Analysis
-
max time kernel
397s -
max time network
394s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
06-11-2024 12:57
Behavioral task
behavioral1
Sample
e6d41a5c8b4ee4d298da209f75f5ff678bfec84d8ac4a4dbf11d17e6b6aa7007.msi
Resource
win10v2004-20241007-en
General
-
Target
e6d41a5c8b4ee4d298da209f75f5ff678bfec84d8ac4a4dbf11d17e6b6aa7007.msi
-
Size
2.9MB
-
MD5
c5d6f1dbaaa149c1037f2e88d824a759
-
SHA1
46facb96e7a2332c44e412cc8aca7d2b9aca497a
-
SHA256
e6d41a5c8b4ee4d298da209f75f5ff678bfec84d8ac4a4dbf11d17e6b6aa7007
-
SHA512
5edf7f578c5cedd6cbd12f8904019a52a85ac819b2d87eb47e2300a0e95fd891a220b32790587eec6c93b4a0c88a0f554301e17bca2c78801fbb55381ad3c7e0
-
SSDEEP
49152:g+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:g+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
Processes:
resource yara_rule behavioral1/files/0x0008000000023cab-236.dat family_ateraagent -
Blocklisted process makes network request 7 IoCs
Processes:
msiexec.exerundll32.exerundll32.exeMsiExec.exerundll32.exerundll32.exeflow pid Process 3 1728 msiexec.exe 5 1728 msiexec.exe 31 464 rundll32.exe 35 3836 rundll32.exe 80 788 MsiExec.exe 106 1008 rundll32.exe 145 2696 rundll32.exe -
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
AgentPackageMonitoring.exeAgentPackageMonitoring.exeAgentPackageMonitoring.exeAgentPackageMonitoring.exeAgentPackageMonitoring.exedescription ioc Process File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe -
Drops file in System32 directory 44 IoCs
Processes:
AgentPackageADRemote.exeAgentPackageSystemTools.exeAteraAgent.exeAgentPackageMonitoring.exeMsiExec.exeSRManager.exeAgentPackageUpgradeAgent.exeAteraAgent.exeAgentPackageProgramManagement.exeAteraAgent.exeAgentPackageSTRemote.exeAgentPackageAgentInformation.exeAgentPackageOsUpdates.exeAgentPackageRuntimeInstaller.exeAgentPackageTicketing.exeAgentPackageMarketplace.exeAgentPackageInternalPoller.exeAgentPackageHeartbeat.exerundll32.exeAteraAgent.exedescription ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log AgentPackageADRemote.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log AgentPackageSystemTools.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log AgentPackageMonitoring.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB SRManager.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log AgentPackageUpgradeAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log AgentPackageProgramManagement.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB SRManager.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log AgentPackageSTRemote.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log AgentPackageAgentInformation.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData MsiExec.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log AgentPackageOsUpdates.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log AgentPackageRuntimeInstaller.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTicketing.exe.log AgentPackageTicketing.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content MsiExec.exe File created C:\Windows\system32\SRC4341.tmp MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log AgentPackageMarketplace.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log AgentPackageInternalPoller.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\SRCredentialProvider.dll MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log AgentPackageHeartbeat.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E MsiExec.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log rundll32.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Processes:
resource yara_rule behavioral1/memory/5452-1134-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/5452-1135-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5760-1177-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/5760-1178-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5724-1176-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5724-1163-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/5452-1218-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/5452-1219-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5760-1615-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5760-1614-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/5724-1612-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5724-1599-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/4348-1769-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/4348-1773-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/4348-1786-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/4348-1783-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/5452-2291-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/5452-2292-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5760-2294-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5760-2293-0x00000000728C0000-0x00000000729DC000-memory.dmp upx behavioral1/memory/5760-3105-0x00000000724F0000-0x00000000728BD000-memory.dmp upx behavioral1/memory/5760-3104-0x00000000728C0000-0x00000000729DC000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
AteraAgent.exeSRAgent.exeAteraAgent.exeAgentPackageProgramManagement.exemsiexec.exeAgentPackageInternalPoller.exeAteraAgent.exeAgentPackageUpgradeAgent.exedescription ioc Process File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\SharpSnmpLib.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.Utils.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.ModelsV3.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.NetworkInformation.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3 SRAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Configuration.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\fr\Microsoft.Win32.TaskScheduler.resources.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\lastSnapshot.txt AgentPackageProgramManagement.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\ICSharpCode.SharpZipLib.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.ini AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe.config AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver64.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidSupport.reg msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.FileProviders.Physical.dll AteraAgent.exe File opened for modification C:\Program Files\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.cat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\stgamepad.sys msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Infrastructure.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\snmp.cfg.bak AgentPackageInternalPoller.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Pipes.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cinst.exe AgentPackageProgramManagement.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdsmpl.gpd msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.Exceptions.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe.config AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.ini AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.Utils.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver64.bat msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Numerics.Vectors.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x86\SQLite.Interop.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\64bits\stdpms.sys msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\install_driver64.bat msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\ToBeRemoved\BouncyCastle.Crypto.dll AgentPackageUpgradeAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\Atera.AgentPackage.Common.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.ModelsV3.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\ICSharpCode.SharpZipLib.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Requests.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.runtimeconfig.json AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Atera.Agent.Package.Tools.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\NLog.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAdemWrapper.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.TaskScheduler.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\System.Diagnostics.EventLog.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.cat msiexec.exe -
Drops file in Windows directory 64 IoCs
Processes:
rundll32.exerundll32.exerundll32.exemsiexec.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exedescription ioc Process File opened for modification C:\Windows\Installer\MSI9306.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI949D.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIEBAF.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI50E9.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBBD7.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIDB2E.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE15A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3DCE.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI949D.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI9E34.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9ED3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDFA4.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\e57d7c5.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIEBAF.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI2F83.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3D5F.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57d7cb.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI97AC.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIBBD7.tmp-\Newtonsoft.Json.dll rundll32.exe File created C:\Windows\Installer\e57d7c2.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE248.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9306.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEBAF.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\e57d7c5.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI949D.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBBD7.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBBD7.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI1D9D.tmp msiexec.exe File created C:\Windows\Installer\e57d7c9.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI97AC.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI9E55.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBBD7.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI5446.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI97AC.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI9306.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI949D.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI97AC.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIDB2E.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIDFA4.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID84F.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI1E2B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIEBAF.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIEBAF.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSI949D.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB55B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID84F.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIDFA4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBBD7.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID84F.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIDB2E.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI97AC.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4} msiexec.exe File opened for modification C:\Windows\Installer\MSIB666.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID84F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID84F.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIB54B.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDB2E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9306.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\e57d7c4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI1FB2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI2C27.tmp msiexec.exe -
Executes dropped EXE 64 IoCs
Processes:
AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAgentPackageSTRemote.exeAteraAgent.exeAgentPackageMonitoring.exeSplashtopStreamer.exePreVerCheck.exe_is2025.exe_is2025.exe_is2025.exe_is2025.exe_is2025.exe_is2025.exe_is2025.exe_is2025.exe_is2025.exe_is2025.exe_is2C6B.exe_is2C6B.exe_is2C6B.exe_is2C6B.exe_is2C6B.exe_is2C6B.exe_is2C6B.exe_is2C6B.exe_is2C6B.exe_is2C6B.exe_is3EAC.exe_is3EAC.exe_is3EAC.exe_is3EAC.exe_is3EAC.exe_is3EAC.exe_is3EAC.exe_is3EAC.exe_is3EAC.exe_is3EAC.exeSetupUtil.exeSetupUtil.exeSetupUtil.exeSRSelfSignCertUtil.exe_is512C.exe_is512C.exe_is512C.exe_is512C.exe_is512C.exe_is512C.exe_is512C.exe_is512C.exe_is512C.exe_is512C.exeSRService.exe_is54C7.exe_is54C7.exe_is54C7.exe_is54C7.exe_is54C7.exe_is54C7.exe_is54C7.exe_is54C7.exe_is54C7.exepid Process 3960 AteraAgent.exe 456 AteraAgent.exe 2456 AgentPackageAgentInformation.exe 4140 AgentPackageAgentInformation.exe 1464 AgentPackageAgentInformation.exe 4956 AgentPackageSTRemote.exe 1992 AteraAgent.exe 5076 AgentPackageMonitoring.exe 4588 SplashtopStreamer.exe 2716 PreVerCheck.exe 1808 _is2025.exe 5100 _is2025.exe 3960 _is2025.exe 2472 _is2025.exe 1876 _is2025.exe 2676 _is2025.exe 1816 _is2025.exe 3052 _is2025.exe 3772 _is2025.exe 1196 _is2025.exe 5988 _is2C6B.exe 6024 _is2C6B.exe 6056 _is2C6B.exe 6088 _is2C6B.exe 6120 _is2C6B.exe 3052 _is2C6B.exe 5228 _is2C6B.exe 5192 _is2C6B.exe 5320 _is2C6B.exe 3224 _is2C6B.exe 5596 _is3EAC.exe 5644 _is3EAC.exe 5676 _is3EAC.exe 5648 _is3EAC.exe 1764 _is3EAC.exe 5744 _is3EAC.exe 5840 _is3EAC.exe 5820 _is3EAC.exe 1712 _is3EAC.exe 5868 _is3EAC.exe 5940 SetupUtil.exe 6052 SetupUtil.exe 1808 SetupUtil.exe 5456 SRSelfSignCertUtil.exe 5568 _is512C.exe 5620 _is512C.exe 5556 _is512C.exe 5692 _is512C.exe 5676 _is512C.exe 1764 _is512C.exe 5836 _is512C.exe 5812 _is512C.exe 5056 _is512C.exe 5872 _is512C.exe 1916 SRService.exe 6076 _is54C7.exe 6108 _is54C7.exe 6140 _is54C7.exe 6128 _is54C7.exe 5204 _is54C7.exe 1636 _is54C7.exe 2036 _is54C7.exe 4764 _is54C7.exe 1420 _is54C7.exe -
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exepid Process 1044 sc.exe 628 sc.exe 6064 sc.exe -
Loads dropped DLL 64 IoCs
Processes:
MsiExec.exerundll32.exerundll32.exerundll32.exeMsiExec.exerundll32.exeAgentPackageMonitoring.exeMsiExec.exeSRManager.exeSRServer.exeSRAgent.exepid Process 1064 MsiExec.exe 4388 rundll32.exe 4388 rundll32.exe 4388 rundll32.exe 4388 rundll32.exe 4388 rundll32.exe 1064 MsiExec.exe 464 rundll32.exe 464 rundll32.exe 464 rundll32.exe 464 rundll32.exe 464 rundll32.exe 464 rundll32.exe 464 rundll32.exe 1064 MsiExec.exe 3340 rundll32.exe 3340 rundll32.exe 3340 rundll32.exe 3340 rundll32.exe 3340 rundll32.exe 1064 MsiExec.exe 3504 MsiExec.exe 3504 MsiExec.exe 1064 MsiExec.exe 3836 rundll32.exe 3836 rundll32.exe 3836 rundll32.exe 3836 rundll32.exe 3836 rundll32.exe 3836 rundll32.exe 3836 rundll32.exe 5076 AgentPackageMonitoring.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 788 MsiExec.exe 5452 SRManager.exe 788 MsiExec.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5760 SRServer.exe 5760 SRServer.exe 5724 SRAgent.exe 5452 SRManager.exe 5452 SRManager.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 60 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
cmd.exeSRManager.exetaskkill.execmd.exetaskkill.execmd.exetaskkill.exeTaskKill.exerundll32.exerundll32.exeSRSelfSignCertUtil.exeSRUtility.exerundll32.exeMsiExec.execmd.exeSRFeature.exeMsiExec.execmd.exeSRService.exeNET.exenet1.exeSetupUtil.exenet1.exeSplashtopStreamer.exePreVerCheck.execmd.exetaskkill.exetaskkill.exeNET.exetaskkill.exeSRAppPB.exerundll32.exeTaskKill.execmd.exeSetupUtil.exeMsiExec.execmd.exetaskkill.exeSRServer.exerundll32.exeTaskKill.execmd.exetaskkill.exeSetupUtil.exeNET.exemsiexec.exeSRService.exeSRUtility.exeSRUtility.exeSRAgent.exerundll32.exeMsiExec.exetaskkill.exeSRService.exeSRVirtualDisplay.exerundll32.exerundll32.exenet1.exetaskkill.execmd.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRSelfSignCertUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRFeature.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashtopStreamer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PreVerCheck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAppPB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRVirtualDisplay.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Time Discovery 1 TTPs 4 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
Processes:
cmd.exedotnet.execmd.exedotnet.exepid Process 1800 cmd.exe 1824 dotnet.exe 3132 cmd.exe 4156 dotnet.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Kills process with taskkill 13 IoCs
Processes:
taskkill.exeTaskKill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTaskKill.exeTaskKill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exepid Process 5676 taskkill.exe 724 TaskKill.exe 5284 taskkill.exe 5444 taskkill.exe 5516 taskkill.exe 5596 taskkill.exe 32 TaskKill.exe 5820 TaskKill.exe 5128 taskkill.exe 5208 taskkill.exe 5372 taskkill.exe 5756 taskkill.exe 5832 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
cscript.exeMsiExec.exeSRManager.exeAteraAgent.exeAteraAgent.execscript.exeAteraAgent.execscript.exemsiexec.exeAgentPackageHeartbeat.exeAgentPackageMonitoring.exeAgentPackageAgentInformation.exeAteraAgent.exeAgentPackageMarketplace.exeAteraAgent.exeAgentPackageMarketplace.exedescription ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum SRManager.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" cscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs cscript.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageHeartbeat.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\CRLs cscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" AgentPackageMonitoring.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageMarketplace.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageMarketplace.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs cscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\SessionHash = 5569c295adfe88076dbd1706c7a621ec9baf38e3e3aefc4668bb0eecc98e5b4c msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" AgentPackageMonitoring.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates cscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" cscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe -
Modifies registry class 64 IoCs
Processes:
AgentPackageTicketing.exemsiexec.exeAgentPackageTicketing.exeSRService.exeMsiExec.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open AgentPackageTicketing.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\ = "URL:ait Protocol" AgentPackageTicketing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\PackageCode = "F2E9E119D83B20D41A84E594CFD99834" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Version = "17301511" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Net\1 = "C:\\Windows\\TEMP\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net\1 = "C:\\Windows\\TEMP\\unpack\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" SRService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe -a %1" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open\command\ = "\"C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe\" \"%1\"" AgentPackageTicketing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductName = "Splashtop Streamer" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\PackageCode = "4B43BFF14B20EEE4CA4A4249A1E8ED5E" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} SRService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open\command\ = "\"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe\" \"%1\"" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\unpack\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon\ = "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe,1" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\FF1292B61C97FBE4184B6C604D5EEB4F msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687\Server msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\DefaultIcon MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\ = "URL:ait Protocol" AgentPackageTicketing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8\49AE5C7BA69B5F14EB59527DB8846687 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\1 = "DISK1;1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\URL Protocol MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "SRCredentialProvider" MsiExec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32 SRService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon\ = "C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe,1" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait AgentPackageTicketing.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\ProductName = "AteraAgent" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe -
Processes:
AteraAgent.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exeAteraAgent.exeAgentPackageSTRemote.exeSetupUtil.exeSRSelfSignCertUtil.exeSRService.exeSRManager.exeSRAgent.exeSRAppPB.exeSRServer.exepid Process 2592 msiexec.exe 2592 msiexec.exe 456 AteraAgent.exe 456 AteraAgent.exe 456 AteraAgent.exe 456 AteraAgent.exe 4956 AgentPackageSTRemote.exe 4956 AgentPackageSTRemote.exe 1808 SetupUtil.exe 1808 SetupUtil.exe 1808 SetupUtil.exe 1808 SetupUtil.exe 5456 SRSelfSignCertUtil.exe 5456 SRSelfSignCertUtil.exe 5196 SRService.exe 5196 SRService.exe 5452 SRManager.exe 5452 SRManager.exe 5196 SRService.exe 5196 SRService.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5724 SRAgent.exe 5724 SRAgent.exe 1756 SRAppPB.exe 1756 SRAppPB.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5452 SRManager.exe 5196 SRService.exe 5196 SRService.exe 5760 SRServer.exe 5760 SRServer.exe 5760 SRServer.exe 5760 SRServer.exe 5760 SRServer.exe 5760 SRServer.exe 1756 SRAppPB.exe 1756 SRAppPB.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exerundll32.exeTaskKill.exedescription pid Process Token: SeShutdownPrivilege 1728 msiexec.exe Token: SeIncreaseQuotaPrivilege 1728 msiexec.exe Token: SeSecurityPrivilege 2592 msiexec.exe Token: SeCreateTokenPrivilege 1728 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1728 msiexec.exe Token: SeLockMemoryPrivilege 1728 msiexec.exe Token: SeIncreaseQuotaPrivilege 1728 msiexec.exe Token: SeMachineAccountPrivilege 1728 msiexec.exe Token: SeTcbPrivilege 1728 msiexec.exe Token: SeSecurityPrivilege 1728 msiexec.exe Token: SeTakeOwnershipPrivilege 1728 msiexec.exe Token: SeLoadDriverPrivilege 1728 msiexec.exe Token: SeSystemProfilePrivilege 1728 msiexec.exe Token: SeSystemtimePrivilege 1728 msiexec.exe Token: SeProfSingleProcessPrivilege 1728 msiexec.exe Token: SeIncBasePriorityPrivilege 1728 msiexec.exe Token: SeCreatePagefilePrivilege 1728 msiexec.exe Token: SeCreatePermanentPrivilege 1728 msiexec.exe Token: SeBackupPrivilege 1728 msiexec.exe Token: SeRestorePrivilege 1728 msiexec.exe Token: SeShutdownPrivilege 1728 msiexec.exe Token: SeDebugPrivilege 1728 msiexec.exe Token: SeAuditPrivilege 1728 msiexec.exe Token: SeSystemEnvironmentPrivilege 1728 msiexec.exe Token: SeChangeNotifyPrivilege 1728 msiexec.exe Token: SeRemoteShutdownPrivilege 1728 msiexec.exe Token: SeUndockPrivilege 1728 msiexec.exe Token: SeSyncAgentPrivilege 1728 msiexec.exe Token: SeEnableDelegationPrivilege 1728 msiexec.exe Token: SeManageVolumePrivilege 1728 msiexec.exe Token: SeImpersonatePrivilege 1728 msiexec.exe Token: SeCreateGlobalPrivilege 1728 msiexec.exe Token: SeBackupPrivilege 2800 vssvc.exe Token: SeRestorePrivilege 2800 vssvc.exe Token: SeAuditPrivilege 2800 vssvc.exe Token: SeBackupPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeDebugPrivilege 464 rundll32.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeDebugPrivilege 724 TaskKill.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe Token: SeTakeOwnershipPrivilege 2592 msiexec.exe Token: SeRestorePrivilege 2592 msiexec.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
Processes:
msiexec.exeSRServer.exepid Process 1728 msiexec.exe 1728 msiexec.exe 5760 SRServer.exe 5760 SRServer.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
SplashtopStreamer.exeSRServer.exeSRAppPB.exeSRVirtualDisplay.exepid Process 4588 SplashtopStreamer.exe 5760 SRServer.exe 5760 SRServer.exe 1756 SRAppPB.exe 1756 SRAppPB.exe 1248 SRVirtualDisplay.exe 1248 SRVirtualDisplay.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msiexec.exeMsiExec.exeMsiExec.exeNET.exeAteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.execmd.exeAgentPackageSTRemote.exeSplashtopStreamer.exePreVerCheck.exeMsiExec.exedescription pid Process procid_target PID 2592 wrote to memory of 4080 2592 msiexec.exe 102 PID 2592 wrote to memory of 4080 2592 msiexec.exe 102 PID 2592 wrote to memory of 1064 2592 msiexec.exe 104 PID 2592 wrote to memory of 1064 2592 msiexec.exe 104 PID 2592 wrote to memory of 1064 2592 msiexec.exe 104 PID 1064 wrote to memory of 4388 1064 MsiExec.exe 105 PID 1064 wrote to memory of 4388 1064 MsiExec.exe 105 PID 1064 wrote to memory of 4388 1064 MsiExec.exe 105 PID 1064 wrote to memory of 464 1064 MsiExec.exe 106 PID 1064 wrote to memory of 464 1064 MsiExec.exe 106 PID 1064 wrote to memory of 464 1064 MsiExec.exe 106 PID 1064 wrote to memory of 3340 1064 MsiExec.exe 108 PID 1064 wrote to memory of 3340 1064 MsiExec.exe 108 PID 1064 wrote to memory of 3340 1064 MsiExec.exe 108 PID 2592 wrote to memory of 3504 2592 msiexec.exe 109 PID 2592 wrote to memory of 3504 2592 msiexec.exe 109 PID 2592 wrote to memory of 3504 2592 msiexec.exe 109 PID 3504 wrote to memory of 4744 3504 MsiExec.exe 110 PID 3504 wrote to memory of 4744 3504 MsiExec.exe 110 PID 3504 wrote to memory of 4744 3504 MsiExec.exe 110 PID 4744 wrote to memory of 212 4744 NET.exe 112 PID 4744 wrote to memory of 212 4744 NET.exe 112 PID 4744 wrote to memory of 212 4744 NET.exe 112 PID 3504 wrote to memory of 724 3504 MsiExec.exe 113 PID 3504 wrote to memory of 724 3504 MsiExec.exe 113 PID 3504 wrote to memory of 724 3504 MsiExec.exe 113 PID 2592 wrote to memory of 3960 2592 msiexec.exe 115 PID 2592 wrote to memory of 3960 2592 msiexec.exe 115 PID 1064 wrote to memory of 3836 1064 MsiExec.exe 118 PID 1064 wrote to memory of 3836 1064 MsiExec.exe 118 PID 1064 wrote to memory of 3836 1064 MsiExec.exe 118 PID 456 wrote to memory of 1044 456 AteraAgent.exe 119 PID 456 wrote to memory of 1044 456 AteraAgent.exe 119 PID 456 wrote to memory of 2456 456 AteraAgent.exe 123 PID 456 wrote to memory of 2456 456 AteraAgent.exe 123 PID 456 wrote to memory of 4140 456 AteraAgent.exe 126 PID 456 wrote to memory of 4140 456 AteraAgent.exe 126 PID 456 wrote to memory of 1464 456 AteraAgent.exe 128 PID 456 wrote to memory of 1464 456 AteraAgent.exe 128 PID 456 wrote to memory of 4956 456 AteraAgent.exe 130 PID 456 wrote to memory of 4956 456 AteraAgent.exe 130 PID 456 wrote to memory of 5076 456 AteraAgent.exe 134 PID 456 wrote to memory of 5076 456 AteraAgent.exe 134 PID 1992 wrote to memory of 628 1992 AteraAgent.exe 136 PID 1992 wrote to memory of 628 1992 AteraAgent.exe 136 PID 4140 wrote to memory of 1436 4140 AgentPackageAgentInformation.exe 138 PID 4140 wrote to memory of 1436 4140 AgentPackageAgentInformation.exe 138 PID 1436 wrote to memory of 3404 1436 cmd.exe 140 PID 1436 wrote to memory of 3404 1436 cmd.exe 140 PID 4956 wrote to memory of 4588 4956 AgentPackageSTRemote.exe 144 PID 4956 wrote to memory of 4588 4956 AgentPackageSTRemote.exe 144 PID 4956 wrote to memory of 4588 4956 AgentPackageSTRemote.exe 144 PID 4588 wrote to memory of 2716 4588 SplashtopStreamer.exe 145 PID 4588 wrote to memory of 2716 4588 SplashtopStreamer.exe 145 PID 4588 wrote to memory of 2716 4588 SplashtopStreamer.exe 145 PID 2716 wrote to memory of 1696 2716 PreVerCheck.exe 146 PID 2716 wrote to memory of 1696 2716 PreVerCheck.exe 146 PID 2716 wrote to memory of 1696 2716 PreVerCheck.exe 146 PID 2592 wrote to memory of 788 2592 msiexec.exe 147 PID 2592 wrote to memory of 788 2592 msiexec.exe 147 PID 2592 wrote to memory of 788 2592 msiexec.exe 147 PID 788 wrote to memory of 1808 788 MsiExec.exe 150 PID 788 wrote to memory of 1808 788 MsiExec.exe 150 PID 788 wrote to memory of 5100 788 MsiExec.exe 151 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e6d41a5c8b4ee4d298da209f75f5ff678bfec84d8ac4a4dbf11d17e6b6aa7007.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1728
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4080
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 94D0FDC634A1A822ACBECCC1CB1A767B2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1064 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID84F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240638281 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4388
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIDB2E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240638812 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:464
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIDFA4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240639968 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3340
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIEBAF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643015 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3836
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 55D08A76C1B1913F54144D23E479D44C E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4744 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:212
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:724
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="2" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000MVDpAIAX" /AgentId="94ae291a-8739-4b3b-a9b7-54dade11c279"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3960
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 631928C0E59E7E407D0AA307A7FD924F E Global\MSI00002⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:788 -
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE334B27-6CD8-482F-8B2A-A1D1B236A2E4}3⤵
- Executes dropped EXE
PID:1808
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1FDD5547-7874-4AEC-A99F-C5587D6AAD4B}3⤵
- Executes dropped EXE
PID:5100
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9DF4FE0E-BF0F-450B-94F6-F624FD4B39FD}3⤵
- Executes dropped EXE
PID:3960
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{41EBE5CC-8CA8-4DF1-934B-FD2918E6DC80}3⤵
- Executes dropped EXE
PID:2472
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C7FE1A4F-B1E1-4D53-BEB9-6A2576959E94}3⤵
- Executes dropped EXE
PID:1876
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{02432933-8B3E-4BD2-9B96-348FFC5DBA32}3⤵
- Executes dropped EXE
PID:2676
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF47258C-7169-4C1D-9616-3462D2901745}3⤵
- Executes dropped EXE
PID:1816
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C5F45E8C-E356-4AF8-831A-0DD6A61A59CA}3⤵
- Executes dropped EXE
PID:3052
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FD28CD93-6234-4E5B-A7E2-1197AC0B3702}3⤵
- Executes dropped EXE
PID:3772
-
-
C:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exeC:\Windows\TEMP\{BEE33017-ECAC-47AF-88CB-FD27BC23DBF8}\_is2025.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{75BBEB83-28B4-4CA6-868B-39D42B000530}3⤵
- Executes dropped EXE
PID:1196
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4564 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:1876
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRServer.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5128
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5160 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRApp.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5208
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5236 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5284
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5324 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5372
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5400 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5444
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5472 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5516
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5548 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5596
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5628 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5676
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5708 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAudioChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5756
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5784 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRVirtualDisplay.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5832
-
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D3F563FA-EF6E-4E6E-B4AF-32BD4E12F658}3⤵
- Executes dropped EXE
PID:5988
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1A0F1609-2BB9-45EC-A981-447281814ED0}3⤵
- Executes dropped EXE
PID:6024
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B9254F3E-3999-4324-847A-F54948044881}3⤵
- Executes dropped EXE
PID:6056
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{468CBB83-058E-4E96-A426-7DE76A7422A4}3⤵
- Executes dropped EXE
PID:6088
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C30D8C69-A22A-42F8-8FEE-CB00EE788CB5}3⤵
- Executes dropped EXE
PID:6120
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{317A384E-59D3-4D69-8B95-9BAF1A10D8C5}3⤵
- Executes dropped EXE
PID:3052
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA3FAD96-D498-435F-BB4C-CF0B93B031EF}3⤵
- Executes dropped EXE
PID:5228
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF32B249-FCE8-4745-B3EB-C7B5D27C0CEC}3⤵
- Executes dropped EXE
PID:5192
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3BDE16C5-96E4-41C2-B144-ADEA05A146EE}3⤵
- Executes dropped EXE
PID:5320
-
-
C:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exeC:\Windows\TEMP\{19281E57-1B5C-4D70-813D-D60F27E6CB39}\_is2C6B.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BC6A931B-093C-4486-9B9E-A120D4672964}3⤵
- Executes dropped EXE
PID:3224
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8A6C6FB1-48FC-44E0-9690-E794C65C2A3C}3⤵
- Executes dropped EXE
PID:5596
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BCAF9920-7AF0-4EFD-B6E0-53A32974D948}3⤵
- Executes dropped EXE
PID:5644
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C855A430-17EC-4E03-B409-6AAEEF0DC01C}3⤵
- Executes dropped EXE
PID:5676
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3E324FE1-B2C2-467A-A058-021BEB9D8D72}3⤵
- Executes dropped EXE
PID:5648
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{457FBB16-4F5D-438E-8EA0-A856A25E6445}3⤵
- Executes dropped EXE
PID:1764
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D35CCF8E-937C-481E-81A0-8E87DE748D77}3⤵
- Executes dropped EXE
PID:5744
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A707899B-C234-4BC2-B01C-8CA3B4940790}3⤵
- Executes dropped EXE
PID:5840
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{53493599-C727-423A-803A-CCAF38BBDD81}3⤵
- Executes dropped EXE
PID:5820
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1217E8AB-2800-4903-AE29-4921DDF46BC8}3⤵
- Executes dropped EXE
PID:1712
-
-
C:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exeC:\Windows\TEMP\{19880953-2669-4F32-870B-730FBC42B87A}\_is3EAC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F90BD685-835B-4C7A-809E-DA06AE791F7F}3⤵
- Executes dropped EXE
PID:5868
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5940
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:6052
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1808 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:5252
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:1404
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5456
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CED0AE9C-E0B9-4A2D-AB96-27E24BA5978F}3⤵
- Executes dropped EXE
PID:5568
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{556C325D-94B6-42FB-A8BF-6B8BDB772F97}3⤵
- Executes dropped EXE
PID:5620
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7C093AAA-C41B-4595-B49F-09C308A2C258}3⤵
- Executes dropped EXE
PID:5556
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F894A50-1C05-4F15-86C6-6DF24E9C7A26}3⤵
- Executes dropped EXE
PID:5692
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{738AC9B6-BD07-43B5-AB1F-7E139FFDEEF5}3⤵
- Executes dropped EXE
PID:5676
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3ED6E684-DFC5-4B9E-821C-589A2C23C7DD}3⤵
- Executes dropped EXE
PID:1764
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E35373F7-16E1-4C1E-972D-006EEB365F7D}3⤵
- Executes dropped EXE
PID:5836
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C0BC3F06-B087-433D-BD65-165FD3BFC936}3⤵
- Executes dropped EXE
PID:5812
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30F3CC48-C793-47B7-A25C-2BFDB2E13C6C}3⤵
- Executes dropped EXE
PID:5056
-
-
C:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exeC:\Windows\TEMP\{A0156528-F2B4-4794-A65A-A373011FF673}\_is512C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A7646D35-F063-419C-9571-6DF619CD70C8}3⤵
- Executes dropped EXE
PID:5872
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:1916
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30F4B590-80A9-4DB0-B00E-378058CECB8C}3⤵
- Executes dropped EXE
PID:6076
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{718C57FB-2FEA-46FF-A1C2-242B67A5FE14}3⤵
- Executes dropped EXE
PID:6108
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9BADFCF7-2C9F-4999-8B5D-4B1D98A860C9}3⤵
- Executes dropped EXE
PID:6140
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{27EC7247-B2FC-4DE8-8F6C-6423506ADF6D}3⤵
- Executes dropped EXE
PID:6128
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C88CFCFF-87A6-4EA4-A8C5-2C477F0A5FBC}3⤵
- Executes dropped EXE
PID:5204
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B68BA05-805B-4747-B1CC-CA442A14DC03}3⤵
- Executes dropped EXE
PID:1636
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0307E487-20F9-4DAD-942E-9AD37284DAF2}3⤵
- Executes dropped EXE
PID:2036
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F09367B3-5E84-4CF7-8D71-9B13BBD73070}3⤵
- Executes dropped EXE
PID:4764
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5CBDB6ED-F287-4EB7-B71D-5F2EF65D110C}3⤵
- Executes dropped EXE
PID:1420
-
-
C:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exeC:\Windows\TEMP\{01DC7B4A-66EA-4DC5-BFF6-C1C954B09F7F}\_is54C7.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6A33AE72-73B8-4EE6-AC8C-FF6AD77DE1F8}3⤵PID:4692
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r3⤵
- System Location Discovery: System Language Discovery
PID:5264
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 34FE16F841579D650221B6CC26EA047C E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:5432 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI9306.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240686000 463 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4256
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI949D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240686234 467 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1008
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI97AC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240687015 472 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5404
-
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:2276 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:4856
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:32
-
-
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:3860 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:1692
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5820
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIBBD7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240696296 510 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2696
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u2⤵
- Drops file in System32 directory
PID:5940
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="" /AgentId="c7855923-0b10-4350-ba21-5cfce30603ab"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5064
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2800
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:456 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:1044
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "9b686750-e4e2-48f6-ab0e-89b6e1469d55" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:2456
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "bca81a44-c465-4a28-bad8-c751a5eb2dc5" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000MVDpAIAX2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4140 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:1436 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:3404
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "df3e6912-cee7-4764-80d9-05db146cf6ef" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000MVDpAIAX2⤵
- Executes dropped EXE
PID:1464
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "50c90d42-654e-487c-965a-affa949be73c" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4956 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4588 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵
- System Location Discovery: System Language Discovery
PID:1696
-
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "a1655f0f-9126-49dc-9d8f-b7832288c057" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:5076
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1992 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:628
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "4bfffd33-95a9-4fd4-9e5d-dac714c890fb" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000MVDpAIAX2⤵PID:5276
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=a64f96139de52f7737c85a116012a691&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:4348
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "e17e60b6-9846-4285-9c60-aa43c3589514" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000MVDpAIAX2⤵PID:4164
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:5768
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:432
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "ba433051-c01c-4657-9424-7a82fbed796e" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5488 -
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart3⤵PID:3612
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "d02b9421-6b85-417d-8d5f-5ffa25f697b0" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
PID:5880
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "9abeb229-ef52-4276-83b4-b86ec5279260" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
PID:1028
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "bc8c85c2-13bc-4eee-8e51-cd985dbc4961" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5240
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "218a6a42-193b-432c-be22-155b3b2681bf" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:880
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "6d20232d-0c00-4fbb-a2f0-ec6ada0c90f7" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5472
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "70516a65-aafa-4059-b2b8-eb8f998055d5" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000MVDpAIAX2⤵
- Writes to the Master Boot Record (MBR)
- Modifies data under HKEY_USERS
PID:2196
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "3a81d785-9e46-4910-9a03-748d50ca4014" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
PID:1268
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "0bee0d86-c711-43e8-a764-d442b0baff1f" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
- Modifies registry class
PID:3504
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "273167bd-c0e7-44bb-9a83-9f41c7a2a287" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjM1IiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU4OTc4Y2ViLTVkZTMtNDllMi1iNTcxLTk3MjgyNWIwOGYwYS9mMWJkOWIxYmI1YjI1YjhjOWNlZTQwZWQ5YTNkODAyMy9kb3RuZXQtcnVudGltZS02LjAuMzUtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yNjkyMDY2NC1kNzU0LTRmNzYtOWM5OS1lNjkxMTYzNDhlODIvYTQwMzE1MzcxY2M2MDdjOWYxODQ3OGM5M2YyYTY3NmEvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2EyMjNjNDViLTQ3NzctNDA1Ni1hZWEyLTY1M2M1NzZkODExNS9iZjhhZjYzYzZlNjI1YmU0YWZhODVlYzA5M2U4MWU2NS9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9jNGY2NTYyMS1iMzZiLTQ2YTktODM4MC1kNWI2NjBiZWYyN2UvMDE4NWZkNzIwNTVkY2RjYTg2MTY2Yjk5YWRkNzE2ODYvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E5MGZiNWRjLWY0ODgtNDAwZS04NWNhLTg0M2ExMzY0MGY1Ni80ODNkMjQ2MzhjYzJiZWRhZGRhYjQzNzM0YWEyZTQ0Ny9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlVlSmJHR0dWb2NwZmdpckU2eDVNN29MQzhBS2NOSjk4SDNFcmJ0L0taS0dPdWxpQ1Flc1x1MDAyQmx6Wno5XHUwMDJCcnQwdXJMZ2FEeng0cmtXZm0veWg5UWI1RFRKUT09IiwiTWFjWDY0Q2hlY2tzdW0iOiJaZFZQVmRFSG40ZXFkdlNPUksxRUpXcjdnOUt5b0RZSXp6czQzOUxKeHYvZkFRdG5iTjk3OE8yTm1pNGtRSFNkdlJJazEvNFx1MDAyQjlycTZPMEx2Q2FnL1d3PT0iLCJXaW5BUk1DaGVja3N1bSI6IldlTGhodXU3Vi96NEs2WGVubDBINDVWWDExb0ZhdHdvV1BNa2pEQ2dobmhrTm5US2tqZjc0eUFcdTAwMkJcdTAwMkJ0Ri9VU1ZDZXE2T2dRbHI2V1Y1dU1rRWwxUVdqUT09IiwiV2luWDY0Q2hlY2tzdW0iOiJEREtSSlRFanp6XHUwMDJCSWUxMldTM2Y0aHVKQlNpeXR4TkRwQlI2SXpFeHpkM2ZBb0toNVV5MkEwbTlKOFU0ZVh5VmJxeEhjZzB3M25hWW1FZFNFeEwzMEZnPT0iLCJXaW5YODZDaGVja3N1bSI6IjdtSUF5bG9IeWxIVFVJakhud3NXeVVOXHUwMDJCVWU0alk3eXBrZVx1MDAyQnEyM2xNbEdzR0hpVUc1b21scW1LOVEvYVViODhLXHUwMDJCTnBGMWNaUVpXQjVJb3ZtTzVucWN3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
PID:5448 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:1800 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:1824
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "5d2f2b1d-646f-410e-90f6-6cbf7ca50de4" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000MVDpAIAX2⤵PID:5232
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "1a40dff6-c82f-442f-bb90-0c384ea0458f" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000MVDpAIAX2⤵
- Drops file in System32 directory
PID:5852
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5196 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5452 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5760
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5724 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v4⤵PID:2204
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1756
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵
- System Location Discovery: System Language Discovery
PID:4696 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵
- System Location Discovery: System Language Discovery
PID:6012
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1248
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:432 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:6064
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:2404
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "427b40f3-2aac-4829-969c-7837f07bfa6a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000MVDpAIAX2⤵PID:1228
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "44343495-9b8d-4924-8b24-f441201db258" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000MVDpAIAX2⤵
- Modifies data under HKEY_USERS
PID:5476 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:1776
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:5300
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "7e3c6c2b-f0a6-459f-9f35-9fdd2e4b9350" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjM1IiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU4OTc4Y2ViLTVkZTMtNDllMi1iNTcxLTk3MjgyNWIwOGYwYS9mMWJkOWIxYmI1YjI1YjhjOWNlZTQwZWQ5YTNkODAyMy9kb3RuZXQtcnVudGltZS02LjAuMzUtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yNjkyMDY2NC1kNzU0LTRmNzYtOWM5OS1lNjkxMTYzNDhlODIvYTQwMzE1MzcxY2M2MDdjOWYxODQ3OGM5M2YyYTY3NmEvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2EyMjNjNDViLTQ3NzctNDA1Ni1hZWEyLTY1M2M1NzZkODExNS9iZjhhZjYzYzZlNjI1YmU0YWZhODVlYzA5M2U4MWU2NS9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9jNGY2NTYyMS1iMzZiLTQ2YTktODM4MC1kNWI2NjBiZWYyN2UvMDE4NWZkNzIwNTVkY2RjYTg2MTY2Yjk5YWRkNzE2ODYvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E5MGZiNWRjLWY0ODgtNDAwZS04NWNhLTg0M2ExMzY0MGY1Ni80ODNkMjQ2MzhjYzJiZWRhZGRhYjQzNzM0YWEyZTQ0Ny9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlVlSmJHR0dWb2NwZmdpckU2eDVNN29MQzhBS2NOSjk4SDNFcmJ0L0taS0dPdWxpQ1Flc1x1MDAyQmx6Wno5XHUwMDJCcnQwdXJMZ2FEeng0cmtXZm0veWg5UWI1RFRKUT09IiwiTWFjWDY0Q2hlY2tzdW0iOiJaZFZQVmRFSG40ZXFkdlNPUksxRUpXcjdnOUt5b0RZSXp6czQzOUxKeHYvZkFRdG5iTjk3OE8yTm1pNGtRSFNkdlJJazEvNFx1MDAyQjlycTZPMEx2Q2FnL1d3PT0iLCJXaW5BUk1DaGVja3N1bSI6IldlTGhodXU3Vi96NEs2WGVubDBINDVWWDExb0ZhdHdvV1BNa2pEQ2dobmhrTm5US2tqZjc0eUFcdTAwMkJcdTAwMkJ0Ri9VU1ZDZXE2T2dRbHI2V1Y1dU1rRWwxUVdqUT09IiwiV2luWDY0Q2hlY2tzdW0iOiJEREtSSlRFanp6XHUwMDJCSWUxMldTM2Y0aHVKQlNpeXR4TkRwQlI2SXpFeHpkM2ZBb0toNVV5MkEwbTlKOFU0ZVh5VmJxeEhjZzB3M25hWW1FZFNFeEwzMEZnPT0iLCJXaW5YODZDaGVja3N1bSI6IjdtSUF5bG9IeWxIVFVJakhud3NXeVVOXHUwMDJCVWU0alk3eXBrZVx1MDAyQnEyM2xNbEdzR0hpVUc1b21scW1LOVEvYVViODhLXHUwMDJCTnBGMWNaUVpXQjVJb3ZtTzVucWN3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000MVDpAIAX2⤵PID:4432
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:3132 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:4156
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "8b23c6dd-28f7-485b-a78e-c5e6608eedff" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000MVDpAIAX2⤵PID:5268
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "89729f6c-1789-4189-b420-33b2b168cadb" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000MVDpAIAX2⤵
- Modifies data under HKEY_USERS
PID:6344
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "3381d90e-4a9b-4c7d-bbdc-b3bd2f911069" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000MVDpAIAX2⤵PID:6360
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "c410ece9-710a-47cd-9156-87cfdfd22918" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000MVDpAIAX2⤵
- Writes to the Master Boot Record (MBR)
PID:6452
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "05b3c7b9-8018-4b45-b512-aba242cd4d63" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000MVDpAIAX2⤵PID:6492
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "aefdc0ab-a48e-4ac6-b1a1-7e1b32d1b061" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000MVDpAIAX2⤵PID:6552
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "06ec7599-9732-4dd3-9efc-3f90c46e9e02" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000MVDpAIAX2⤵
- Modifies registry class
PID:6612
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "b4802576-7a3c-4fce-a53f-c2d341abd68c" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000MVDpAIAX2⤵PID:6624
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=a64f96139de52f7737c85a116012a691&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:7080
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "771d5c77-f83d-43dc-a1a4-23a56dcdc100" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000MVDpAIAX2⤵PID:6636
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:4812
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "7b4f363f-8016-4366-ac53-b102c596da0c" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000MVDpAIAX2⤵PID:1672
-
C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "94ae291a-8739-4b3b-a9b7-54dade11c279" "7b4f363f-8016-4366-ac53-b102c596da0c" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates" "001Q300000MVDpAIAX"3⤵PID:728
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:6868
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:6584
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "c410ece9-710a-47cd-9156-87cfdfd22918" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000MVDpAIAX2⤵
- Writes to the Master Boot Record (MBR)
PID:6840
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "427b40f3-2aac-4829-969c-7837f07bfa6a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000MVDpAIAX2⤵PID:6488
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:6164
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "aefdc0ab-a48e-4ac6-b1a1-7e1b32d1b061" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000MVDpAIAX2⤵PID:5660
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵
- Modifies data under HKEY_USERS
PID:924
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "c410ece9-710a-47cd-9156-87cfdfd22918" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000MVDpAIAX2⤵
- Writes to the Master Boot Record (MBR)
PID:1640
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:784
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:5044
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:5876
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "aefdc0ab-a48e-4ac6-b1a1-7e1b32d1b061" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 001Q300000MVDpAIAX2⤵PID:4156
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "427b40f3-2aac-4829-969c-7837f07bfa6a" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000MVDpAIAX2⤵PID:2196
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "68c4a9c2-ceeb-43c5-ace5-5dd83a168345" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000MVDpAIAX2⤵PID:2852
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 94ae291a-8739-4b3b-a9b7-54dade11c279 "c410ece9-710a-47cd-9156-87cfdfd22918" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000MVDpAIAX2⤵
- Writes to the Master Boot Record (MBR)
PID:5376
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Defense Evasion
Modify Registry
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD52495646ce206cf9890465ced7f29e99e
SHA1d8ea671527f51b31ee0a939cb76c269ea9259104
SHA256e37919829459777e48d70cca71bc612acbb05ec1d6049d584a0d2358ff76178f
SHA512d465e968d7940901a2f7642fa0e0af90b9c676030ac7aafce0aaee1686540ea22ad5f6f09168f0921588b0461f41e76b6e26262d4d588e02e72a8c14136a506c
-
Filesize
74KB
MD5f9747fde761a346b0e37ab8965736b78
SHA1eb986f533373583cfaf87ee83089939a4b9c371d
SHA256f7b9fa2133ba68ef2a0d09759969c79c47c57848c9ce59566b0c99d3097f008a
SHA51205459285cc2bb30120e12530f9f9bdb68d279de125911b85b3ebeedadd8982517543f39f73254594902eed419c8627ca3b228a96ffa95fabb4c5b30f4cc38596
-
Filesize
464B
MD5322beac4c81953ee129e4238f54a00d9
SHA16474ea8c383cfbe3039a9ab8cd43d6db76dbed7f
SHA256b555985bb489ba511a61ea822f9c08e5c9fef52bc2bb9f77641f1638ffefe45c
SHA5129e9892bd51e4b5af05418203646574e2aa88fcaf4e05957620f61ed8ac468f5101ef494f6949abac30f9d4d8f271a8785abfbfcd18d21af8b30902ed0e3ca32a
-
Filesize
9KB
MD5a5204d0245c7dfa509a2ff49e19088f8
SHA14f1c980e84ae70beb487747ff9c3585f4d48489b
SHA25674379dcc8158de04f5911faa2f57792bb90b8fd809c7947b3f071621b91b7838
SHA512734cb497e809bb7568d0fbae2b0a4a21d1cf2e239161af77678788e49bf2313442b87b7477768290f22e31485b5081fb3569e293aa4bf98d698b80843464b24b
-
Filesize
8KB
MD5c343dde9b00df83f263ce34a1230032f
SHA1a999293f607d9a623f6901f7c06aa1f3b3a2a937
SHA2565b6b5e1db5a18f8c214f3b176e35daa474f6e38c17b9aefa4baaf6f94d4412c7
SHA512c52a91edfa8c450c48b448e0409d919a3d613958b7f70e855ccb9eac1082798e5eb03c9ae20f4124dcba682d5a52bbeb9f8608bf15091cb684a0bc92eaa50205
-
Filesize
1KB
MD5337079222a6f6c6edf58f3f981ff20ae
SHA11f705fc0faa84c69e1fe936b34783b301323e255
SHA256ae56a6c4f6622b5485c46d9fde5d3db468c1bfb573b34c9f199007b5eedcbda5
SHA512ae9cd225f7327da6eeea63c661b9e159d6608dff4897fb6b9651a1756d69282e8051b058a2473d9153fc87c0b54aa59b9a1a865871df693adcb267f8b0157b61
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
210KB
MD5c106df1b5b43af3b937ace19d92b42f3
SHA17670fc4b6369e3fb705200050618acaa5213637f
SHA2562b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Filesize157KB
MD557130702f8ea46ed0437ea893c95f7e4
SHA10e26c3ef0ec0be063aacd7321ee550e321bad17f
SHA2569338c8080cb7be1ee73f1cd706e5e230a0c3b8690305cd9de451fad20b2d0b7b
SHA51210951c367ac35dba9d644fb1cc07043fc238f4cad5ab2280cc1102e860676e1bc4b3a88054f252e26aa9b9e2b52c8941c2d47e1e79d153b4ee3780151c73a02c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Filesize51KB
MD53180c705182447f4bcc7ce8e2820b25d
SHA1ad6486557819a33d3f29b18d92b43b11707aae6e
SHA2565b536eda4bff1fdb5b1db4987e66da88c6c0e1d919777623344cd064d5c9ba22
SHA512228149e1915d8375aa93a0aff8c5a1d3417df41b46f5a6d9a7052715dbb93e1e0a034a63f0faad98d4067bcfe86edb5eb1ddf750c341607d33931526c784eb35
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD5dc63026e80d2bb04f71e41916f807e33
SHA16cda386d2c365f94ea3de41e2390fd916622eb51
SHA2563b54d00f00aa80384de88e4f4005e9d4d889a2ccf64b56e0c29d274352495c85
SHA51261da550efd55187978872f5d8e88164a6181a11c8a720684eaa737e0846fe20b9e82b73e1f689a6585834b84c4cee8dd949af43e76fd0158f6cafa704ab25183
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize173KB
MD531def444e6135301ea3c38a985341837
SHA1f135be75c721af2d5291cb463cbc22a32467084a
SHA25636704967877e4117405bde5ec30beaf31e7492166714f3ffb2ceb262bf2fb571
SHA512bd654388202cb5090c860a7229950b1184620746f4c584ab864eade831168bc7fae0b5e59b90165b1a9e4ba2bd154f235749718ae2df35d3dd10403092185ed1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Filesize94KB
MD59d8b5941ea5b905e8197a175ef2b15a9
SHA186a078e94b5578ec4125f50f78c8518a8ce1d086
SHA256c6f05b647dbadc15ab97d31790fc8ace054986ec33e9178feead4235ad15cb0d
SHA512fab5fe82873862ce8ed1a427482093cca307f6663e9f6497fdc244ce461312872d419ff274cdca0c496414c28681901f335c9911b95d2a7c112d30e32d74e498
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize688KB
MD5ba66874c510645c1fb5fe74f85b32e98
SHA1e33c7e6991a25cc40d9e0dcc260b5a27f4a34e6c
SHA25612d64550cb536a067d8afff42864836f6d41566e18f46d3ca92cb68726bdd4e9
SHA51244e8caa916ab98da36af02b84ac944fbf0a65c80b0adbdc1a087f8ed3eff71c750fb6116f2c12034f9f9b429d6915db8f88511b79507cc4d063bab40c4eaa568
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize27KB
MD5797c9554ec56fd72ebb3f6f6bef67fb5
SHA140af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb
SHA2567138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49
SHA5124f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize214KB
MD501807774f043028ec29982a62fa75941
SHA1afc25cf6a7a90f908c0a77f2519744f75b3140d4
SHA2569d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e
SHA51233bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize37KB
MD5efb4712c8713cb05eb7fe7d87a83a55a
SHA1c94d106bba77aecf88540807da89349b50ea5ae7
SHA25630271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75
SHA5123594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8
-
Filesize
3.4MB
MD5e010d1f614b1a830482d3df4ba056f24
SHA15873e22b8c51a808c06a3bbf425fcf02b2a80328
SHA25698a98dd1df25d31a01d47eaf4fa65d5f88bc0ad166f8f31d68f2994b4f739a9b
SHA512727877929530e08062611868fd751d1b64e4c7d28c26b70f14c7cd942b1ae1579cba2a2ef038bad07032ef728ae277963ffb3e1ab7a5c28351326fabad84daa6
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize389KB
MD55e3252e0248b484e76fcdbf8b42a645d
SHA111ae92fd16ac87f6ab755911e85e263253c16516
SHA25601f464fbb9b0bfd0e16d4ad6c5de80f7aad0f126e084d7f41fef36be6ec2fc8e
SHA512540d6b3ca9c01e3e09673601514af701a41e7d024070de1257249c3c077ac53852bd04ab4ac928a38c9c84f423a6a3a89ab0676501a9edc28f95de83818fb699
-
Filesize
48KB
MD5bb0622688747597214b4c5be0a88cbf2
SHA171f74f4b9e39502e8a04950b2325e609f07f5d7e
SHA2568fc1cac39513e7c821465f6f43a9350a418466f8937909cdf3e0d55f7506bb7b
SHA512d3a1045a0e97bf1c99895a96758b718b010695b582245978c0bfa7b280ecf90e971fe698163fa16f6ecce9d1e01ab20e16101c96964dad20e148b005578125c1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Filesize196KB
MD55f782d0cb0f717ae9dfd1b4da1295f15
SHA1b33575e428e19940f0585c747e054ca70a12d454
SHA2560f233bd5fe96cf5f7efea0fa0634f98c37a3a095f72acc79a3544590bf228b43
SHA512e373be20e06f31f81a8c0368e8fbee0bd7e98095a6e1f85ecb8969a35caf32e22194e2448de9213bb86478f454e708363ea6ab990648422b57f057a0516959ed
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
Filesize55KB
MD5a739b889642ca9ce4ad3a37a3c521604
SHA118bcf6fd14c5aece67ae795a3c505a0c1a9d5175
SHA25644b96244b823052fb19509b1f9576488750c4edab61840af24b10c208b47fc92
SHA51292243e80fd77b9c3f9231c750935b34d9adcdc76e1a45a445c47888a1e98faca1c26f617459db0c1af4860a5172401f03e64039888e6f84726d2457cc550bae0
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config
Filesize9KB
MD59d1528a2ce17522f6de064ae2c2b608e
SHA12f1ce8b589e57ab300bb93dde176689689f75114
SHA25611c9ad150a0d6c391c96e2b7f8ad20e774bdd4e622fcdfbf4f36b6593a736311
SHA512a19b54ed24a2605691997d5293901b52b42f6af7d6f6fda20b9434c9243cc47870ec3ae2b72bdea0e615f4e98c09532cb3b87f20c4257163e782c7ab76245e94
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.880.update
Filesize9KB
MD514ffcf07375b3952bd3f2fe52bb63c14
SHA1ab2eadde4c614eb8f1f2cae09d989c5746796166
SHA2566ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed
SHA51214a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log
Filesize8KB
MD588492105286ac447615803d66201b486
SHA1c65b5d67a798038e7c8becc669d61729b97634ec
SHA2568ff745ffe1033874154491100150890f54e1ad1389a48ad6429ada477ed1809d
SHA512edf742db94f8ccffc67fdb7989ce806fee9fdce88811cd002659db5a5e23935c754020769a79ce5279cbfde5056d8724d45bcc172dc74f47cb915daa98bb010e
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe.ignore
Filesize2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize54KB
MD577c613ffadf1f4b2f50d31eeec83af30
SHA176a6bfd488e73630632cc7bd0c9f51d5d0b71b4c
SHA2562a0ead6e9f424cbc26ef8a27c1eed1a3d0e2df6419e7f5f10aa787377a28d7cf
SHA51229c8ae60d195d525650574933bad59b98cf8438d47f33edf80bbdf0c79b32d78f0c0febe69c9c98c156f52219ecd58d7e5e669ae39d912abe53638092ed8b6c3
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize72KB
MD5749c51599fbf82422791e0df1c1e841c
SHA1bba9a471e9300bcd4ebe3359d3f73b53067b781d
SHA256c176f54367f9de7272b24fd4173271fd00e26c2dbdbf944b42d7673a295a65e6
SHA512f0a5059b326446a7bd8f4c5b1ba5858d1affdc48603f6ce36355daeaab4ed3d1e853359a2440c69c5dee3d47e84f7bf38d7adf8707c277cd056f6ebca5942cc5
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize50KB
MD5c0f02eaa3eb28659d8f1bcba8de48479
SHA15be3c69e3f46daff4967484a09eb8c4a1f4a7f0f
SHA2566befb51a6639cae7e25570f5259f7b1f2d9b9b6539177d64d2ed8be50dde6268
SHA51247b536fa628608a58f6f382bbc99911eeff706becfaf4b1c5ff904ca768917f40c2e916ba5a31992df0335ba5a57755f047f70aafaac414fc655da0cd6f95e34
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Filesize32KB
MD5f531d3157e9ff57eea92db36c40e283e
SHA1d0e49925476af438875fa9b1ccfb9077fa371ecc
SHA25630aa4b3e85e20ada6fe045c7e93fee0d4642dcabd358a9987d7289c2c5582251
SHA51227d247ab93ef313ce06ff5c1deca4b0819b688839c46808a6be709c205c81b93562181926a36a45a7da9570baea3b3152b6673a3bcce0b9326c7d3599a3d63c8
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize54KB
MD5d11b2139d29e79d795054c3866898b7f
SHA1020581c77ed4bc01c3f3912f304a46c12ca443e6
SHA25611cdb5ec172389f93f80d8eff0b9e5d4a98cfeab6f2c0e0bc301a6895a747566
SHA512de5def2efcba83a4b9301dd342391c306cf68d0bb64104839dfc329b343544fd40597a2b9867fd2a8739c63081d74157acfc9b59c0cb4878b2f5155f582a6f09
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
214B
MD51d5bb68dcef4a84b6967b4399524734b
SHA178c45782f4794f01c9a2eeeb85caa79955a662ef
SHA256e92f50544d88c7bff7c5134c4bacedea19a04c0f8fd7b86b388102a616444023
SHA512221ee64c121db8a0a20a783d26164ad43bfccb04ebc0e0f11842f1785701b5d14e28f956799de0dc4bb314b17b486b0aa616d0c4bc7f79f699f75eb6eed6aaa8
-
Filesize
9KB
MD51ef7574bc4d8b6034935d99ad884f15b
SHA1110709ab33f893737f4b0567f9495ac60c37667c
SHA2560814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize
10KB
MD5f512536173e386121b3ebd22aac41a4e
SHA174ae133215345beaebb7a95f969f34a40dda922a
SHA256a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA5121efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
92KB
MD51ed3ba4568ccd052b28109123a3a2196
SHA11639e8dd5ee78b493d708b7b261288c731190a8b
SHA256e18421a57eb3acc1d50b40a21c1668121ca5fc8065f6da4f465cd9fec43905d7
SHA512d55b8640056c1cc89268658c63cbbf50069f54591d4a80416c2df4142c7bb3d033a0ecce342102b66995f45bbaec24da8685263760006ed16f635bf5b68dce9b
-
Filesize
287B
MD5fcad4da5d24f95ebf38031673ddbcdb8
SHA13f68c81b47e6b4aebd08100c97de739c98f57deb
SHA2567e1def23e5ab80fea0688c3f9dbe81c0ab4ec9e7bdbcc0a4f9cd413832755e63
SHA5121694957720b7a2137f5c96874b1eb814725bdba1f60b0106073fa921da00038a532764ec9a5501b6ffb9904ee485ce42ff2a61c41f88b5ff9b0afde93d6f7f3d
-
Filesize
7KB
MD5362ce475f5d1e84641bad999c16727a0
SHA16b613c73acb58d259c6379bd820cca6f785cc812
SHA2561f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA5127630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
-
Filesize
1.9MB
MD5e0b94ce5d948f332b6bcb4661b73611b
SHA1a9272bd639ff5f25f44b3a31c5cb919f0d40c4d3
SHA256a27b758c00eab6777ac9571ef4fcdb80abaccbc4eb6fa5ff8e5ec33c08ffbc37
SHA51217b5df8ea6ccbb64839e5d223ed388a3bb54c0a7974e05e285361e36489d63f9e4a5f0da21cdf86c58dbe80903e8cb288817291dce4c7e98e8e8ce8a0b912b46
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.ini
Filesize13B
MD582f71b382e51cae212e670779dbdf14e
SHA1c764f353e7b76236468649989c39eaef3b97e701
SHA256b57642302dea3460bd78b6d9c62593939852c8526ba1779067d411e4dda3de17
SHA512c5687a7dbbd4c714181f1ecfe1810a48109a4d9d4e3e90e88da67fa3cb2736d5b3aa260b6680fa6a07faa66ccb59db05f9e8e345fd0dc50abb63cb83daaf0bff
-
Filesize
1.1MB
MD59a9b1fd85b5f1dcd568a521399a0d057
SHA134ed149b290a3a94260d889ba50cb286f1795fa6
SHA25688d5a5a4a1b56963d509989b9be1a914afe3e9ee25c2d786328df85da4a7820d
SHA5127c1259dddff406fdaadb236bf4c7dfb734c9da34fd7bad9994839772e298ebf3f19f02eb0655e773ba82702aa9175337ba4416c561dc2cb604d08e271cc74776
-
Filesize
375KB
MD53c93b399b417b0d6a232d386e65a8b46
SHA1bb26deae135f405229d6f76eb6faaeb9a3c45624
SHA25629bc4577588116cbfea928b2587db3d0d26254163095e7fbbcde6e86fd0022d7
SHA512a963f5cf2221436938f031b65079bea7c4bafbd48833a9e11cd9bdd1548d68ed968d9279299aa2adfc23311a6744d516cc50e6537aa45321e5653755ed56f149
-
Filesize
321KB
MD5d3901e62166e9c42864fe3062cb4d8d5
SHA1c9c19eec0fa04514f2f8b20f075d8f31b78bae70
SHA256dbc0e52e6de93a0567a61c7b1e86daa51fbef725a4a31eef4c9bbff86f43671c
SHA512ae33e57759e573773b9bb79944b09251f0dc4e07cdb8f373ec06963abfc1e6a6326df7f3b5fecf90bd2b060e3cb5a48b913b745cc853ac32d2558a8651c76111
-
Filesize
814KB
MD59b1f97a41bfb95f148868b49460d9d04
SHA1768031d5e877e347a249dfdeab7c725df941324b
SHA25609491858d849212847e4718d6cc8f2b1bc3caa671ceb165cf522290b960262e4
SHA5129c8929a78cb459f519ace48db494d710efd588a19a7dbea84f46d02563cc9615db8aa78a020f08eca6fa2b99473d15c8192a513b4df8073aef595040d8962ae4
-
Filesize
1KB
MD5c7406225f0c7a53b06931ea9919188a8
SHA1c2ac8ae1777d3c7b377c9a3dbfee31b713ccf46d
SHA256e7b0bcc2702df286b0ff8a8eeb03450180b0cf360d76fe3a79ed79259bb6fb60
SHA512d999e8159eb7f0cc5e8e0f728fd4c9cc000f27fa2eef48905d34185108cac3a2954644843da41aa1c62e89d37470b4dac4d859e9dcb30e5d76e6cf856959e868
-
Filesize
1.2MB
MD5e74d2a16da1ddb7f9c54f72b8a25897c
SHA132379af2dc1c1cb998dc81270b7d6be054f7c1a0
SHA256a0c2f9479b5e3da9d7a213ebc59f1dd983881f4fc47a646ffc0a191e07966f46
SHA51252b8de90dc9ca41388edc9ae637d5b4ce5c872538c87cc3e7d45edcf8eff78b0f5743ab4927490abda1cff38f2a19983b7ccc0fe3f854b0eacca9c9ce28eda75
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini
Filesize11B
MD55eda46a55c61b07029e7202f8cf1781c
SHA1862ee76fc1e20a9cc7bc1920309aa67de42f22d0
SHA25612bf7eb46cb4cb90fae054c798b8fd527f42a5efc8d7833bb4f68414e2383442
SHA5124cf17d20064be9475e45d5f46b4a3400cdb8180e5e375ecac8145d18b34c8fca24432a06aeec937f5bedc7c176f4ee29f4978530be20edbd7fed38966fe989d6
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini
Filesize12B
MD55796d1f96bb31a9d07f4db8ae9f0ddb3
SHA193012724e6cc0a298838aede678806e6c0c6517d
SHA256a90d255cce3b419641fa0b9ba74d4da464e0ce70638a9c2eba03d6b34fca1dc4
SHA512890112ddcb3b92b739c0dd06721efa81926ce3aab04c55cdadb8c4e6b7a28c9796f08f508249db189547dc4755804aa80cc8b104dd65c813a0450aad2cdda21c
-
Filesize
48KB
MD510c3db0f1db581816d0b9d66e1465175
SHA117d7d1f3cc78321b6fecc05a8881dcdd77598bd1
SHA25644212e71af43092a05d2e6dad945ad765cb96b9aad33571a2783f9f9c63ac21a
SHA5121c1438b3ee8b8aa72ad3db93a6fa5da936fdb4a61bea8f73bb97ecb171d40e3af135d2e0296d8948a52709a5edbf15b133b6ef454b172d4b25c4913f97372623
-
Filesize
48KB
MD543b8b49417883a65db80497104bc5e72
SHA13a1c01050d0e3b7ece984006363d1bc4b1a0666a
SHA256858249add5f3dbf7696a0a61875fdfb7f425fd5865d9206f0206a91683cef5ff
SHA512ea3bf5f4edd32705c83728e68f3504a5c2d866e05c20cfd69b5e02fb0687f292bca24d5fcdd41565d4ac00a8aa1e1c3cbf6cf334e3f2304c53dcaa828b17db43
-
Filesize
48KB
MD5f5dca09df1a2fcd22ab2951629b389e3
SHA1f912a8061e4d0dfe7c24b9c15913743791951b4b
SHA25662f5358fb0fa4218b99422bc65b454e19c9687b2f79463dda3a03e77e2a474c5
SHA512e581bddcd1203421d961159c6f59f82b54409a36e9ab35236c35637021df91bc0ac0d37d3a634de3027355f8957b64e3abdbd7a46c46a1f08c9b5ac5fed52121
-
Filesize
48KB
MD5d4d28e08bddc6693bcdfe3fb0a2ea13a
SHA17f8d567d9958bbdeb675f8cd671bbed616a8d85b
SHA2562bedaf72404f77d72ee8ae654993a897b3b65a9358f7734906849b9f3c9f8a97
SHA512fb659543ca3513ff21c41a27687fb49cedd6b78c8c5fefb72ee57b7ddfe4455a783e10bb3a155596e7c458b81dc657189a8b989b2eb0f081e0704337405f54e7
-
Filesize
48KB
MD59789dca2c8e9ad3fbad751dd9a4a5dcb
SHA14878cd819d62691cbb89fe0ad424fdeb527bec00
SHA25635f56eeb7af75697ffbb8397dc3e40896729938e0a47bc5a048e382c5dc9e550
SHA512b09e1081f9dd27e35499264af5b69e6e828f05646bcbab48d68dfff39ade4ca1812a830c747cb00930a005b6e114a450a5f815e1a5eb0a0af59a549a48e1ebb6
-
Filesize
2.8MB
MD591453d3e1e2bc9586cf5495073fb3cf7
SHA109cfa9dc27545fb600dd7a60e44258c511eb43c4
SHA2565d398c6ce0636eadd4b7f6920dbd6127388f698e9bc1a440cb7db3992acb6557
SHA512462d59453ed01d8ddf54e06319aaefc0ab5ef70ed7b0a45ffd4d3f049692044acf0dee3599173e58a4c281bc69af63d8b64f9586a1b2f04991adfa6747f19bdc
-
Filesize
2.9MB
MD5384d6da5c34ff401b18f0af41e3a2643
SHA13ddfbcf79e55904df77df2125f2112cfe7703eec
SHA2560699c4ccaa2f9e6768475f7fbd0dd93dab1a0a0dc8859e9ee8f8a48ad1075d7d
SHA5125b63245bedfc7260b27254a33f621a8b626a36c13c8f8ad516f51013bd6751770d37afdc1ff8f7646d9f972081acd24776314405cc397762a4f58d6dca0a7f32
-
Filesize
1.1MB
MD56c6f85e896655a6eb726482f04c49086
SHA12e0c55cd4894117428b34d21a1d53738fce4b02c
SHA256e109400a93fede90201bbf37c1868c789888bce9d03a4ae5b46c48599939c34e
SHA512b58303c149deffc9e374d5ba42a8a73b7ce890d35f9589fe0b09acec541a21d589d49fa5086b965277fa22dfe308357505124f13a6ff1e0de415ebc40ce61e15
-
Filesize
334KB
MD5b3e14504a48bed32c53ec7aab2cb2c8f
SHA10bc0d486a5ed1c4cdf2390229883ed3473926882
SHA256adea6001759b5604f60bbaec8ce536a1e189adebc7394f9cff3921cae40c8c9b
SHA512e5a5c09355eb9cb45dc872b59edbd54f62f15445ca6caaa3187e31e7928ef4453ae8405d9eee5d2aec4fa34965d3006dcf61c060b8691519a2312382612c683f
-
Filesize
646KB
MD57895698867d1ad33934a8553b4806dc5
SHA132704df55deaff9bf0b4ee0b887541856578938b
SHA256ef5854b5e800a534a08c083d4a3956dfc0a474ff540cae9bf0a9077a213b2ff9
SHA51220337093ddc5322c4b96c7bf26f1a0b966fafde70a96f7e9b5e9d36acac7d862bd2a50cae9a63731b23904a9256c94cd3bb4e19768130580511ec4c408536a58
-
Filesize
3.1MB
MD585e1898362165fc1315d18abb73c1b37
SHA1289a48ba5ee27c0134f75e243c55a90d32c11a05
SHA256d0594b261e16394244c64289dac00367fdc853a1a8e542e0e814a57494c5228a
SHA51249fdbef67c2a85b5d319c26e6e55456c94d294b836c946b9966c8746fb33de4ede62b93ba91ad657df4db24fdb3ee1de7395652ae1086c876b7d0b85000d594a
-
Filesize
569KB
MD59614d1da18956de06747c03068208d66
SHA1fea2680ddb9e4ceea8489a132df9a1542febfe88
SHA256dde9e0ca3fd274902f1a4c22cfec6870c6c4dbbccad17d2189477ab60f769dab
SHA512d8e46a5819e9dced61471966646de153bf3480933054c50190d50de4900685265367b12c9147630f184ce8809786fc010bf6fcd1884035fb4c77cfde660a8b9d
-
Filesize
16KB
MD5b2e89027a140a89b6e3eb4e504e93d96
SHA1f3b1b34874b73ae3032decb97ef96a53a654228f
SHA2565f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982
SHA51293fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19
-
Filesize
809B
MD58b6737800745d3b99886d013b3392ac3
SHA1bb94da3f294922d9e8d31879f2d145586a182e19
SHA25686f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594
SHA512654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df
-
Filesize
7KB
MD56507970040b38a3192a8744692b7d401
SHA1d941ae92e8d8f2c37f205cbe53a9fdd418b57632
SHA256de96fb12fe458fabd542e10895a1b1f5aaca774920378f34d5f47e75d6076c71
SHA512d2bf400a82060c272c40d6732fff1a488bb0736c521c3fd67bb5aac4684b6773d42d1f777b5ac6cb8e191d74a382fd96e58d95d7740f72de8bf6153ef4912873
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD5646afabf478eda786a8d5e0dee389b34
SHA1eac4daeba634957d051073a55e3b9a7c80991cba
SHA256ccb28545fc0777dc459b1e9c1b1eae508ffd640c399b8b93de03dee6ab1e9903
SHA5125b0770ce768d8aad0e5031bbc73c00a4ebbda78a43a77a20b7a4acc49acdd985e08f3b6bc631b25dde7e45edd81d51acd35a8f03ddd250f67deb8f613708ac94
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD598ba296b37c9c78c48d34c777950ab64
SHA1ba86dca09404b8990bf7e13d610d1a38e691d781
SHA2566281cdb569e64fc90164523b3ec2c07ab9132813210ea66abdfc66ac185c1c54
SHA51260112d95c7388ed9b9702b7aae668fc91324c1ca119e356b52bec90c0c35890b6a7ebe93adfc2f23d360bae42802ab6334337b30aaf35ed9ed31d59faeffc474
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5719b49661d0a10c36a9271d9507c808a
SHA17260d87a2df3f93d46aa430db45c7cc46c46de57
SHA2563d2935f485ba86c0baa174e3b0a0f116af7ccdd1442905d007ea96de1f27dc10
SHA512a53a4cfe3f12340737c015b40e08c7e3225d9561e91a6ed259a7c8151e67c5588c8864381504506a0deb06f1d4f766a35d264fa7996928056cadd2956d783b24
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD5e9625dbb2bfc027ad992e741b516f582
SHA186cbb0cbe0ff5b0bb89b69792c9eb717d8d28ebb
SHA2569f63fcdcc11979451c483df7de589a5f49e690268d19f945f825b178009eb3ed
SHA5124815757dae8f5c6e26e7bbe2d92846e05685466189904281937f679c72a1704303e90d1b860be407cd880bc40fb67d5f4d6929a66c76ddd124fcd7887a94abca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD59b396862a74f17424034b49decdd73ca
SHA188f0f4868876c1535f53f52d86313da7716cd1c2
SHA25633f81ac4b379b70f2a391efd46f5d7703b3e5edd35dca2c5096725b22e479dbf
SHA512b2640debba6b8120a99066aec04fb4da5f4579f8e982ae81ada7f38d01ab18c43d57db84486e2b5b8e9573fcbc2afb0dd8093525cf36f4992d3061016bebaa75
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD54ca8598f07b178285cd3d12d319ab480
SHA1f55b6e8fd22f3ced75add6a6f9e10bfe67a84593
SHA2562766ef67b88e662ee06aa3a8c10602862212dc37a72d95cb3674eb9ba9827c31
SHA51221d17d403abf21553d45f4d28be01bd553dd3f4147a520eee506f2adb23973a4ca6c4c88dcfc13638815d83756431ffd504173c6883ed69b00e5a44e94051905
-
Filesize
651B
MD59bbfe11735bac43a2ed1be18d0655fe2
SHA161141928bb248fd6e9cd5084a9db05a9b980fb3a
SHA256549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74
SHA512a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483
-
Filesize
4.5MB
MD52207f96731ce2f9d9327c0baaf4959ef
SHA1f56ea992c59ad669ec8ee5d6a827adc472159cc0
SHA256e4ceddd5c37c90f8fc7787663a9bed31518fba82413e80b21230425e380c42db
SHA5127e4bd781f879b593f722277839175aa895c863b2015d691c85c8eec4fe635d233cd94d2b0dce46cd058f08a005caa73888809df414983ff2a4c938770ef71fd4
-
Filesize
60KB
MD5878e361c41c05c0519bfc72c7d6e141c
SHA1432ef61862d3c7a95ab42df36a7caf27d08dc98f
SHA25624de61b5cab2e3495fe8d817fb6e80094662846f976cf38997987270f8bbae40
SHA51259a7cbb9224ee28a0f3d88e5f0c518b248768ff0013189c954a3012463e5c0ba63a7297497131c9c0306332646af935dd3a1acf0d3e4e449351c28ec9f1be1fa
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.9MB
MD5c5d6f1dbaaa149c1037f2e88d824a759
SHA146facb96e7a2332c44e412cc8aca7d2b9aca497a
SHA256e6d41a5c8b4ee4d298da209f75f5ff678bfec84d8ac4a4dbf11d17e6b6aa7007
SHA5125edf7f578c5cedd6cbd12f8904019a52a85ac819b2d87eb47e2300a0e95fd891a220b32790587eec6c93b4a0c88a0f554301e17bca2c78801fbb55381ad3c7e0
-
Filesize
602B
MD51948dbffff23e8bc2761478b37546bd9
SHA1afff950b54a043fb404cbaa4fd40b043ed96dd8a
SHA25644bd3227abfc12c3579eb89d7817908ddbe0fbbfad15319d509af01223d6ebf6
SHA512abd6a47cd9279bd631673326800faa1608b832e667137d9a9729b4f0735578759e6935a78a981c2835cb22849f156a1140e11f696374213f3b98923f0835f42f
-
Filesize
4KB
MD55d9e99c4c89f1d11aa4fecfdaab14a41
SHA157454eee0fff27619a6d1f779a68dde822528a54
SHA256b7e2be001a8688081cceae37f6cb84261825d19daf21c27ec9a9fa1ad08030f4
SHA51226e8e0f586ce98c57262eea91a77255632671907dcac39100c59dbfd2932ade36efe72dcd2011bb6f57727e39a7732df65a21eb531f2d50b822c4bf83060bc47
-
Filesize
708B
MD5c40c0600e978845d7a82f57bc9abb217
SHA1cd76f55f5a6874bf8383c9b5817161e4ac363625
SHA25654f08e6a708ac067272a0c19e948549274d58cf501d5f02343d42a5280490d18
SHA512a10ac76de3aa0e068f9574c740e84985fcd7087ce34e339faab2b55bb4412d3f5a3aa9141fd562573a88242e25ce2b57b534698c3f0ea4b18db15956a9924fce
-
Filesize
2KB
MD5a14aa4db8cb24316b5a76cade068c293
SHA13bb5cf956be1ba75d2c34da06ecd887f1af7c372
SHA256520aebdc5f74ed96c99eb4cb73b4143b4c94a017bc0556e100f728246372fa8d
SHA5129f33ff5aedafe576a5c68b6fa854e37897c23b9305c366be08fab19b6a53e428baeb58340e4257185f657d23d290059447d04522db109831513c0b24750d205c
-
Filesize
2KB
MD52f8b95cc346b476b813a1c6d9d030d4e
SHA1fb3634250ddc7471410efe9eeb1ab1585cfd3f2b
SHA256e47a5086890cdd08466e043a9d336771d55fa6ba6236f9525c436857136cfb8c
SHA5120ac2dc39bb93307a986d5ef28faefc00b5ebd7d52fb08123ca68fcfe104953ae7332eb40cc75657a53b50f8baccc41397cb6d2c3a4889ef08252db47dd7f0244
-
Filesize
4KB
MD5888eefd8d580fda9bf3049aff8c9cc9b
SHA12b2c27b9a8697d8deb00fd660448c397a6a55a21
SHA256c020f72c8aea805e69ce224271a170d062ecadaf34917350b1ca9bd0ef846bd4
SHA512753743d40ea064f381325dd41f27661590761dd46f63ebda2877445deccc2d80800b3d3da0e431292093cfa4ef4816e1805130326cda76034e4334759e6d10b6
-
Filesize
3.2MB
MD5a7ce785b6cd1c9657040ca9b6cbeed10
SHA14b254fee47cc8a9eaec6ce7b714a2ce05b6ed8ec
SHA2567ba6e401b8e78ab28e1ccf38d2cd05e12751f960661e159b4e35bc63d3544b4d
SHA51239202f477017daa9428a0c1bbe1daae30aa1b7b9f57b04832c44a7b28af0144ff47edfc1ad3d6a940ad1c49471dfe190077b594c337bacc115c552d91a24c2d9
-
Filesize
571B
MD538370175ce7d8dd5c3581030a9104259
SHA1bbc1b4254c3e3da692c2667b4c5092d687ad8dc9
SHA256ee90ca3f30aa75fe1c3b095ddd2b24680bd3b081829094c18d9c78ebed206b83
SHA512e11494869b04a2206d3dda67411be294106f6363408399d9363b27720c6fe88fd393ae90fc2ab7cd4909e940e98f273c8869532b65a1f0b0f4b8b18a24589748
-
Filesize
182KB
MD537a2c4ef0ff41955f1cb884b7790699f
SHA18e7dad0bc6ae65dfaec9fc29d0ef6e260dd83e9d
SHA2566b629fdf1520ba40bb0d7bc8d9a7bb231624fd190e03bcacc607f248222b3c63
SHA512fb3a109395872e6f116a75b39566f4b9efe0486512620deb33ef83ac0ac3165d96dbefbe3023ece1d3d0d6be7c8eb8abb58da90f01f225e1ed2d4add2b544d42
-
Filesize
179KB
MD57a1c100df8065815dc34c05abc0c13de
SHA13c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize
345KB
MD50376dd5b7e37985ea50e693dc212094c
SHA102859394164c33924907b85ab0aaddc628c31bf1
SHA256c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415
SHA51269d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5
-
Filesize
427KB
MD585315ad538fa5af8162f1cd2fce1c99d
SHA131c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA25670735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize
1.8MB
MD5befe2ef369d12f83c72c5f2f7069dd87
SHA1b89c7f6da1241ed98015dc347e70322832bcbe50
SHA2569652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD57910b26d97bed5d0ce4d7766ad891536
SHA1a1cdb94adac1ea92624ae66ec0ab1eb26361af1c
SHA256793967fc984183d18865aa9da675be5b8530c367a827fb2d8ae56971e5c12b8a
SHA51250e6decebce2920347287ce70c1f1323e51f011f5b9cf64de00baf3079ab30cf9ab6dfa08fac052d61c883ab3dafd4935975dba3ff1b1c215b16ed3d0212d802
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD5c0a68452ea1ea90fc60911e1179d7f74
SHA1eb425ddf27995e1f806ad5e636695c3b962b3061
SHA2564337d06e96ecc384975b510cb4ab3c56ca31c9477751558414af6bdd52f5fd44
SHA51202edb47f2d018612c74eacf2d6bc7f1b1e0fbe7b14275186fe7bfc47c5c0adc810f2b56e4772b82ae90ee8bdb14799e8c2767f8ee4eba0b51dc5076cfae7bb84