7e4
SHA10e26c3ef0ec0be063aacd7321ee550e321bad17f
SHA2569338c8080cb7be1ee73f1cd706e5e230a0c3b8690305cd9de451fad20b2d0b7b
SHA51210951c367ac35dba9d644fb1cc07043fc238f4cad5ab2280cc1102e860676e1bc4b3a88054f252e26aa9b9e2b52c8941c2d47e1e79d153b4ee3780151c73a02c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Filesize51KB
MD53180c705182447f4bcc7ce8e2820b25d
SHA1ad6486557819a33d3f29b18d92b43b11707aae6e
SHA2565b536eda4bff1fdb5b1db4987e66da88c6c0e1d919777623344cd064d5c9ba22
SHA512228149e1915d8375aa93a0aff8c5a1d3417df41b46f5a6d9a7052715dbb93e1e0a034a63f0faad98d4067bcfe86edb5eb1ddf750c341607d33931526c784eb35
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD5dc63026e80d2bb04f71e41916f807e33
SHA16cda386d2c365f94ea3de41e2390fd916622eb51
SHA2563b54d00f00aa80384de88e4f4005e9d4d889a2ccf64b56e0c29d274352495c85
SHA51261da550efd55187978872f5d8e88164a6181a11c8a720684eaa737e0846fe20b9e82b73e1f689a6585834b84c4cee8dd949af43e76fd0158f6cafa704ab25183
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize173KB
MD531def444e6135301ea3c38a985341837
SHA1f135be75c721af2d5291cb463cbc22a32467084a
SHA25636704967877e4117405bde5ec30beaf31e7492166714f3ffb2ceb262bf2fb571
SHA512bd654388202cb5090c860a7229950b1184620746f4c584ab864eade831168bc7fae0b5e59b90165b1a9e4ba2bd154f235749718ae2df35d3dd10403092185ed1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize27KB
MD5797c9554ec56fd72ebb3f6f6bef67fb5
SHA140af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb
SHA2567138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49
SHA5124f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize214KB
MD501807774f043028ec29982a62fa75941
SHA1afc25cf6a7a90f908c0a77f2519744f75b3140d4
SHA2569d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e
SHA51233bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize37KB
MD5efb4712c8713cb05eb7fe7d87a83a55a
SHA1c94d106bba77aecf88540807da89349b50ea5ae7
SHA25630271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75
SHA5123594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8
-
Filesize
3.4MB
MD5e010d1f614b1a830482d3df4ba056f24
SHA15873e22b8c51a808c06a3bbf425fcf02b2a80328
SHA25698a98dd1df25d31a01d47eaf4fa65d5f88bc0ad166f8f31d68f2994b4f739a9b
SHA512727877929530e08062611868fd751d1b64e4c7d28c26b70f14c7cd942b1ae1579cba2a2ef038bad07032ef728ae277963ffb3e1ab7a5c28351326fabad84daa6
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize389KB
MD55e3252e0248b484e76fcdbf8b42a645d
SHA111ae92fd16ac87f6ab755911e85e263253c16516
SHA25601f464fbb9b0bfd0e16d4ad6c5de80f7aad0f126e084d7f41fef36be6ec2fc8e
SHA512540d6b3ca9c01e3e09673601514af701a41e7d024070de1257249c3c077ac53852bd04ab4ac928a38c9c84f423a6a3a89ab0676501a9edc28f95de83818fb699
-
Filesize
48KB
MD5372dc22d93bb6b3417bfa151b6fabaee
SHA11616486ae59f8e50d37f16acc34d2dbcd93c7d49
SHA256e0c2c6e421b3cda35c6b837d8cb199a456b20d2037a895a8c01bc61841875be5
SHA5127e96dd7f1316ed1cd9a45614cd65a2f7cbf33cff3d6149b313aec990d20e019afeab11fd511d311011ff2b592aa2e27a64ccc34316c6354ea63cd657ee3d5ebc
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Filesize195KB
MD584cb0cf784734c3ee8c151bc54f77b6e
SHA16f300359be48f38ca18ea54d744566635fd13e6f
SHA256adacab8ac34991a5b4908aafb21a9d0eef3a24b4a44ac6b48a1ac745623eb2a9
SHA5120c628ebab1720a02b2d2dee52c805f17b986f3c46a8c91bac6c67d7a7faf155dcb1c0a46e208d5b1b7d913f26e81b037e2b9e83d25e65c86cbca249b26866e34
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
Filesize55KB
MD5715ca834b9645c0e8a37ac29f89e4c56
SHA129f696945cde25500b4f0c9767afae75231eb137
SHA256b9a24b5a8d6e2cdb3b5fd5e22b415b42246e7aba4e82eb193345e98128f9817a
SHA5126bc37b78fad4362967cc04fad91ddbdc861185fbf1eafdd580d44140be6c045cbf07805f788516c331c1eb1afc54c24b8dab59f60366284353c5f819e2f8f7bf
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config
Filesize9KB
MD59d1528a2ce17522f6de064ae2c2b608e
SHA12f1ce8b589e57ab300bb93dde176689689f75114
SHA25611c9ad150a0d6c391c96e2b7f8ad20e774bdd4e622fcdfbf4f36b6593a736311
SHA512a19b54ed24a2605691997d5293901b52b42f6af7d6f6fda20b9434c9243cc47870ec3ae2b72bdea0e615f4e98c09532cb3b87f20c4257163e782c7ab76245e94
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.5340.update
Filesize9KB
MD514ffcf07375b3952bd3f2fe52bb63c14
SHA1ab2eadde4c614eb8f1f2cae09d989c5746796166
SHA2566ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed
SHA51214a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log
Filesize13KB
MD55f9dbd3009c3b29d2842e865de8e9cec
SHA17f6083b310851292f14c92bb08d9b09782d129ec
SHA256069fa3bff6a7973a1895879525642155e19a227dd3794fa27c16f2a494141f7b
SHA512105625370a431a9b9e5f7ca996f1bce96eec6705ab61d9b567874b3995609c73ae46dc7a6164a2e1a89d065c6df9964e86a0946f982955352c5ab115b0a9950b
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe.ignore
Filesize2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize54KB
MD577c613ffadf1f4b2f50d31eeec83af30
SHA176a6bfd488e73630632cc7bd0c9f51d5d0b71b4c
SHA2562a0ead6e9f424cbc26ef8a27c1eed1a3d0e2df6419e7f5f10aa787377a28d7cf
SHA51229c8ae60d195d525650574933bad59b98cf8438d47f33edf80bbdf0c79b32d78f0c0febe69c9c98c156f52219ecd58d7e5e669ae39d912abe53638092ed8b6c3
-
Filesize
334KB
MD5b3e14504a48bed32c53ec7aab2cb2c8f
SHA10bc0d486a5ed1c4cdf2390229883ed3473926882
SHA256adea6001759b5604f60bbaec8ce536a1e189adebc7394f9cff3921cae40c8c9b
SHA512e5a5c09355eb9cb45dc872b59edbd54f62f15445ca6caaa3187e31e7928ef4453ae8405d9eee5d2aec4fa34965d3006dcf61c060b8691519a2312382612c683f
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize72KB
MD5749c51599fbf82422791e0df1c1e841c
SHA1bba9a471e9300bcd4ebe3359d3f73b53067b781d
SHA256c176f54367f9de7272b24fd4173271fd00e26c2dbdbf944b42d7673a295a65e6
SHA512f0a5059b326446a7bd8f4c5b1ba5858d1affdc48603f6ce36355daeaab4ed3d1e853359a2440c69c5dee3d47e84f7bf38d7adf8707c277cd056f6ebca5942cc5
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize50KB
MD5c0f02eaa3eb28659d8f1bcba8de48479
SHA15be3c69e3f46daff4967484a09eb8c4a1f4a7f0f
SHA2566befb51a6639cae7e25570f5259f7b1f2d9b9b6539177d64d2ed8be50dde6268
SHA51247b536fa628608a58f6f382bbc99911eeff706becfaf4b1c5ff904ca768917f40c2e916ba5a31992df0335ba5a57755f047f70aafaac414fc655da0cd6f95e34
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Filesize32KB
MD5097726da90e126fcc3202f1e386cf2f4
SHA1e1f8e7b0d399ec568ac2a47e41bb004d1dd2f2e0
SHA2568f95244aee9389ad0eee52a25f6a9ed67561f504d7eaca085bea5be94e12b724
SHA512547b6f21e6b8767af1f4437cc806f5388538c55f9f9269dd7880ee63d1c98785a23ee8361ae46133937d715e5f3499b073a5c0fe7aa6594aa4289c4792abcff5
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize54KB
MD5d11b2139d29e79d795054c3866898b7f
SHA1020581c77ed4bc01c3f3912f304a46c12ca443e6
SHA25611cdb5ec172389f93f80d8eff0b9e5d4a98cfeab6f2c0e0bc301a6895a747566
SHA512de5def2efcba83a4b9301dd342391c306cf68d0bb64104839dfc329b343544fd40597a2b9867fd2a8739c63081d74157acfc9b59c0cb4878b2f5155f582a6f09
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
238B
MD5048a7f5d9c34b289cd2d3aea471a6893
SHA169324f305c0e4cfe1f6e30007bb104a902fec2fa
SHA2567c363a16914701a5c78d288b76112687e267ac6ae9fa6a9edf5a0c61d0722913
SHA51265f84451aec98dd04b67f0b03625086654cbbef89130ddd699a9d9aec5c2275d76e993352b1e01d265556e6293ab8dfd72f7e95e3bdae2cf01b8aaa77aec6f64
-
Filesize
9KB
MD51ef7574bc4d8b6034935d99ad884f15b
SHA1110709ab33f893737f4b0567f9495ac60c37667c
SHA2560814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize
10KB
MD5f512536173e386121b3ebd22aac41a4e
SHA174ae133215345beaebb7a95f969f34a40dda922a
SHA256a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA5121efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
433B
MD5cf5f69533151675ab4f248fbc8cdedeb
SHA1eb736e17118ac79e341b49eb29ea04433e65e66f
SHA256e774620005d8e57306dcad1f2b427044f0be3da21897de56258fed1f8c565486
SHA512e9954bab77bc76a3b85bcd988f05356c8dfa1f109c5fd58e5f2d214ed266ddbc520159a416fbfb0a4e24133b143e873ee3d9e88d62db4c486403215d76394f84
-
Filesize
7KB
MD5362ce475f5d1e84641bad999c16727a0
SHA16b613c73acb58d259c6379bd820cca6f785cc812
SHA2561f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA5127630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
-
Filesize
1.9MB
MD5e0b94ce5d948f332b6bcb4661b73611b
SHA1a9272bd639ff5f25f44b3a31c5cb919f0d40c4d3
SHA256a27b758c00eab6777ac9571ef4fcdb80abaccbc4eb6fa5ff8e5ec33c08ffbc37
SHA51217b5df8ea6ccbb64839e5d223ed388a3bb54c0a7974e05e285361e36489d63f9e4a5f0da21cdf86c58dbe80903e8cb288817291dce4c7e98e8e8ce8a0b912b46
-
Filesize
1.1MB
MD59a9b1fd85b5f1dcd568a521399a0d057
SHA134ed149b290a3a94260d889ba50cb286f1795fa6
SHA25688d5a5a4a1b56963d509989b9be1a914afe3e9ee25c2d786328df85da4a7820d
SHA5127c1259dddff406fdaadb236bf4c7dfb734c9da34fd7bad9994839772e298ebf3f19f02eb0655e773ba82702aa9175337ba4416c561dc2cb604d08e271cc74776
-
Filesize
375KB
MD53c93b399b417b0d6a232d386e65a8b46
SHA1bb26deae135f405229d6f76eb6faaeb9a3c45624
SHA25629bc4577588116cbfea928b2587db3d0d26254163095e7fbbcde6e86fd0022d7
SHA512a963f5cf2221436938f031b65079bea7c4bafbd48833a9e11cd9bdd1548d68ed968d9279299aa2adfc23311a6744d516cc50e6537aa45321e5653755ed56f149
-
Filesize
321KB
MD5d3901e62166e9c42864fe3062cb4d8d5
SHA1c9c19eec0fa04514f2f8b20f075d8f31b78bae70
SHA256dbc0e52e6de93a0567a61c7b1e86daa51fbef725a4a31eef4c9bbff86f43671c
SHA512ae33e57759e573773b9bb79944b09251f0dc4e07cdb8f373ec06963abfc1e6a6326df7f3b5fecf90bd2b060e3cb5a48b913b745cc853ac32d2558a8651c76111
-
Filesize
814KB
MD59b1f97a41bfb95f148868b49460d9d04
SHA1768031d5e877e347a249dfdeab7c725df941324b
SHA25609491858d849212847e4718d6cc8f2b1bc3caa671ceb165cf522290b960262e4
SHA5129c8929a78cb459f519ace48db494d710efd588a19a7dbea84f46d02563cc9615db8aa78a020f08eca6fa2b99473d15c8192a513b4df8073aef595040d8962ae4
-
Filesize
1.2MB
MD5e74d2a16da1ddb7f9c54f72b8a25897c
SHA132379af2dc1c1cb998dc81270b7d6be054f7c1a0
SHA256a0c2f9479b5e3da9d7a213ebc59f1dd983881f4fc47a646ffc0a191e07966f46
SHA51252b8de90dc9ca41388edc9ae637d5b4ce5c872538c87cc3e7d45edcf8eff78b0f5743ab4927490abda1cff38f2a19983b7ccc0fe3f854b0eacca9c9ce28eda75
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini
Filesize11B
MD55eda46a55c61b07029e7202f8cf1781c
SHA1862ee76fc1e20a9cc7bc1920309aa67de42f22d0
SHA25612bf7eb46cb4cb90fae054c798b8fd527f42a5efc8d7833bb4f68414e2383442
SHA5124cf17d20064be9475e45d5f46b4a3400cdb8180e5e375ecac8145d18b34c8fca24432a06aeec937f5bedc7c176f4ee29f4978530be20edbd7fed38966fe989d6
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini
Filesize12B
MD55796d1f96bb31a9d07f4db8ae9f0ddb3
SHA193012724e6cc0a298838aede678806e6c0c6517d
SHA256a90d255cce3b419641fa0b9ba74d4da464e0ce70638a9c2eba03d6b34fca1dc4
SHA512890112ddcb3b92b739c0dd06721efa81926ce3aab04c55cdadb8c4e6b7a28c9796f08f508249db189547dc4755804aa80cc8b104dd65c813a0450aad2cdda21c
-
Filesize
48KB
MD5b4a865268d5aca5f93bab91d7d83c800
SHA195ac9334096f5a38ca1c92df31b1e73ae4586930
SHA2565cbf60b0873660b151cf8cd62e326fe8006d1d0cbde2fad697e7f8ad3f284203
SHA512c46ee29861f7e2a1e350cf32602b4369991510804b4b87985465090dd7af64cf6d8dbfa2300f73b2f90f6af95fc0cb5fd1e444b5ddb41dbc89746f04dca6137b
-
Filesize
48KB
MD5fc0856b73e06b2ec4f5bb08f8fffb439
SHA191015f0e119b5d0e5c5848c5ca6e63665d1d7fcb
SHA256332d317e1f453a08808d6d648a5b972d9c7c293ebbc0cca8a829fd493c322185
SHA51203f3159c8a82247d04d51b6a7bb63f0f6fb8751827288e81e016f6d65de1286dc3d2f15fcb5d0fbbe20aa1f1af9cab4ae036ceff2a772ef52005687a6de588dd
-
Filesize
48KB
MD51026e502d97195697996c5dd4f50806a
SHA178ccd869a61f4be3507b691c77a742a11bc03cd7
SHA2569bb63463b1a14718a95164e07def6a6d3e1fa2823dc0d14fbc4732e7522b69c3
SHA51275fe0c24de553e7c629412947b68e6c10a2ef2a8880da8d11b427e1f3c2dcc613b8adb7f03dd85392e4d8cef953cac68d5f51b11b3440e1cb8910d0bbfdca13a
-
Filesize
2.8MB
MD505974ad24d0fc5005fd90ca96941beaa
SHA17ccf99236729a614ca0d15b7e5a18ece0dd14242
SHA25630215a902c746227df0d5fed400eaf74a5c1e827d50eec7c21cd37ea1b299aa5
SHA512c9426d56833d61a1763f93ce5388a4c2b5af3c0ae9a71b200a0a3bab1937381220d9a981077c2bd286a53faebde764ffe1608729e4d3895a69b2318403b89ca9
-
Filesize
2.9MB
MD557d8984a7bae70c6ff3f85f71655241a
SHA1d747283e7621632a0e70c2926c315e6e5141a6be
SHA256a124b14f13dcea8e25a9b7d9350e0b5527006e921f0c32ff922826f6564b170b
SHA51267c468168f5a9782184e2a7cd0ebbc54b9fc4fdf2f72cce51c3d03d5b46d4d8c2c8b54e9f74c3ef4a3f2cd53ee9f51dbb9cff100ed4d9a19334888ab6c411788
-
Filesize
1.1MB
MD56c6f85e896655a6eb726482f04c49086
SHA12e0c55cd4894117428b34d21a1d53738fce4b02c
SHA256e109400a93fede90201bbf37c1868c789888bce9d03a4ae5b46c48599939c34e
SHA512b58303c149deffc9e374d5ba42a8a73b7ce890d35f9589fe0b09acec541a21d589d49fa5086b965277fa22dfe308357505124f13a6ff1e0de415ebc40ce61e15
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config
Filesize541B
MD5d0efb0a6d260dbe5d8c91d94b77d7acd
SHA1e33a8c642d2a4b3af77e0c79671eab5200a45613
SHA2567d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102
SHA512a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c
-
Filesize
12B
MD53d66ae5ed06891e8ce75a39a24070844
SHA1368064119835d4376727a14706c41384446183e8
SHA25673dba8242fdb4de1393b367a239f730aca6713e6658be69f1d8992ad26479176
SHA512c0b61f92bb61a7bf90225d1ba5a1bea0fc077c2481a2149663b546296421855ab3147c3a1f5372ebc920731624bc8578595c18ca9d138691c720fdcb86d03f8a
-
Filesize
646KB
MD57895698867d1ad33934a8553b4806dc5
SHA132704df55deaff9bf0b4ee0b887541856578938b
SHA256ef5854b5e800a534a08c083d4a3956dfc0a474ff540cae9bf0a9077a213b2ff9
SHA51220337093ddc5322c4b96c7bf26f1a0b966fafde70a96f7e9b5e9d36acac7d862bd2a50cae9a63731b23904a9256c94cd3bb4e19768130580511ec4c408536a58
-
Filesize
569KB
MD59614d1da18956de06747c03068208d66
SHA1fea2680ddb9e4ceea8489a132df9a1542febfe88
SHA256dde9e0ca3fd274902f1a4c22cfec6870c6c4dbbccad17d2189477ab60f769dab
SHA512d8e46a5819e9dced61471966646de153bf3480933054c50190d50de4900685265367b12c9147630f184ce8809786fc010bf6fcd1884035fb4c77cfde660a8b9d
-
Filesize
16KB
MD5b2e89027a140a89b6e3eb4e504e93d96
SHA1f3b1b34874b73ae3032decb97ef96a53a654228f
SHA2565f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982
SHA51293fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19
-
Filesize
809B
MD58b6737800745d3b99886d013b3392ac3
SHA1bb94da3f294922d9e8d31879f2d145586a182e19
SHA25686f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594
SHA512654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df
-
Filesize
12KB
MD52a7ebccfa524d925fb302458253165f5
SHA1115cc2bbe5ed416f380db3113d42fc8f65b0d2fb
SHA256773f7b659b4e39bb28f209bad9f682982ee6c7181252aa8150b981bd84211af7
SHA512918ad6941460d9e9f6c061127946420906f1b6a55c0aafc42336a7dff0a5d525ffe9fc132cabe2d0507ab3c8725ebfe6b8eeda8cde773172e0953d8e4a74efe4
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD59368f227f2d233beceecdc39f7dcf10c
SHA1c411ac59670511a71d58e4146a390c9e517fc522
SHA25689fec915186f771ea75e806b37951b415a87d9091bae6c503f045092254a9705
SHA5126c01018d4b434cc4549dae4238df31871721174c22e4cacecf365f259ab5e22800823e741bd4f07073a7bf6d4a4a85a8af8fbfdd8157f06a6c7d59b46e9b53c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD5edb4e3317b95e16a448b0cd9282ae23a
SHA10f6e826bd5c7c642334855aa206da5038f29eeef
SHA256bb75eeb18bda565003475de62ef5c37ca005d2809c0da6fdcdeb82c07b6a71ff
SHA5124e353ab569b7a5177f776584ebd28e70cba33acb6589fc4bc1f698fcd9b4c5edc16ab0e770c3c3e98833928ff5f407c953e9609176c3cc0b16b10cf0fae1557f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5bcfd43b53a47b2dcf107efdcbd0b59a4
SHA175b548df2aecb2dec9a995c9ff974be78959411a
SHA256b0fa8ff8516c233400ff93675d5091c6747a19287d70c92c470fb30978868fa6
SHA512f473cfef0228f41b471e67ad3dbfe5715ba9aab9eb541f27445da87b8944bcd6a3560ab3e5e57a440f8a626b9137fdcd85aa2a50366f67ec61f478b4c7cea634
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD511bb45ba5249ab6268b8d36479f02510
SHA1706703e01a5a1b9ab57e358f11d8950060809c63
SHA256d516b25d3c154c23f23bd98a83b80b261a073fca38ec1a85bdde82cea1d2fe95
SHA512213a029e96bf6b6b9bb62b600b2b93420817b491db6df1c062b922662b1fe851f3de80d761ce48f97454ceffe978597409a28aea1054b7c05bdcb4c681ac9c8a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD5fb0073709a3a272bed9454209fab0837
SHA1c79fdb52969e5e3d390100528183fc0a485d61a0
SHA2566a87c712dfc11a0fdff71644bda3d857e341fd555b3ad335b4851c84b669453c
SHA512d2917f5ffe91812360795e59accaa3651dc70d2cda471184e606954de473cd7959d6d7cfba6c8fea57ea466873705c93f7a4b370ba9e3e8c3cb1d11899ac9a60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD572acbf7b9295b2b3da5fce9311917107
SHA1bffa1f9f91b1c9750753cabefafb01996266359d
SHA2561507cf50bd54f23529e0cc6454748a3a340f6a41758b866951370d7238dba36e
SHA512b76db05ae0b7771dab839c68136e2d55ad9cb8c9b91604fe689193b242ddb79b2d32f722a9e8b76c8d652712e469125f10ac24cbb7c6d7a898adbcaab6cc3286
-
Filesize
651B
MD59bbfe11735bac43a2ed1be18d0655fe2
SHA161141928bb248fd6e9cd5084a9db05a9b980fb3a
SHA256549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74
SHA512a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483
-
Filesize
4.5MB
MD525a0aa722268b17888b4e159a9f82f18
SHA168ccb5adae9095056a9d5592f6a850f30715a86b
SHA25672896d8abeeeb40360596927c0feade8f0bc28f9937d35f646b9ba2a47f1edca
SHA51279a574f95dbb5ff11e35f2938fcd6a9e22a3f1a35d7e032aceb099dd69ad45dcdf006d92aeb7d1086e3d0615241f6669e510d5dee6f7d262e0e3d4179822365d
-
Filesize
60KB
MD5878e361c41c05c0519bfc72c7d6e141c
SHA1432ef61862d3c7a95ab42df36a7caf27d08dc98f
SHA25624de61b5cab2e3495fe8d817fb6e80094662846f976cf38997987270f8bbae40
SHA51259a7cbb9224ee28a0f3d88e5f0c518b248768ff0013189c954a3012463e5c0ba63a7297497131c9c0306332646af935dd3a1acf0d3e4e449351c28ec9f1be1fa
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.9MB
MD52ba70a300e16d1b51bd103de907777d8
SHA19774343aeb3b6f06593fc84a59422ef3b8cce66b
SHA2560d47740bf97710835ebe91ac545ff0da45d81b54dfb8e2dea485fe5a123ae468
SHA512a2ba8694ea4d014e4103ed02d11ba7309d0ce0f290f55f0d671710cdf61f6d06d976531469686325965966a2d9cd5a0b3a69f47ca5b351b40da03ffaf15d47bb
-
Filesize
12KB
MD58e16d54f986dbe98812fd5ec04d434e8
SHA18bf49fa8e12f801559cc2869365f0b184d7f93fe
SHA2567c772fb24326e90d6e9c60a08495f32f7d5def1c52037d78cbd0436ad70549cd
SHA512e1da797044663ad6362641189fa78116cc4b8e611f9d33c89d6c562f981d5913920acb12a4f7ef6c1871490563470e583910045378bda5c7a13db25f987e9029
-
Filesize
2KB
MD50315a579f5afe989154cb7c6a6376b05
SHA1e352ff670358cf71e0194918dfe47981e9ccbb88
SHA256d10fa136d6ae9a15216202e4dd9f787b3a148213569e438da3bf82b618d8001d
SHA512c7ce8278bc5ee8f8b4738ef8bb2c0a96398b40dc65eea1c28688e772ae0f873624311146f4f4ec8971c91df57983d2d8cdbec1fe98eaa7f9d15a2c159d80e0af
-
Filesize
179KB
MD54dc11547a5fc28ca8f6965fa21573481
SHA1d531b0d8d2f8d49d81a4c17fbaf3bc294845362c
SHA256e9db5cd21c8d709a47fc0cfb2c6ca3bb76a3ed8218bed5dc37948b3f9c7bd99d
SHA512bd0f0a3bbc598480a9b678aa1b35728b2380bf57b195b0249936d0eaaa014f219031a563f486871099bf1c78ccc758f6b25b97cfc5296a73fc60b6caff9877f6
-
Filesize
135KB
MD567ae7b2c36c9c70086b9d41b4515b0a8
SHA1ba735d6a338c8fdfa61c98f328b97bf3e8e48b8b
SHA25679876f242b79269fe0fe3516f2bdb0a1922c86d820ce1dd98500b385511dac69
SHA5124d8320440f3472ee0e9bd489da749a738370970de07b0920b535642723c92de848f4b3d7f898689c817145ce7b08f65128abe91d816827aeb7e5e193d7027078
-
Filesize
119KB
MD5b9b0e9b4d93b18b99ece31a819d71d00
SHA12be1ad570f3ccb2e6f2e2b16d1e0002ca4ec8d9e
SHA2560f1c64c0fa08fe45beac15dc675d3b956525b8f198e92e0ccac21d2a70ce42cf
SHA512465e389806f3b87a544ab8b0b7b49864feeba2eeef4fb51628d40175573ed1ba00b26d6a2abebc74c31369194206ed31d32c68471dddcf817fdd2d26e3da7a53
-
Filesize
10KB
MD562458e58313475c9a3642a392363e359
SHA1e63a3866f20e8c057933ba75d940e5fd2bf62bc6
SHA25685620d87874f27d1aaf1743c0ca47e210c51d9afd0c9381fc0cd8acca3854562
SHA51249fb8ca58aecf97a6ab6b97de7d367accb7c5be76fbcd324af4ce75efe96642e8c488f273c0363250f7a5bcea7f7055242d28fd4b1f130b68a1a5d9a078e7fad
-
Filesize
4KB
MD51cec22ca85e1b5a8615774fca59a420b
SHA1049a651751ef38321a1088af6a47c4380f9293fc
SHA25660a018f46d17b7640fc34587667cd852a16fa8e82f957a69522637f22e5fe5cf
SHA5120f24fe3914aef080a0d109df6cfac548a880947fb85e7490f0d8fa174a606730b29dc8d2ae10525dba4d1ca05ac9b190e4704629b86ac96867188df4ca3168bb
-
Filesize
52KB
MD501e8bc64139d6b74467330b11331858d
SHA1b6421a1d92a791b4d4548ab84f7140f4fc4eb829
SHA256148359a84c637d05c20a58f5038d8b2c5390f99a5a229be8eccbb5f85e969438
SHA5124099e8038d65d95d3f00fd32eba012f55ae16d0da3828e5d689ef32e20352fdfcc278cd6f78536dc7f28fb97d07185e654fe6eee610822ea8d9e9d5af696dff5
-
Filesize
602B
MD594ef35a3fb9d89985ca6e3ef493ece44
SHA1adfdc317476675bfb9d04766bbf8ebd8509556de
SHA2564ecf256f8ab9fa5e6edf6ff1900b516af925cefefdc61fd0da7d02751778420c
SHA5121c3547403d062367f67fdd310f6b51a993279432c2047e71ae1aeaf1491e046f2aa83f2aab541f714f873a72c68b010ebd19de76328be330dfdcb50fb6853b15
-
Filesize
4KB
MD5f5a2bb0651046649d2d13dde26af06ff
SHA1e7a568b446661ba64bbc3934f38ff45db62c98ea
SHA256edf1d0252a2f1f0628351853c70b197cdede9c536fed59fbc92ab7df73f7361d
SHA512fea8c1f220961773328951d7ccff0b6832c9d5bfaecfa84956de3d1fedadca53a0f1d53cc29060fc8f8c5481221e5826e73b307225298d711c5ab70638ec7a35
-
Filesize
1KB
MD5ecadf293590f09e0a2433f8d9a10d741
SHA16f7bf11222d095920f93e029056bcd0631c3cf6e
SHA25650314ed141d621b1f46f58604233e3426589363033386552063176aabef2951c
SHA51273819c5285bc69c3664104a75167fe10bdb2764d6c3e490a194717fa938b6d13af890278eaf2b422bdf123268c33d68d409e6b4d366b8f0a73e09695f2ed914a
-
Filesize
2KB
MD5498ff1f036f09007f385c9fc9c4a5104
SHA15de615a84cb4950d53899ecc880c8a65c3dc6d5e
SHA256aa9e957b4990278a3aedbfc0984b5e02734a4e991eedb9efd4209001abb70187
SHA512b3da5acf4398797763f65d4dfff8308dd3352fa68dd5d016fda4ca32b52a526da8c67142ac704c4279337ddf70155fb43721ffc45a33a4b04a29e24a67dd3587
-
Filesize
2KB
MD5b8e6122cc7d90a2cacd3d39feddddf68
SHA1691ed3107cf0531170b93a295305a939306e9678
SHA256671ba929cd0f8fa39118610580c3f282707ec125b4745f41f1ba36def316ef2f
SHA51258a2ce07e12ad1addab6f66d1396f91e68ef50949176ba9f56824830d67d091de06ff2c7d0e683015fc5015ab6a8f8c15add64657a54c5f4528358bf447ac4f6
-
Filesize
2.7MB
MD5df5eb1af99091a902effa52463eda084
SHA1b04578b36490a4ec0092e9a44ae6b2679670450a
SHA25683ef8e362af27279b63ef28379675a087984791e5eaf4a9272a5cb4e52dd059c
SHA512663e11667ec5c6c7969ce61f90d869f3723cbd007236150478ef6dbd861ddc75cf5f96b0345319bd178cd87045daa39a0d6ca4af83cf8dcdb4ebe7462d3eeabd
-
Filesize
571B
MD5de10be3435fbcab7eeccaa67e2431619
SHA17afdb3c4c042692ea3f19f2d2275bada7cacfbfd
SHA256d193eda99410268676293d315164ff29cd263ca0251a0238592a23a9d78476b0
SHA512bda2f23885d4bb07c328622d7f637379f63f08b57eb54c4a665fb56d5f68e61d36ff4b4e3cc2b8b2b3d3c5f2e0d3dbb581770eec4fddf9a8c0f4b6555ad3c1af
-
Filesize
182KB
MD51d4329601bef6492cd3227df5bcd5125
SHA1d03a3c50ba7663b52c13b54b08b9284f40e4f848
SHA256bd703470b2f35e3c4d917d3038bf806fcc7c155142d300806c95500274951efd
SHA512b0cfc1aef000d428d1ff4f2df41539284a048571e26a2c1a217093e593e546f5af79bbc61be8458021a9829a7d79f68cb8728bf942475096b53c81a66094dd7b
-
Filesize
179KB
MD57a1c100df8065815dc34c05abc0c13de
SHA13c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize
345KB
MD50376dd5b7e37985ea50e693dc212094c
SHA102859394164c33924907b85ab0aaddc628c31bf1
SHA256c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415
SHA51269d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5
-
Filesize
427KB
MD585315ad538fa5af8162f1cd2fce1c99d
SHA131c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA25670735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize
1.8MB
MD5befe2ef369d12f83c72c5f2f7069dd87
SHA1b89c7f6da1241ed98015dc347e70322832bcbe50
SHA2569652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD577bf225bc111d312f056eb4fa6fc11bf
SHA1243ab212c90d0d3c933be8ea7ccadc9ea4a8bd06
SHA256bf23d534686fdb0c8030a57318bde007049fd93de8ac46d21e1480a847b4c826
SHA512a40897bea713aafa27a804ab37825fe749a5b8c27facbc8e2eb9139ce522642f71e27f19ec931241aaea2f5a2696528b2ec0870692acc1003481f97ccabcbdb5
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD55bc6e03f575cc473049ed20e016cf805
SHA1c902fb18892de4dd6706c36a70763a49521e0af2
SHA256f2454138c5f5a09f52ad78ea2fe13c6b6b6d7ae95a5ce3ee9191925d9a008fc0
SHA512a0dadcd233e316e68c8f9f59c5f512a3229bce6af98c30210773565dc4135055d8767ec5c0480397a2a25c6f51c4ef6387377427c942f8ed1e1d57ed4b0aeb62
-
Filesize
24.1MB
MD58f17af054f62b67bcccc9d5e6b06b576
SHA1162be1780f2b2bd07e9b44c0d56a60133024ae9e
SHA256f5f9d80d32c2dbd31e0ff9de8b799c263e5478d3a4d89b187aded358eb21ac3d
SHA5122c567aef5fd4572ead937a349d723f838e86a8ebb481eed09e661d7d41a62ee6548b832b62fb96472edb63ebdb47a0453b5f32e912e3ed8570bfa9fe8ec8d0bf
-
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2bb60d55-92de-4eec-ab05-7a9d0c334140}_OnDiskSnapshotProp
Filesize6KB
MD51e9c8ef7fd63e210088ae22173153718
SHA150bc308b884cb2e5f70e355a52368025d1ea88d8
SHA256e042c44d89026a7839d3b3a07506426c747fab275bacd80a2e2362601c4bd688
SHA512677e4fa29802dc0587fd13f9ea291b4a7ebb8680ca5b6f5eec9258633c04755e26911f3491250b02ff6579657f5d091ee415399f630727295b3ceebba43d26b5