Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-11-2024 12:27
Static task
static1
Behavioral task
behavioral1
Sample
f065892060e9e58460c920516e4c7257c265bf8b532e9782d5d73146ee936c72.msi
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
f065892060e9e58460c920516e4c7257c265bf8b532e9782d5d73146ee936c72.msi
Resource
win10v2004-20241007-en
General
-
Target
f065892060e9e58460c920516e4c7257c265bf8b532e9782d5d73146ee936c72.msi
-
Size
2.6MB
-
MD5
055047fe65e1d28dd3bb2e53a9bbcf31
-
SHA1
126af029786aae23fb19e4ab3b71d50a04880393
-
SHA256
f065892060e9e58460c920516e4c7257c265bf8b532e9782d5d73146ee936c72
-
SHA512
94da78ac9c85e16e628872ba1d318db1733bb917711836df73b30b5d9825d6f04db5418c094220a20886ecd892e5721238ab47e1ca7b7674c163fa35a91c0ddf
-
SSDEEP
49152:sBRNlatz55q6jzoz//stPEqQpTIQW8MQ6M97ouRUbFFOV47S9gonUI:MRNlap55qAczWgW9MxcFFOV42+
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Blocklisted process makes network request 5 IoCs
Processes:
msiexec.exeMsiExec.exerundll32.exerundll32.exeflow pid Process 4 1636 msiexec.exe 7 1636 msiexec.exe 79 4828 MsiExec.exe 119 4236 rundll32.exe 145 2684 rundll32.exe -
Drops file in Drivers directory 6 IoCs
Processes:
DrvInst.exeDrvInst.exedescription ioc Process File created C:\Windows\System32\drivers\UMDF\SET284E.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\UMDF\lci_iddcx.dll DrvInst.exe File opened for modification C:\Windows\System32\drivers\SET27D1.tmp DrvInst.exe File created C:\Windows\System32\drivers\SET27D1.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\lci_proxywddm.sys DrvInst.exe File opened for modification C:\Windows\System32\drivers\UMDF\SET284E.tmp DrvInst.exe -
Downloads MZ/PE file
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
AgentPackageMonitoring.exeAgentPackageMonitoring.exedescription ioc Process File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe -
Drops file in System32 directory 64 IoCs
Processes:
MsiExec.exeAgentPackageInternalPoller.exeDrvInst.exeDrvInst.exerundll32.exeDrvInst.exeAteraAgent.exeAteraAgent.exeAgentPackageRuntimeInstaller.exeAgentPackageProgramManagement.exeAteraAgent.exeAgentPackageHeartbeat.exeAteraAgent.exeSRManager.exeAgentPackageTicketing.exeAgentPackageMonitoring.exeAgentPackageSTRemote.exeAgentPackageADRemote.exeAgentPackageMarketplace.exeAgentPackageAgentInformation.exedescription ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log AgentPackageInternalPoller.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{61f8c23a-12f9-f84e-bfea-394ea3024d64}\SET2552.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\x64\SET26BA.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\lci_proxywddm.PNF rundll32.exe File opened for modification C:\Windows\System32\lci_proxyumd.dll DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log AgentPackageRuntimeInstaller.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log AgentPackageProgramManagement.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{61f8c23a-12f9-f84e-bfea-394ea3024d64}\lci_iddcx.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_iddcx.inf_amd64_b68cf383a51d03e9\lci_iddcx.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\lci_proxywddm.inf DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log AgentPackageHeartbeat.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log AteraAgent.exe File created C:\Windows\System32\DriverStore\Temp\{61f8c23a-12f9-f84e-bfea-394ea3024d64}\SET2552.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\x64\SET26B8.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\x64\SET26B9.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\SysWow64\lci_proxyumd32.dll DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB SRManager.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{61f8c23a-12f9-f84e-bfea-394ea3024d64}\x64\SET2551.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{61f8c23a-12f9-f84e-bfea-394ea3024d64}\SET2562.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxywddm.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc} DrvInst.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTicketing.exe.log AgentPackageTicketing.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log AgentPackageMonitoring.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log AgentPackageSTRemote.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\x64 DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log AgentPackageADRemote.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{61f8c23a-12f9-f84e-bfea-394ea3024d64} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxyumd.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_iddcx.inf_amd64_b68cf383a51d03e9\lci_iddcx.inf DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File opened for modification C:\Windows\SysWow64\SET27E3.tmp DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\x64\lci_proxyumd32.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\x64\SET26B9.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\SET26BB.tmp DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache MsiExec.exe File opened for modification C:\Windows\system32\SRCredentialProvider.dll MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log AgentPackageMarketplace.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_iddcx.inf_amd64_b68cf383a51d03e9\x64\lci_iddcx.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{61f8c23a-12f9-f84e-bfea-394ea3024d64}\x64 DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\x64\lci_proxyumd.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{d62b0373-bda9-354b-be7d-4ab1241bcbbc}\lci_proxywddm.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxyumd32.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\lci_proxywddm.cat DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log AgentPackageAgentInformation.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Processes:
resource yara_rule behavioral2/memory/4508-1054-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/4508-1053-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/5964-1071-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/5964-1072-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/6088-1121-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/6088-1120-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/4508-1696-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/4508-1695-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/4508-1904-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/4508-1903-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/5964-1997-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/5964-1998-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/4508-2108-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/4508-2109-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/5964-2147-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/5964-2148-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/6088-2380-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/6088-2379-0x00000000725B0000-0x00000000726CC000-memory.dmp upx behavioral2/memory/6088-3072-0x00000000721E0000-0x00000000725AD000-memory.dmp upx behavioral2/memory/6088-3071-0x00000000725B0000-0x00000000726CC000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
Processes:
msiexec.exeAteraAgent.exeAgentPackageProgramManagement.exeAteraAgent.exeAteraAgent.exeAgentPackageInternalPoller.exeAgentPackageAgentInformation.exeAgentPackageInternalPoller.exedescription ioc Process File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd64.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\installWin7.bat msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Memory.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log AgentPackageProgramManagement.exe File created C:\Program Files\ATERA Networks\AteraAgent\Pubnub.dll msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.TypeConverter.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.ValueTuple.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\avutil-55.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.CompilerServices.VisualC.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUpdate.exe msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Runtime.CompilerServices.Unsafe.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Runtime.CompilerServices.Unsafe.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.InteropServices.RuntimeInformation.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\7z.exe AgentPackageProgramManagement.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\DIFxCmd.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_unmount.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\XDColMan.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Console.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\servers.cfg.bak AgentPackageInternalPoller.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\uninstall_driver64.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\install.bat msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch AgentPackageAgentInformation.exe File created C:\Program Files\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\LastSyncDevicesTime.txt AgentPackageInternalPoller.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\stdpms.sys msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\http.cfg.bak AgentPackageInternalPoller.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\driver\mv2.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.inf msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnup.gpd msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\plugin\SRAppED.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\Atera.AgentPackages.CommonLib.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Http.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Numerics.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.sys msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x86\SRCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Data.Common.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\System.Buffers.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\clist.exe.ignore AgentPackageProgramManagement.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cup.exe AgentPackageProgramManagement.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\http.cfg.bak AgentPackageInternalPoller.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\CommunityToolkit.WinUI.Notifications.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe.config AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Extensions.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\IdleTimeFinder.exe.config AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyPath.ps1 AgentPackageProgramManagement.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-Vsix.ps1 AgentPackageProgramManagement.exe -
Drops file in Windows directory 64 IoCs
Processes:
DrvInst.exemsiexec.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exesvchost.exeDrvInst.exerundll32.exeDrvInst.exedescription ioc Process File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSI1C01.tmp msiexec.exe File created C:\Windows\Installer\e58128b.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI5CB4.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID26C.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE097.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFC60.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI462.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI1325.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\e581292.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI462.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI1325.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI1325.tmp-\AlphaControlAgentInstallationDialog.dll rundll32.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e58128c.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID26C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID607.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\INF\setupapi.dev.log rundll32.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\e581290.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI9E87.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA86C.tmp msiexec.exe File opened for modification C:\Windows\Installer\e581292.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID077.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID607.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID607.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID26C.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID607.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI5D52.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI8774.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA3A9.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4} msiexec.exe File opened for modification C:\Windows\Installer\MSI1325.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI7AFE.tmp msiexec.exe File opened for modification C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSID077.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIFC40.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIFE94.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI1BF0.tmp msiexec.exe File opened for modification C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSI462.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI462.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\inf\oem4.inf DrvInst.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\e58128c.msi msiexec.exe File created C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678} msiexec.exe File opened for modification C:\Windows\Installer\MSID077.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID077.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIE144.tmp msiexec.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File created C:\Windows\Installer\e581289.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSID077.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID26C.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\e5812a0.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSI8706.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID077.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID26C.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIFDD8.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI462.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File created C:\Windows\Installer\SourceHash{CBA43497-7E9E-482E-9EAA-627F0559FF83} msiexec.exe -
Executes dropped EXE 64 IoCs
Processes:
AteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAgentPackageAgentInformation.exeAteraAgent.exeAgentPackageAgentInformation.exeAgentPackageSTRemote.exeAgentPackageMonitoring.exeSplashtopStreamer.exePreVerCheck.exe_is5F61.exe_is5F61.exe_is5F61.exe_is5F61.exe_is5F61.exe_is5F61.exe_is5F61.exe_is5F61.exe_is5F61.exe_is5F61.exe_is7183.exe_is7183.exe_is7183.exe_is7183.exe_is7183.exe_is7183.exe_is7183.exe_is7183.exe_is7183.exe_is7183.exe_is8867.exe_is8867.exe_is8867.exe_is8867.exe_is8867.exe_is8867.exe_is8867.exe_is8867.exe_is8867.exe_is8867.exeSetupUtil.exeSetupUtil.exeSetupUtil.exeSRSelfSignCertUtil.exe_is9F0E.exe_is9F0E.exe_is9F0E.exe_is9F0E.exe_is9F0E.exe_is9F0E.exe_is9F0E.exe_is9F0E.exe_is9F0E.exe_is9F0E.exeSRService.exe_isA410.exe_isA410.exe_isA410.exe_isA410.exe_isA410.exe_isA410.exe_isA410.exe_isA410.exepid Process 1076 AteraAgent.exe 4868 AteraAgent.exe 2676 AgentPackageAgentInformation.exe 4488 AgentPackageAgentInformation.exe 3332 AgentPackageAgentInformation.exe 228 AteraAgent.exe 5004 AgentPackageAgentInformation.exe 940 AgentPackageSTRemote.exe 5028 AgentPackageMonitoring.exe 2396 SplashtopStreamer.exe 1392 PreVerCheck.exe 5176 _is5F61.exe 5224 _is5F61.exe 5256 _is5F61.exe 5288 _is5F61.exe 5328 _is5F61.exe 5416 _is5F61.exe 5448 _is5F61.exe 5492 _is5F61.exe 5528 _is5F61.exe 5560 _is5F61.exe 5464 _is7183.exe 5200 _is7183.exe 2976 _is7183.exe 4720 _is7183.exe 1376 _is7183.exe 5528 _is7183.exe 5560 _is7183.exe 5668 _is7183.exe 5636 _is7183.exe 5756 _is7183.exe 6072 _is8867.exe 6028 _is8867.exe 6136 _is8867.exe 3840 _is8867.exe 2232 _is8867.exe 5212 _is8867.exe 5276 _is8867.exe 5300 _is8867.exe 5224 _is8867.exe 5424 _is8867.exe 5480 SetupUtil.exe 4128 SetupUtil.exe 5620 SetupUtil.exe 1920 SRSelfSignCertUtil.exe 4112 _is9F0E.exe 5964 _is9F0E.exe 6084 _is9F0E.exe 6056 _is9F0E.exe 6028 _is9F0E.exe 5140 _is9F0E.exe 5184 _is9F0E.exe 6016 _is9F0E.exe 2784 _is9F0E.exe 5256 _is9F0E.exe 5104 SRService.exe 5364 _isA410.exe 5484 _isA410.exe 4580 _isA410.exe 2976 _isA410.exe 1516 _isA410.exe 5544 _isA410.exe 5596 _isA410.exe 5612 _isA410.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exepid Process 3840 sc.exe 5096 sc.exe 5992 sc.exe 5192 sc.exe 1508 sc.exe -
Loads dropped DLL 64 IoCs
Processes:
MsiExec.exerundll32.exeAgentPackageMonitoring.exeMsiExec.exeSRManager.exeSRServer.exeSRAgent.exeSRFeature.exeSRUtility.exeAgentPackageMonitoring.exeMsiExec.exerundll32.exerundll32.exepid Process 2232 MsiExec.exe 1516 rundll32.exe 1516 rundll32.exe 1516 rundll32.exe 1516 rundll32.exe 1516 rundll32.exe 2232 MsiExec.exe 5028 AgentPackageMonitoring.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4828 MsiExec.exe 4508 SRManager.exe 4828 MsiExec.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 6088 SRServer.exe 6088 SRServer.exe 5964 SRAgent.exe 4508 SRManager.exe 4508 SRManager.exe 5964 SRAgent.exe 5964 SRAgent.exe 5964 SRAgent.exe 6088 SRServer.exe 6088 SRServer.exe 6088 SRServer.exe 3644 SRFeature.exe 3644 SRFeature.exe 3644 SRFeature.exe 3644 SRFeature.exe 3644 SRFeature.exe 2556 SRUtility.exe 2556 SRUtility.exe 2556 SRUtility.exe 5004 AgentPackageMonitoring.exe 5780 MsiExec.exe 5644 rundll32.exe 5644 rundll32.exe 5644 rundll32.exe 5644 rundll32.exe 5644 rundll32.exe 5780 MsiExec.exe 4236 rundll32.exe 4236 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 50 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
taskkill.exetaskkill.exetaskkill.exeSRServer.exenet1.exeTaskKill.exerundll32.execmd.exeSRService.exeSRFeature.exeSRAgent.exeMsiExec.exeSplashtopStreamer.exeMsiExec.execmd.exetaskkill.execmd.execmd.exeSRUtility.execmd.exetaskkill.exeSetupUtil.exeSRService.exeMsiExec.exeNET.execmd.exetaskkill.exeSetupUtil.exeSRSelfSignCertUtil.exeSRManager.exeSRUtility.exeSRUtility.exerundll32.execmd.execmd.execmd.exeSetupUtil.exeSRService.exeSRAppPB.exerundll32.exeSRVirtualDisplay.exemsiexec.exetaskkill.execmd.exetaskkill.exerundll32.exerundll32.exePreVerCheck.exetaskkill.exetaskkill.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRFeature.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashtopStreamer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRSelfSignCertUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAppPB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRVirtualDisplay.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PreVerCheck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe -
System Time Discovery 1 TTPs 4 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
Processes:
cmd.exedotnet.execmd.exedotnet.exepid Process 1920 cmd.exe 3600 dotnet.exe 2916 cmd.exe 1776 dotnet.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
DrvInst.exerundll32.exeDrvInst.exeDrvInst.exevssvc.exesvchost.exeDrvInst.exedescription ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters DrvInst.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DrvInst.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Filters DrvInst.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe -
Kills process with taskkill 12 IoCs
Processes:
taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exeTaskKill.exepid Process 5656 taskkill.exe 5820 taskkill.exe 5904 taskkill.exe 5188 taskkill.exe 5300 taskkill.exe 5672 taskkill.exe 5740 taskkill.exe 5988 taskkill.exe 6064 taskkill.exe 6136 taskkill.exe 2232 taskkill.exe 5728 TaskKill.exe -
Modifies data under HKEY_USERS 64 IoCs
Processes:
AteraAgent.exerundll32.exeDrvInst.execscript.exeAteraAgent.exeAteraAgent.exeDrvInst.execscript.exeMsiExec.exeAteraAgent.exeSetupUtil.exeAgentPackageMarketplace.execscript.exeSRManager.exeAgentPackageMonitoring.exemsiexec.exeSplashtopStreamer.exeAteraAgent.exerundll32.exeAgentPackageAgentInformation.exeSRVirtualDisplay.exedescription ioc Process Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs MsiExec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" SetupUtil.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageMarketplace.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" AgentPackageMonitoring.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ SplashtopStreamer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs cscript.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000\Owner = 1c0c0000c53a0b87d931db01 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ SRVirtualDisplay.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" SRVirtualDisplay.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ SetupUtil.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe -
Modifies registry class 64 IoCs
Processes:
msiexec.exeMsiExec.exeSRService.exeAgentPackageTicketing.exeAgentPackageTicketing.exedescription ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net\1 = "C:\\Windows\\TEMP\\unpack\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\ = "URL:st-streamer Protocol" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" SRService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF1292B61C97FBE4184B6C604D5EEB4F msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductName = "Splashtop Streamer" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\FF1292B61C97FBE4184B6C604D5EEB4F msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\ProductName = "AteraAgent" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\Version = "17301507" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\SourceList\Media msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} SRService.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open\command AgentPackageTicketing.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\ = "URL:ait Protocol" AgentPackageTicketing.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\PackageName = "setup.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon\ = "C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe,1" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\DefaultIcon MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\URL Protocol AgentPackageTicketing.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\SourceList msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\URL Protocol MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\ = "URL:ait Protocol" AgentPackageTicketing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open\command\ = "\"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe\" \"%1\"" AgentPackageTicketing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\SourceList\Net msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF1292B61C97FBE4184B6C604D5EEB4F\INSTALLFOLDER_files_Feature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\PackageName = "ateraAgentSetup64_1_8_7_2.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\79434ABCE9E7E284E9AA26F75095FF38 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Media msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "C:\\Windows\\system32\\SRCredentialProvider.dll" SRService.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\79434ABCE9E7E284E9AA26F75095FF38 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe -a %1" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon\ = "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe,1" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687\Server msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\ProductName = "AteraAgent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\PackageCode = "F2E9E119D83B20D41A84E594CFD99834" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\79434ABCE9E7E284E9AA26F75095FF38 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32 SRService.exe -
Processes:
AteraAgent.execscript.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F cscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba cscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f7e00000001000000080000000080c82b6886d7017f000000010000000c000000300a06082b060105050703031d000000010000001000000052135310639a10f77f886b229b9f7afc1400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf2119183620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab553000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d0020004700320000000f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa42000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exeAteraAgent.exeAgentPackageSTRemote.exeSetupUtil.exeSRSelfSignCertUtil.exeSRService.exeSRManager.exeSRAgent.exeSRAppPB.exeSRServer.exepid Process 3100 msiexec.exe 3100 msiexec.exe 4868 AteraAgent.exe 4868 AteraAgent.exe 4868 AteraAgent.exe 4868 AteraAgent.exe 4868 AteraAgent.exe 940 AgentPackageSTRemote.exe 940 AgentPackageSTRemote.exe 5620 SetupUtil.exe 5620 SetupUtil.exe 5620 SetupUtil.exe 5620 SetupUtil.exe 1920 SRSelfSignCertUtil.exe 1920 SRSelfSignCertUtil.exe 5812 SRService.exe 5812 SRService.exe 4508 SRManager.exe 4508 SRManager.exe 5812 SRService.exe 5812 SRService.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 5964 SRAgent.exe 5964 SRAgent.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 6052 SRAppPB.exe 6052 SRAppPB.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 4508 SRManager.exe 5812 SRService.exe 5812 SRService.exe 4508 SRManager.exe 4508 SRManager.exe 6088 SRServer.exe 6088 SRServer.exe 6052 SRAppPB.exe 6052 SRAppPB.exe 6088 SRServer.exe 6088 SRServer.exe 6088 SRServer.exe -
Suspicious behavior: LoadsDriver 1 IoCs
Processes:
pid 4 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid Process Token: SeShutdownPrivilege 1636 msiexec.exe Token: SeIncreaseQuotaPrivilege 1636 msiexec.exe Token: SeSecurityPrivilege 3100 msiexec.exe Token: SeCreateTokenPrivilege 1636 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1636 msiexec.exe Token: SeLockMemoryPrivilege 1636 msiexec.exe Token: SeIncreaseQuotaPrivilege 1636 msiexec.exe Token: SeMachineAccountPrivilege 1636 msiexec.exe Token: SeTcbPrivilege 1636 msiexec.exe Token: SeSecurityPrivilege 1636 msiexec.exe Token: SeTakeOwnershipPrivilege 1636 msiexec.exe Token: SeLoadDriverPrivilege 1636 msiexec.exe Token: SeSystemProfilePrivilege 1636 msiexec.exe Token: SeSystemtimePrivilege 1636 msiexec.exe Token: SeProfSingleProcessPrivilege 1636 msiexec.exe Token: SeIncBasePriorityPrivilege 1636 msiexec.exe Token: SeCreatePagefilePrivilege 1636 msiexec.exe Token: SeCreatePermanentPrivilege 1636 msiexec.exe Token: SeBackupPrivilege 1636 msiexec.exe Token: SeRestorePrivilege 1636 msiexec.exe Token: SeShutdownPrivilege 1636 msiexec.exe Token: SeDebugPrivilege 1636 msiexec.exe Token: SeAuditPrivilege 1636 msiexec.exe Token: SeSystemEnvironmentPrivilege 1636 msiexec.exe Token: SeChangeNotifyPrivilege 1636 msiexec.exe Token: SeRemoteShutdownPrivilege 1636 msiexec.exe Token: SeUndockPrivilege 1636 msiexec.exe Token: SeSyncAgentPrivilege 1636 msiexec.exe Token: SeEnableDelegationPrivilege 1636 msiexec.exe Token: SeManageVolumePrivilege 1636 msiexec.exe Token: SeImpersonatePrivilege 1636 msiexec.exe Token: SeCreateGlobalPrivilege 1636 msiexec.exe Token: SeBackupPrivilege 1796 vssvc.exe Token: SeRestorePrivilege 1796 vssvc.exe Token: SeAuditPrivilege 1796 vssvc.exe Token: SeBackupPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe Token: SeTakeOwnershipPrivilege 3100 msiexec.exe Token: SeRestorePrivilege 3100 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid Process 1636 msiexec.exe 1636 msiexec.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
Processes:
SplashtopStreamer.exeSRServer.exeSRAppPB.exeSRVirtualDisplay.exepid Process 2396 SplashtopStreamer.exe 6088 SRServer.exe 6088 SRServer.exe 6052 SRAppPB.exe 6052 SRAppPB.exe 5468 SRVirtualDisplay.exe 5468 SRVirtualDisplay.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
msiexec.exeMsiExec.exeAteraAgent.exeAteraAgent.exeAgentPackageAgentInformation.execmd.exeAgentPackageSTRemote.exeSplashtopStreamer.exePreVerCheck.exeMsiExec.exedescription pid Process procid_target PID 3100 wrote to memory of 4364 3100 msiexec.exe 103 PID 3100 wrote to memory of 4364 3100 msiexec.exe 103 PID 3100 wrote to memory of 2232 3100 msiexec.exe 105 PID 3100 wrote to memory of 2232 3100 msiexec.exe 105 PID 3100 wrote to memory of 2232 3100 msiexec.exe 105 PID 2232 wrote to memory of 1516 2232 MsiExec.exe 106 PID 2232 wrote to memory of 1516 2232 MsiExec.exe 106 PID 2232 wrote to memory of 1516 2232 MsiExec.exe 106 PID 3100 wrote to memory of 1076 3100 msiexec.exe 107 PID 3100 wrote to memory of 1076 3100 msiexec.exe 107 PID 4868 wrote to memory of 1508 4868 AteraAgent.exe 110 PID 4868 wrote to memory of 1508 4868 AteraAgent.exe 110 PID 4868 wrote to memory of 2676 4868 AteraAgent.exe 113 PID 4868 wrote to memory of 2676 4868 AteraAgent.exe 113 PID 4868 wrote to memory of 4488 4868 AteraAgent.exe 116 PID 4868 wrote to memory of 4488 4868 AteraAgent.exe 116 PID 4868 wrote to memory of 3332 4868 AteraAgent.exe 118 PID 4868 wrote to memory of 3332 4868 AteraAgent.exe 118 PID 4868 wrote to memory of 5004 4868 AteraAgent.exe 122 PID 4868 wrote to memory of 5004 4868 AteraAgent.exe 122 PID 228 wrote to memory of 3840 228 AteraAgent.exe 125 PID 228 wrote to memory of 3840 228 AteraAgent.exe 125 PID 4868 wrote to memory of 940 4868 AteraAgent.exe 124 PID 4868 wrote to memory of 940 4868 AteraAgent.exe 124 PID 4868 wrote to memory of 5028 4868 AteraAgent.exe 129 PID 4868 wrote to memory of 5028 4868 AteraAgent.exe 129 PID 5004 wrote to memory of 3288 5004 AgentPackageAgentInformation.exe 131 PID 5004 wrote to memory of 3288 5004 AgentPackageAgentInformation.exe 131 PID 3288 wrote to memory of 2412 3288 cmd.exe 133 PID 3288 wrote to memory of 2412 3288 cmd.exe 133 PID 940 wrote to memory of 2396 940 AgentPackageSTRemote.exe 137 PID 940 wrote to memory of 2396 940 AgentPackageSTRemote.exe 137 PID 940 wrote to memory of 2396 940 AgentPackageSTRemote.exe 137 PID 2396 wrote to memory of 1392 2396 SplashtopStreamer.exe 138 PID 2396 wrote to memory of 1392 2396 SplashtopStreamer.exe 138 PID 2396 wrote to memory of 1392 2396 SplashtopStreamer.exe 138 PID 1392 wrote to memory of 3604 1392 PreVerCheck.exe 139 PID 1392 wrote to memory of 3604 1392 PreVerCheck.exe 139 PID 1392 wrote to memory of 3604 1392 PreVerCheck.exe 139 PID 3100 wrote to memory of 4828 3100 msiexec.exe 140 PID 3100 wrote to memory of 4828 3100 msiexec.exe 140 PID 3100 wrote to memory of 4828 3100 msiexec.exe 140 PID 4828 wrote to memory of 5176 4828 MsiExec.exe 143 PID 4828 wrote to memory of 5176 4828 MsiExec.exe 143 PID 4828 wrote to memory of 5224 4828 MsiExec.exe 182 PID 4828 wrote to memory of 5224 4828 MsiExec.exe 182 PID 4828 wrote to memory of 5256 4828 MsiExec.exe 146 PID 4828 wrote to memory of 5256 4828 MsiExec.exe 146 PID 4828 wrote to memory of 5288 4828 MsiExec.exe 147 PID 4828 wrote to memory of 5288 4828 MsiExec.exe 147 PID 4828 wrote to memory of 5328 4828 MsiExec.exe 148 PID 4828 wrote to memory of 5328 4828 MsiExec.exe 148 PID 4828 wrote to memory of 5416 4828 MsiExec.exe 149 PID 4828 wrote to memory of 5416 4828 MsiExec.exe 149 PID 4828 wrote to memory of 5448 4828 MsiExec.exe 150 PID 4828 wrote to memory of 5448 4828 MsiExec.exe 150 PID 4828 wrote to memory of 5492 4828 MsiExec.exe 151 PID 4828 wrote to memory of 5492 4828 MsiExec.exe 151 PID 4828 wrote to memory of 5528 4828 MsiExec.exe 152 PID 4828 wrote to memory of 5528 4828 MsiExec.exe 152 PID 4828 wrote to memory of 5560 4828 MsiExec.exe 153 PID 4828 wrote to memory of 5560 4828 MsiExec.exe 153 PID 4828 wrote to memory of 5604 4828 MsiExec.exe 154 PID 4828 wrote to memory of 5604 4828 MsiExec.exe 154 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f065892060e9e58460c920516e4c7257c265bf8b532e9782d5d73146ee936c72.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1636
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3100 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4364
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 255AAD0E4CFD73B2DB7D00628B9BF6D82⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI1325.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240653343 2 AlphaControlAgentInstallationDialog!AlphaControlAgentInstallationDialog.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1516
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="4" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId=""2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1076
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F7578A6F89F32861DDFBDB0AADA9FC04 E Global\MSI00002⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4828 -
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{780B913C-02B2-4331-B0B4-9238CCE39CF9}3⤵
- Executes dropped EXE
PID:5176
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5793354C-EAF4-4A93-A09C-6A1DF9FC2F2E}3⤵
- Executes dropped EXE
PID:5224
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5CBC7C1A-F805-4F4B-AE18-83D82B317A60}3⤵
- Executes dropped EXE
PID:5256
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2BA7BB16-7117-4449-BDD7-61647048286D}3⤵
- Executes dropped EXE
PID:5288
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{79851274-6B2E-4727-AFC0-7D7188DB25CF}3⤵
- Executes dropped EXE
PID:5328
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A73BA58B-AD43-4144-8ACD-FE953B178D7D}3⤵
- Executes dropped EXE
PID:5416
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2F9D98B-1492-4765-B67B-9E075AA00D4B}3⤵
- Executes dropped EXE
PID:5448
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C4C3258-380D-4F61-8CC5-0351AB7E2268}3⤵
- Executes dropped EXE
PID:5492
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9DE27299-8869-44A8-B1AF-86D6693CE487}3⤵
- Executes dropped EXE
PID:5528
-
-
C:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exeC:\Windows\TEMP\{EE690F3D-977C-4A2A-9959-9A114E493A90}\_is5F61.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{61848100-146B-403E-A069-A7D32C18D0E7}3⤵
- Executes dropped EXE
PID:5560
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5604 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRServer.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5656
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5688 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRApp.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5740
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5768 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5820
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5852 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5904
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5936 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5988
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:6020 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6064
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:6092 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:6136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:3320 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2232
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:1772 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAudioChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5188
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:5248 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:5224
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRVirtualDisplay.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5300
-
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9EC222DE-898F-477B-A6A0-B1BDDC2C654B}3⤵
- Executes dropped EXE
PID:5464
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{46246606-EF32-45D8-89D6-447E46D272A8}3⤵
- Executes dropped EXE
PID:5200
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{507E001F-CCB4-4A35-B7AD-ADEBA3E387A0}3⤵
- Executes dropped EXE
PID:2976
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{238DDF01-9DA8-49BC-86E1-7D68ADD87451}3⤵
- Executes dropped EXE
PID:4720
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA5047D0-3887-4F86-ADD5-65EA54FFE1F7}3⤵
- Executes dropped EXE
PID:1376
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4A1007B6-427D-4F7D-980A-CA7F4F141405}3⤵
- Executes dropped EXE
PID:5528
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91BB9DFE-038F-4ABB-87C1-970C68849937}3⤵
- Executes dropped EXE
PID:5560
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1BFEDC48-4643-4559-A0A9-BE653EE07B30}3⤵
- Executes dropped EXE
PID:5668
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4BDEFA85-D6A6-4FDE-807F-623108219526}3⤵
- Executes dropped EXE
PID:5636
-
-
C:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exeC:\Windows\TEMP\{4F0C614E-0341-49FE-82C9-68BE41014E7B}\_is7183.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FFBCCE10-DF8A-496A-A99E-FB7E238A3594}3⤵
- Executes dropped EXE
PID:5756
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A8E30BE4-30A0-4FB7-B2CF-5927827469FA}3⤵
- Executes dropped EXE
PID:6072
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9BA5E38A-2F83-4E8D-A49D-9A3D99312E45}3⤵
- Executes dropped EXE
PID:6028
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B08E72C1-5D14-4188-8B8F-4EA6B1E1115A}3⤵
- Executes dropped EXE
PID:6136
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F45A9061-2ADF-44DD-B926-10D437B656DC}3⤵
- Executes dropped EXE
PID:3840
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CB800FC3-2098-4BCE-ABF8-5C4174B47628}3⤵
- Executes dropped EXE
PID:2232
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AC105185-4EE6-459B-BB03-DA8793C5DC93}3⤵
- Executes dropped EXE
PID:5212
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BEC7C3BC-22AF-4701-B003-3BAE0861A3DB}3⤵
- Executes dropped EXE
PID:5276
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0D85235D-6DB1-4509-979E-7BC78AE51294}3⤵
- Executes dropped EXE
PID:5300
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E0238C6E-8945-43E3-A242-FE38FEFBD486}3⤵
- Executes dropped EXE
PID:5224
-
-
C:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exeC:\Windows\TEMP\{E2C80CA5-D085-4067-9B93-11549C6E1525}\_is8867.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8477E5AB-3F37-45A6-A761-B304DC22B5BB}3⤵
- Executes dropped EXE
PID:5424
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5480
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4128
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5620 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:5668
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:5976
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1920
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AD5EE09C-F611-4A34-A791-2F96D70D6874}3⤵
- Executes dropped EXE
PID:4112
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{35F933B5-214F-47F8-BCE0-C66DA8895B28}3⤵
- Executes dropped EXE
PID:5964
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5CF7CF2-3F9E-4BF8-9674-826F45B381B6}3⤵
- Executes dropped EXE
PID:6084
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A556A169-AEE0-4E27-8350-62C02ECBD49B}3⤵
- Executes dropped EXE
PID:6056
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{444CDFFD-252A-421B-83EF-B1EEF5E7E730}3⤵
- Executes dropped EXE
PID:6028
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{840867C8-4B92-4B76-A699-6C2BB2103059}3⤵
- Executes dropped EXE
PID:5140
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8FAC427B-1A6F-435C-BBA6-73D5F12D4358}3⤵
- Executes dropped EXE
PID:5184
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AFEFA06D-FCAE-47CC-BE87-58F285F6E51F}3⤵
- Executes dropped EXE
PID:6016
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{233BA58F-329E-4B20-B08A-B8A30BE87074}3⤵
- Executes dropped EXE
PID:2784
-
-
C:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exeC:\Windows\TEMP\{A0991835-4AF3-4837-B163-94A230A034B9}\_is9F0E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8DEC5C36-B227-4FD5-A4F6-7A5B8785D356}3⤵
- Executes dropped EXE
PID:5256
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5104
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4756C6C-86E7-488E-B0C7-5FF6D28C2D4D}3⤵
- Executes dropped EXE
PID:5364
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7F56C9E4-4AFE-40A7-896A-010A1391918B}3⤵
- Executes dropped EXE
PID:5484
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{99ABC0A6-C6BB-44BE-B5F5-9A2DCE446F07}3⤵
- Executes dropped EXE
PID:4580
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00CEE12F-BD5A-41BE-B42B-163091157377}3⤵
- Executes dropped EXE
PID:2976
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9BDD322-284B-4576-B5C4-B8F4EBA97BB3}3⤵
- Executes dropped EXE
PID:1516
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3A36C411-3846-49EC-9FF8-EBFE9621C7F2}3⤵
- Executes dropped EXE
PID:5544
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0376D02A-B8C2-4FF2-BBEB-F4D531C79B86}3⤵
- Executes dropped EXE
PID:5596
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D63905AB-EB93-44B6-9324-AF1F76FE62BA}3⤵
- Executes dropped EXE
PID:5612
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3BD54284-0B9F-496B-B4FA-ED2C903FB58C}3⤵PID:2684
-
-
C:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exeC:\Windows\TEMP\{3FF5E0A2-3495-48AA-B5E5-27339966B86E}\_isA410.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E4650DAE-CA04-4417-91B5-C7F8E35807D4}3⤵PID:5704
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r3⤵
- System Location Discovery: System Language Discovery
PID:5784
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7F9B6216702C89913521466E236CD053 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5780 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID077.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240701796 439 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:5644
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID26C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240702046 443 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4236
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID607.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240702984 448 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5776
-
-
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:5188 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:2580
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5728
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI462.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240714828 476 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2684
-
-
-
C:\Windows\system32\NET.exeNET STOP AteraAgent2⤵PID:5072
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 STOP AteraAgent3⤵PID:216
-
-
-
C:\Windows\system32\taskkill.exetaskkill /f /im AteraAgent.exe2⤵
- Kills process with taskkill
PID:5672
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u2⤵
- Drops file in System32 directory
PID:5052
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="" /AgentId="6dd3fa4d-1bad-489d-a490-fedabe15ec0e"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4420
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1796
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4868 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:1508
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "7fbe50a7-192c-47fe-9804-68c9b3393926" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:2676
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "dd4c055c-5c35-4aeb-8f00-7f97f144a32d" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"2⤵
- Executes dropped EXE
PID:4488
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "e0c86c9d-f467-455b-ac67-8cbea9cf9f13" agent-api.atera.com/Production 443 or8ixLi90Mf "identified"2⤵
- Executes dropped EXE
PID:3332
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "b9238f76-f001-4920-8940-d46a8ee894fe" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:5004 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:3288 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:2412
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "954fe380-fe94-4405-b710-41cc7f1f4f0d" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0="2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:940 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵
- System Location Discovery: System Language Discovery
PID:3604
-
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "3cbb20f3-fbef-4bc2-bc13-e191793e6fdd" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:5028
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:228 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:3840
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "9e182a13-064e-4d6f-97ba-b81759e6b6ee" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo"2⤵
- Drops file in Program Files directory
PID:5488 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:3016
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:5080
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "882f5855-715e-461b-ab98-912f08eb2b37" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates"2⤵PID:5760
-
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart3⤵PID:876
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "a5eadcc6-3b9d-4923-ba90-ff493bdfe528" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded"2⤵PID:5848
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=d53a732f7e632d7b39f50f90927dc8e1&rmm_session_pwd_ttl=86400"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2556
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "9dd812db-c06c-48bf-9f4e-1b3c330edd45" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain"2⤵
- Drops file in System32 directory
- Modifies registry class
PID:1620
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "6e3eac87-9857-42ab-95d6-76c67fbcc567" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat"2⤵
- Drops file in System32 directory
PID:5892
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "92b052ed-702d-487a-b212-5c9215562a0a" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5516
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "411e38b5-8f56-448f-a3d0-e8e76f7a5e51" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ=="2⤵
- Drops file in System32 directory
PID:4572
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "8d4d3e26-5058-42fc-8cf7-55e1badd9c2f" agent-api.atera.com/Production 443 or8ixLi90Mf "probe"2⤵PID:5544
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "17110bc5-688e-49d7-9d4f-e69d2b50153e" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:3528
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "a43f5ccc-07c3-433a-9ef7-8df42b5e9809" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2680 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵PID:4360
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "ef8accdb-d5a3-4f60-9a28-dfbbb85e7d2d" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjM1IiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU4OTc4Y2ViLTVkZTMtNDllMi1iNTcxLTk3MjgyNWIwOGYwYS9mMWJkOWIxYmI1YjI1YjhjOWNlZTQwZWQ5YTNkODAyMy9kb3RuZXQtcnVudGltZS02LjAuMzUtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yNjkyMDY2NC1kNzU0LTRmNzYtOWM5OS1lNjkxMTYzNDhlODIvYTQwMzE1MzcxY2M2MDdjOWYxODQ3OGM5M2YyYTY3NmEvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2EyMjNjNDViLTQ3NzctNDA1Ni1hZWEyLTY1M2M1NzZkODExNS9iZjhhZjYzYzZlNjI1YmU0YWZhODVlYzA5M2U4MWU2NS9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9jNGY2NTYyMS1iMzZiLTQ2YTktODM4MC1kNWI2NjBiZWYyN2UvMDE4NWZkNzIwNTVkY2RjYTg2MTY2Yjk5YWRkNzE2ODYvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E5MGZiNWRjLWY0ODgtNDAwZS04NWNhLTg0M2ExMzY0MGY1Ni80ODNkMjQ2MzhjYzJiZWRhZGRhYjQzNzM0YWEyZTQ0Ny9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlVlSmJHR0dWb2NwZmdpckU2eDVNN29MQzhBS2NOSjk4SDNFcmJ0L0taS0dPdWxpQ1Flc1x1MDAyQmx6Wno5XHUwMDJCcnQwdXJMZ2FEeng0cmtXZm0veWg5UWI1RFRKUT09IiwiTWFjWDY0Q2hlY2tzdW0iOiJaZFZQVmRFSG40ZXFkdlNPUksxRUpXcjdnOUt5b0RZSXp6czQzOUxKeHYvZkFRdG5iTjk3OE8yTm1pNGtRSFNkdlJJazEvNFx1MDAyQjlycTZPMEx2Q2FnL1d3PT0iLCJXaW5BUk1DaGVja3N1bSI6IldlTGhodXU3Vi96NEs2WGVubDBINDVWWDExb0ZhdHdvV1BNa2pEQ2dobmhrTm5US2tqZjc0eUFcdTAwMkJcdTAwMkJ0Ri9VU1ZDZXE2T2dRbHI2V1Y1dU1rRWwxUVdqUT09IiwiV2luWDY0Q2hlY2tzdW0iOiJEREtSSlRFanp6XHUwMDJCSWUxMldTM2Y0aHVKQlNpeXR4TkRwQlI2SXpFeHpkM2ZBb0toNVV5MkEwbTlKOFU0ZVh5VmJxeEhjZzB3M25hWW1FZFNFeEwzMEZnPT0iLCJXaW5YODZDaGVja3N1bSI6IjdtSUF5bG9IeWxIVFVJakhud3NXeVVOXHUwMDJCVWU0alk3eXBrZVx1MDAyQnEyM2xNbEdzR0hpVUc1b21scW1LOVEvYVViODhLXHUwMDJCTnBGMWNaUVpXQjVJb3ZtTzVucWN3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9"2⤵
- Drops file in System32 directory
PID:4108 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:1920 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:3600
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "73518d6a-8a08-492d-9e2e-4a0d43e734b9" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates"2⤵PID:5280
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "c6bd9641-aad2-4d27-8bda-91e1c17d3ca1" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ=="2⤵PID:2288
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "6a691292-a69a-4201-af97-e475793ddee7" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor"2⤵
- Writes to the Master Boot Record (MBR)
- Loads dropped DLL
- Modifies data under HKEY_USERS
PID:5004
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5812 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:4508 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h -t3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6088
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5964 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v4⤵PID:3144
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:6052
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3644 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵
- System Location Discovery: System Language Discovery
PID:4360
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"3⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5468 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat" nosetkey4⤵PID:3984
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver5⤵PID:5384
-
-
C:\Windows\system32\sc.exesc query ddmgr5⤵
- Launches sc.exe
PID:5992
-
-
C:\Windows\system32\sc.exesc query lci_proxykmd5⤵
- Launches sc.exe
PID:5192
-
-
C:\Windows\system32\rundll32.exerundll32 x64\my_setup.dll do_install_lci_proxywddm5⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4060
-
-
-
-
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -Embedding1⤵PID:1516
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2784 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:5096
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "48d9f57a-d360-46e9-b86d-f436144d3512" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 0013z00002pMd9hAAC2⤵PID:3840
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:3604
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:5804
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "7d99e435-2766-4705-b679-10897e9b5dcd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 0013z00002pMd9hAAC2⤵PID:5832
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "21ffed2e-54b4-4fe1-ac15-206c84d2b000" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 0013z00002pMd9hAAC2⤵PID:5828
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "54d0960f-cf8b-46de-9c4f-fb587262ff85" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 0013z00002pMd9hAAC2⤵
- Drops file in Program Files directory
PID:1592
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "79cc8d03-4464-41e5-9d6b-cd6ed5e98893" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 0013z00002pMd9hAAC2⤵PID:372
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "429082b1-b3ad-416c-bdab-97eec81944b7" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 0013z00002pMd9hAAC2⤵PID:5340
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "1cbd0fd7-74f0-484b-9a98-22872adbf90f" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 0013z00002pMd9hAAC2⤵PID:1812
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "02404627-6107-4d97-9d57-36f3e68562ff" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 0013z00002pMd9hAAC2⤵PID:4232
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=d53a732f7e632d7b39f50f90927dc8e1&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:5552
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "51cd98b0-fd34-4eed-baa9-822f7a4087e9" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 0013z00002pMd9hAAC2⤵PID:4664
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "bb02492f-a1e1-453f-a161-ea1e9bf4f3ec" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiNi4wLjM1IiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU4OTc4Y2ViLTVkZTMtNDllMi1iNTcxLTk3MjgyNWIwOGYwYS9mMWJkOWIxYmI1YjI1YjhjOWNlZTQwZWQ5YTNkODAyMy9kb3RuZXQtcnVudGltZS02LjAuMzUtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8yNjkyMDY2NC1kNzU0LTRmNzYtOWM5OS1lNjkxMTYzNDhlODIvYTQwMzE1MzcxY2M2MDdjOWYxODQ3OGM5M2YyYTY3NmEvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2EyMjNjNDViLTQ3NzctNDA1Ni1hZWEyLTY1M2M1NzZkODExNS9iZjhhZjYzYzZlNjI1YmU0YWZhODVlYzA5M2U4MWU2NS9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci9jNGY2NTYyMS1iMzZiLTQ2YTktODM4MC1kNWI2NjBiZWYyN2UvMDE4NWZkNzIwNTVkY2RjYTg2MTY2Yjk5YWRkNzE2ODYvZG90bmV0LXJ1bnRpbWUtNi4wLjM1LXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E5MGZiNWRjLWY0ODgtNDAwZS04NWNhLTg0M2ExMzY0MGY1Ni80ODNkMjQ2MzhjYzJiZWRhZGRhYjQzNzM0YWEyZTQ0Ny9kb3RuZXQtcnVudGltZS02LjAuMzUtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6IlVlSmJHR0dWb2NwZmdpckU2eDVNN29MQzhBS2NOSjk4SDNFcmJ0L0taS0dPdWxpQ1Flc1x1MDAyQmx6Wno5XHUwMDJCcnQwdXJMZ2FEeng0cmtXZm0veWg5UWI1RFRKUT09IiwiTWFjWDY0Q2hlY2tzdW0iOiJaZFZQVmRFSG40ZXFkdlNPUksxRUpXcjdnOUt5b0RZSXp6czQzOUxKeHYvZkFRdG5iTjk3OE8yTm1pNGtRSFNkdlJJazEvNFx1MDAyQjlycTZPMEx2Q2FnL1d3PT0iLCJXaW5BUk1DaGVja3N1bSI6IldlTGhodXU3Vi96NEs2WGVubDBINDVWWDExb0ZhdHdvV1BNa2pEQ2dobmhrTm5US2tqZjc0eUFcdTAwMkJcdTAwMkJ0Ri9VU1ZDZXE2T2dRbHI2V1Y1dU1rRWwxUVdqUT09IiwiV2luWDY0Q2hlY2tzdW0iOiJEREtSSlRFanp6XHUwMDJCSWUxMldTM2Y0aHVKQlNpeXR4TkRwQlI2SXpFeHpkM2ZBb0toNVV5MkEwbTlKOFU0ZVh5VmJxeEhjZzB3M25hWW1FZFNFeEwzMEZnPT0iLCJXaW5YODZDaGVja3N1bSI6IjdtSUF5bG9IeWxIVFVJakhud3NXeVVOXHUwMDJCVWU0alk3eXBrZVx1MDAyQnEyM2xNbEdzR0hpVUc1b21scW1LOVEvYVViODhLXHUwMDJCTnBGMWNaUVpXQjVJb3ZtTzVucWN3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 0013z00002pMd9hAAC2⤵PID:5924
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:2916 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:1776
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "14ae9b4e-e8b7-45ae-add2-6efb94631378" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 0013z00002pMd9hAAC2⤵
- Writes to the Master Boot Record (MBR)
PID:5384
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "3ba3263e-1f76-429b-9ba6-1720257ed7b3" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 0013z00002pMd9hAAC2⤵PID:3388
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "0c724d85-4fdb-41ee-b78d-6e0ac6db4965" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 0013z00002pMd9hAAC2⤵
- Modifies registry class
PID:1812
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 0b1e6948-366c-4ca8-9346-3deb276ac81b "e89735b1-d9fa-4319-829e-8686040cc3a3" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 0013z00002pMd9hAAC2⤵PID:5280
-
C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "0b1e6948-366c-4ca8-9346-3deb276ac81b" "e89735b1-d9fa-4319-829e-8686040cc3a3" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates" "0013z00002pMd9hAAC"3⤵PID:5528
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5752 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf" "9" "4804066df" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:3840
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10\lci_proxywddm.inf" "9" "4a8a251e7" "000000000000016C" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5276
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c276d4b8d1e66062:lci_proxywddm.Install:1.0.2018.1204:root\lci_proxywddm," "4a8a251e7" "000000000000016C"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:2856
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "0" "LCI\IDDCX\1&79f5d87&0&WHO_CARE" "" "" "48ef22a9f" "0000000000000000"2⤵
- Drops file in Drivers directory
- Checks SCSI registry key(s)
PID:5544
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Defense Evasion
Modify Registry
1Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD51de0641c549ab9996f4e365fa6ddc1bd
SHA13bd7618c9bf5c016d66e9d809391dfb47262303f
SHA256ac5ab2a481eed560c5d7ebb4d04f78a3b1549bc814eb918fcbdd5d601111a0d9
SHA51248a52fa9d0fdc3bde05df0d925376af8e54743d450724eb0daf7d828bc8c1a5e155a8559b21526c2a5132419979b690915ebe9a869147bd8604f612906825a34
-
Filesize
74KB
MD5fe2b0cf5853269b3680ff458af277bb4
SHA18afe653cc0940763927fca8874b7ff69d3fea570
SHA2565cee505b3a365016cb3b6f3fb3cb15b9961491fc34bd531ed210b8746f024a47
SHA512b741ea9d852cadac5dfd73cfadcdb95aff8f601e957c7f8fa9998913e5a0d27f11c61a4c71ad6ea496d724ee2327cb6c3b909284ba746e977cf59619a0ca2add
-
Filesize
464B
MD5cb827bd023acf6d6938d2cbe229f9a8a
SHA11dd4ac65726b82fa2c4117977a8c6a42e4b9ccab
SHA256f19d56c6c96097b3d1b37a970b5e96b80a7f4bb0d41b80dbe4b4e7031637f3cc
SHA512bf36b0f969e34cc8de468ea3501764076e6f8eb46e7a462395b9c0b41d9302e05ed09d99966b92c0450fa7bf2ede72ddda857be7e3b5bf54021810dccf9cd6ae
-
Filesize
9KB
MD56e59d3bd2610624bb16cab71ad0982d8
SHA1108f4e9ffc317024a9f0b05a9dc8e59ec274efc2
SHA25608bbb1198ed6fdd1935f3c7c300af2d0fda644f2422b5cce677b0b7c0e5b990f
SHA512acb72856e3eabe3bfb46c7f3b86857fa6b10802de6e08ca3aee15c73b6161ae8dc4155a47ee9523874787f9a1a3c2a63564cf985888f339954e954e8c51663a6
-
Filesize
8KB
MD558fa32f11dc8d01b0983a8eaea4f8107
SHA1ef0e02a13bafa21bf4acb1366bd595452a3c4b76
SHA256fe19caaf4baf096f56e83d2af9b1aea1bae8c628c234c075c7161fd49dc18868
SHA512c44efc6f629b810017df752c49663a0acc08e38a6560b169ef2f7239d7cb9899f669889240aa43b8304895feb3623b61e61a12b0a7abab3f6258afd1b666e6eb
-
Filesize
1KB
MD53840b31c383fdf49bfd6740d945c9032
SHA1a6f50164a69718bcef4664d7c47534f0d721866a
SHA2561f119f4fda8028b420e70ee1637c65e2b4198b41eb3eb44d911afa6f1a0bbc64
SHA512f5315421d4bc5f08fef4e1449e5799ddf311f08eda317a9eaad8c88c2e7b7c26182bd586c0221ffe5f4112e5d6e05f5d45d2d0382b0ed51ca25aa94d4d95a84d
-
Filesize
138KB
MD58dd350bb44e45c0b89d0c2cea8e1fd9f
SHA1298ccacd3f218f8d98709a43df09acc82178cbf2
SHA256127fde9b3c238f66232d0f0db1d3ff62d2c46d16f50aa92073d26977f36f463a
SHA512ec8c638a8c616c7fa7989585cd5c577c3bff88801789c5b975e016ec888c0d2a1d3f492d12bbb3618ee93c79c80dc1f666ed9e21ffe595dd7b2f3c9f601e03c0
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
209KB
MD5b322ca965d1571b468b8c49d387d7f84
SHA1cc1c2fd52c081e36c2b01f05fb2995d0807fcb19
SHA256e45af7598efae14255851cf7d23c669af1a0e89fffa64e4e12c59960542ad0da
SHA51250cfb1240491efe00760c37150f2f8a7dc6769f58fbeccc811eea9574917f383c510af3bce181efe7515e417fc211314aad48326a296f6c1093ca23ff76c9318
-
Filesize
693KB
MD5fdde119bd5c37341879e1bd1bfce033a
SHA1e7228d4dd8a2a0fa7d60f50f68e32560932c3a6a
SHA2569a7f775a3d2569ee6a830a7814f1b6068613153b14bc5515ea7644dd51e5972e
SHA5128f91ae407ae1998d86e2edadf9b871e31f8b46b24f7285d17e6f221c33ed19623cbb16f4b73f94dde860dd47ad122f38cba7f5810350b049f79d89c417f53ab8
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Filesize157KB
MD5242d415e238789fbc57c5ac7e8ca5d02
SHA109c1e25e035be67c9fbfa23b336e26bfd2c76d04
SHA2567f3ded5bf167553a5a09ca8a9d80a451eb71ccecc043bda1dd8080a2cbe35fa2
SHA512ac55d401951ecf0112051db033cc9014e824ab6a5ed9ea129a8793408d9bf2446cb3c15711e59a8577e0f60d858a4639e99e38d6232315f0f39df2c40217ea40
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Filesize51KB
MD53180c705182447f4bcc7ce8e2820b25d
SHA1ad6486557819a33d3f29b18d92b43b11707aae6e
SHA2565b536eda4bff1fdb5b1db4987e66da88c6c0e1d919777623344cd064d5c9ba22
SHA512228149e1915d8375aa93a0aff8c5a1d3417df41b46f5a6d9a7052715dbb93e1e0a034a63f0faad98d4067bcfe86edb5eb1ddf750c341607d33931526c784eb35
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD5dc63026e80d2bb04f71e41916f807e33
SHA16cda386d2c365f94ea3de41e2390fd916622eb51
SHA2563b54d00f00aa80384de88e4f4005e9d4d889a2ccf64b56e0c29d274352495c85
SHA51261da550efd55187978872f5d8e88164a6181a11c8a720684eaa737e0846fe20b9e82b73e1f689a6585834b84c4cee8dd949af43e76fd0158f6cafa704ab25183
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize173KB
MD531def444e6135301ea3c38a985341837
SHA1f135be75c721af2d5291cb463cbc22a32467084a
SHA25636704967877e4117405bde5ec30beaf31e7492166714f3ffb2ceb262bf2fb571
SHA512bd654388202cb5090c860a7229950b1184620746f4c584ab864eade831168bc7fae0b5e59b90165b1a9e4ba2bd154f235749718ae2df35d3dd10403092185ed1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Filesize94KB
MD59d8b5941ea5b905e8197a175ef2b15a9
SHA186a078e94b5578ec4125f50f78c8518a8ce1d086
SHA256c6f05b647dbadc15ab97d31790fc8ace054986ec33e9178feead4235ad15cb0d
SHA512fab5fe82873862ce8ed1a427482093cca307f6663e9f6497fdc244ce461312872d419ff274cdca0c496414c28681901f335c9911b95d2a7c112d30e32d74e498
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize688KB
MD5ba66874c510645c1fb5fe74f85b32e98
SHA1e33c7e6991a25cc40d9e0dcc260b5a27f4a34e6c
SHA25612d64550cb536a067d8afff42864836f6d41566e18f46d3ca92cb68726bdd4e9
SHA51244e8caa916ab98da36af02b84ac944fbf0a65c80b0adbdc1a087f8ed3eff71c750fb6116f2c12034f9f9b429d6915db8f88511b79507cc4d063bab40c4eaa568
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize27KB
MD5797c9554ec56fd72ebb3f6f6bef67fb5
SHA140af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb
SHA2567138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49
SHA5124f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize214KB
MD501807774f043028ec29982a62fa75941
SHA1afc25cf6a7a90f908c0a77f2519744f75b3140d4
SHA2569d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e
SHA51233bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize37KB
MD5efb4712c8713cb05eb7fe7d87a83a55a
SHA1c94d106bba77aecf88540807da89349b50ea5ae7
SHA25630271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75
SHA5123594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8
-
Filesize
3.4MB
MD5e010d1f614b1a830482d3df4ba056f24
SHA15873e22b8c51a808c06a3bbf425fcf02b2a80328
SHA25698a98dd1df25d31a01d47eaf4fa65d5f88bc0ad166f8f31d68f2994b4f739a9b
SHA512727877929530e08062611868fd751d1b64e4c7d28c26b70f14c7cd942b1ae1579cba2a2ef038bad07032ef728ae277963ffb3e1ab7a5c28351326fabad84daa6
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.INI
Filesize12B
MD55796d1f96bb31a9d07f4db8ae9f0ddb3
SHA193012724e6cc0a298838aede678806e6c0c6517d
SHA256a90d255cce3b419641fa0b9ba74d4da464e0ce70638a9c2eba03d6b34fca1dc4
SHA512890112ddcb3b92b739c0dd06721efa81926ce3aab04c55cdadb8c4e6b7a28c9796f08f508249db189547dc4755804aa80cc8b104dd65c813a0450aad2cdda21c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize389KB
MD55e3252e0248b484e76fcdbf8b42a645d
SHA111ae92fd16ac87f6ab755911e85e263253c16516
SHA25601f464fbb9b0bfd0e16d4ad6c5de80f7aad0f126e084d7f41fef36be6ec2fc8e
SHA512540d6b3ca9c01e3e09673601514af701a41e7d024070de1257249c3c077ac53852bd04ab4ac928a38c9c84f423a6a3a89ab0676501a9edc28f95de83818fb699
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe.config
Filesize1KB
MD5c6ecf24757926eba64e674bff8b747d1
SHA13a46083826c20e8e085c42bbfdfeef4f9e2b90d9
SHA256c3ec04142c15b0a237e72ce1c3c85d19cd1231b9824f7a9854e7909a74b7becc
SHA512efabb9883adb098a90115e8938c92b76bbb8d2eb5de170ecfa205ee949a2d722e0f97f6e01f9a71ac8b5fa2108b9ff82fa0171759d50e30d0ab5fc1948bdce15
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackages.CommonLib.dll
Filesize93KB
MD50e5155ecbe5a1797644f1610daa15583
SHA189677e0f9443d52c73d4e0b91c5aee5215ec4e88
SHA2569baf23c814dd100b2ac9511c9a2e5302dee1ffb1807dea021e1d317ba36901ca
SHA5123f80a871547bdf47f0a5b58f54b9597d0894580fcee8f53dd08c8a80658697fa9c9426ab8d47a40b0cdcf53d11769c654d26a3b530ad39a3a6e37d468ca309d3
-
Filesize
151KB
MD512572f87ccf0e40406b3554a1a6d3905
SHA1c9e238ef065d38400d084265ee056b2abb694224
SHA2566fdb589ebadf91a869eaa3a850b0fb17a8ab96bed78422e28f7efaf63bc040f9
SHA512d397888aacb1b787662b1678a24e24ddfa7a42c5363ac673706934a1a42e13f5ed55956d478faf0998c77891a64f5f26e85dcfa7ffc0a6ae87df26b3c24c4314
-
Filesize
863KB
MD5286642cd396c5b6cadc906b112b493ee
SHA1cb625fdbd26798b3042bc5cffd010f4e73cdaf1b
SHA256004bf709595e808ae59558ae7510a40277b7e31d99a5580b0e07f136eae09130
SHA51249773e5ad432f893c559308da144596ce1dfb967db5fcfb1805528cc7535e70a181ed8801cae43a47b58656c9925a236b06a4f2c67802a1a875a3dce3c9002dd
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Newtonsoft.Json.dll
Filesize693KB
MD5b61a163ec8f1e6a3a3572a90ba23f7cb
SHA1467fba9f1c171b58b76f4e9e24aba1ce5c91d02f
SHA25687da900259bea3bb65d984fb6fcd3134661e3eb0883ebf24981d50ca5d36f51a
SHA51287eadb61d95ef67cea0ec8cf15c2e285aff8c92941adb47dbce6886796de45b4940efa803d2a9333fadd09473e1b1a34660042d12562fb07eaf4a59c401244ca
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll
Filesize286KB
MD53362fdb62a7980ca70c44b4dbda5be9b
SHA177b328fd868e9be19165c39b541e815bad1fe13f
SHA256a6b74a797384f89b692f2e1027a3f73b4fad2a97914208158869a33068132a1c
SHA512d0441e5c747707434c02a64e8ff3a49edf33cff2c9d22f2c22e8bdfebc30a3cdf79b2ed96b8abd819ecd042876baa77c32e119ebb05ba0ecac73dfe2bf971e86
-
Filesize
270KB
MD566c97a4217593113658977f5aefc18d8
SHA1a7e4ff9bdb3800c1e93a0d521b53e344a10699ff
SHA2569ad65cc593bfc60815124c6377a8f3ea4f031bca01c688fb543b50a2b6418764
SHA512d2a474718a38aa0ea738200d7584a5c21552dc76428176026c5509ae606fea534f4aeabedf93d5bae5735754d82b2d93e4cfb67bcfea9a435147d7bb4b1f0722
-
Filesize
277KB
MD5a6d30251ed124d7656f523a7df177d09
SHA148092d267e067c1967b5acf1aebd9a18f0b91515
SHA256ec81827b885c0b109aaa3882469bb41d26871274b2e39d3b227fbd18858bf6a3
SHA512466809068b5813ac5531d9e5c76ba080a3a15b0d1aff2a7187149cd5366d990dfd07df1d51eeb8fcc656ed5c2d1c099ac32e0416f219fc38b64bd1a2351ee502
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll
Filesize399KB
MD55b3639406abb5ad7f16a90124b708862
SHA1466db9d6bc5f2a8eb205e5f3a7f2ec8c52809597
SHA25683717328623f05f5987dc258332bca21c1f2858b7ce6b834af5da687b0948847
SHA512f10717408e0140c8dbefcce9501cf03b86cecd32f2b55770879c28e21d793e45bd8b7eeed52e56e3386000a7beef7f0bdd05ebeff99a44d1056512f48063f71c
-
Filesize
48KB
MD5cd6af04995c443aeb37523e6c826dd4b
SHA11df2cf7e4d5c58f273cd360f9bf1cfa49929ba18
SHA256978e96534f36dc2ded9255abe9198cd4aa2f390dbf600f91fb8cf744a483a46c
SHA5126f87259e395b352fc92d8fe58b4b1183f3c5618a5204836e3c09aca5fced0313285abc68120d616faaa161ada1ab4bd30bb510ad5d3218ad3b338e4fe0b5a369
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x64\SQLite.Interop.dll
Filesize1.7MB
MD5cba9d50085ee939b987cf758c727dd62
SHA1ddc0faf68995883ac754662c59c4295bb0a64e3b
SHA25675e47a697a46e31811fab8c5d9fe1aba6ba095b6d13dc79a8c848be308917c37
SHA512a5f3d1b96535e0b523ecd71dc36fd3af157c630874ff11da29066c545114d256b14a5ee2ba725679c4192182d37df6900aa69ece228bafce909a482dff43a1e0
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Filesize196KB
MD55f782d0cb0f717ae9dfd1b4da1295f15
SHA1b33575e428e19940f0585c747e054ca70a12d454
SHA2560f233bd5fe96cf5f7efea0fa0634f98c37a3a095f72acc79a3544590bf228b43
SHA512e373be20e06f31f81a8c0368e8fbee0bd7e98095a6e1f85ecb8969a35caf32e22194e2448de9213bb86478f454e708363ea6ab990648422b57f057a0516959ed
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
Filesize55KB
MD5a739b889642ca9ce4ad3a37a3c521604
SHA118bcf6fd14c5aece67ae795a3c505a0c1a9d5175
SHA25644b96244b823052fb19509b1f9576488750c4edab61840af24b10c208b47fc92
SHA51292243e80fd77b9c3f9231c750935b34d9adcdc76e1a45a445c47888a1e98faca1c26f617459db0c1af4860a5172401f03e64039888e6f84726d2457cc550bae0
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config
Filesize9KB
MD59d1528a2ce17522f6de064ae2c2b608e
SHA12f1ce8b589e57ab300bb93dde176689689f75114
SHA25611c9ad150a0d6c391c96e2b7f8ad20e774bdd4e622fcdfbf4f36b6593a736311
SHA512a19b54ed24a2605691997d5293901b52b42f6af7d6f6fda20b9434c9243cc47870ec3ae2b72bdea0e615f4e98c09532cb3b87f20c4257163e782c7ab76245e94
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.2680.update
Filesize9KB
MD514ffcf07375b3952bd3f2fe52bb63c14
SHA1ab2eadde4c614eb8f1f2cae09d989c5746796166
SHA2566ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed
SHA51214a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log
Filesize8KB
MD5c64defc8b048da7f4d94e84fd2185933
SHA11f83e0fdf4b9908021beb7b604ab8777241760a8
SHA2566af0c39e95c072b87de42f3007ad0ce1a7721287f1436cd7e83e0c904c02e901
SHA51276188098628f99ec5aecc46ec441ed94583128a75fd2703b2785e446ebaa236d76769bda58815638a10843c92b52895f9a8438eddf5b233bd4d4b3478001bd64
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe.ignore
Filesize2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize54KB
MD577c613ffadf1f4b2f50d31eeec83af30
SHA176a6bfd488e73630632cc7bd0c9f51d5d0b71b4c
SHA2562a0ead6e9f424cbc26ef8a27c1eed1a3d0e2df6419e7f5f10aa787377a28d7cf
SHA51229c8ae60d195d525650574933bad59b98cf8438d47f33edf80bbdf0c79b32d78f0c0febe69c9c98c156f52219ecd58d7e5e669ae39d912abe53638092ed8b6c3
-
Filesize
334KB
MD5b3e14504a48bed32c53ec7aab2cb2c8f
SHA10bc0d486a5ed1c4cdf2390229883ed3473926882
SHA256adea6001759b5604f60bbaec8ce536a1e189adebc7394f9cff3921cae40c8c9b
SHA512e5a5c09355eb9cb45dc872b59edbd54f62f15445ca6caaa3187e31e7928ef4453ae8405d9eee5d2aec4fa34965d3006dcf61c060b8691519a2312382612c683f
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.INI
Filesize12B
MD53d66ae5ed06891e8ce75a39a24070844
SHA1368064119835d4376727a14706c41384446183e8
SHA25673dba8242fdb4de1393b367a239f730aca6713e6658be69f1d8992ad26479176
SHA512c0b61f92bb61a7bf90225d1ba5a1bea0fc077c2481a2149663b546296421855ab3147c3a1f5372ebc920731624bc8578595c18ca9d138691c720fdcb86d03f8a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize72KB
MD5749c51599fbf82422791e0df1c1e841c
SHA1bba9a471e9300bcd4ebe3359d3f73b53067b781d
SHA256c176f54367f9de7272b24fd4173271fd00e26c2dbdbf944b42d7673a295a65e6
SHA512f0a5059b326446a7bd8f4c5b1ba5858d1affdc48603f6ce36355daeaab4ed3d1e853359a2440c69c5dee3d47e84f7bf38d7adf8707c277cd056f6ebca5942cc5
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config
Filesize541B
MD5d0efb0a6d260dbe5d8c91d94b77d7acd
SHA1e33a8c642d2a4b3af77e0c79671eab5200a45613
SHA2567d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102
SHA512a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Atera.AgentPackage.Common.dll
Filesize94KB
MD5ebbe06f612e1c8b87e3d4aaca15a29b5
SHA1d2b1317ed96ec0c92ccaf7e85f68ee24f289413f
SHA2566cd16dce27e724c2daa098f131343ffdbbed0da5b7ef62542b421a0817de3a3e
SHA512eb079eb409925516118db4980be734a645b7444bc51862ce7c95d52e0697b7b937bbacaf421fc5af1a01d3262c1b19a3cf9376adb0a5537de0973e0b7dde63df
-
Filesize
693KB
MD53b395830460c2f72bc6cd12dd096db0c
SHA173063c63d2b562310af76abef2a8b7e697389c94
SHA256f7bb07b7c1718dbbcb692aa4296ebefd7ccd1e55f27be00703a3ce623ad38d5b
SHA512dbcaedddc4d99586f1e04fda97e1c706fbc6be7bb766e0fe73addad3116517010a3c1c92d7f54d71533b4c4459631966d8d0cf370ecf1f789f7d25fcb2f5a64e
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize50KB
MD5c0f02eaa3eb28659d8f1bcba8de48479
SHA15be3c69e3f46daff4967484a09eb8c4a1f4a7f0f
SHA2566befb51a6639cae7e25570f5259f7b1f2d9b9b6539177d64d2ed8be50dde6268
SHA51247b536fa628608a58f6f382bbc99911eeff706becfaf4b1c5ff904ca768917f40c2e916ba5a31992df0335ba5a57755f047f70aafaac414fc655da0cd6f95e34
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Filesize32KB
MD5f531d3157e9ff57eea92db36c40e283e
SHA1d0e49925476af438875fa9b1ccfb9077fa371ecc
SHA25630aa4b3e85e20ada6fe045c7e93fee0d4642dcabd358a9987d7289c2c5582251
SHA51227d247ab93ef313ce06ff5c1deca4b0819b688839c46808a6be709c205c81b93562181926a36a45a7da9570baea3b3152b6673a3bcce0b9326c7d3599a3d63c8
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize54KB
MD5d11b2139d29e79d795054c3866898b7f
SHA1020581c77ed4bc01c3f3912f304a46c12ca443e6
SHA25611cdb5ec172389f93f80d8eff0b9e5d4a98cfeab6f2c0e0bc301a6895a747566
SHA512de5def2efcba83a4b9301dd342391c306cf68d0bb64104839dfc329b343544fd40597a2b9867fd2a8739c63081d74157acfc9b59c0cb4878b2f5155f582a6f09
-
Filesize
588KB
MD5d39533ae3451324100a8be62845799e6
SHA131af6d7acac3ff2b67a3b6d5dca6ba22809988d3
SHA256fa52b413bec029179f4dc476b9198f53d9034b0de59ae2439a8882403b61d07e
SHA512ce69bde9859ba32aa24b09538e5ccefa8766f2f264bf637fae2d0ec1419e306f767e3343793448d960880c82d328fa6e7b75e14cbc2de3403fb21c80f03318bd
-
Filesize
167B
MD56531153d66e55b212320321dc39dd9b9
SHA169d7d7cb9ff0c036c9be3131fd494867f9f6ad7d
SHA256afe26d2003c54167d43c173fa67d904bc90db50629cceb4a61c45da528f8c203
SHA5122330382123f0b1bcfc4152cb6c6b6a5ea88c56b51388fa9dd8c49093d4f567781594aa557eb658e1023b734690fc50724719ed9d28abd0d5b4dd4f31d6b875ab
-
Filesize
205B
MD55bee251dd33f487a36635534c9c7f81a
SHA1958f1d162957af39446951b4260790ccbb8977be
SHA256cb98d6262ec039179bad185a1ca1f039344e308ffa0512e2edc1f1c27653a4ca
SHA512e7df95ebd535c94e3cc5646fb7063758fd693dd523fd396a65f5c8db61f2162614f46f85ac1e77d798f63865b2be4b8096925e093cb4049e7d1441f7686f2d02
-
Filesize
9KB
MD51ef7574bc4d8b6034935d99ad884f15b
SHA1110709ab33f893737f4b0567f9495ac60c37667c
SHA2560814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize
10KB
MD5f512536173e386121b3ebd22aac41a4e
SHA174ae133215345beaebb7a95f969f34a40dda922a
SHA256a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA5121efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
287B
MD5fcad4da5d24f95ebf38031673ddbcdb8
SHA13f68c81b47e6b4aebd08100c97de739c98f57deb
SHA2567e1def23e5ab80fea0688c3f9dbe81c0ab4ec9e7bdbcc0a4f9cd413832755e63
SHA5121694957720b7a2137f5c96874b1eb814725bdba1f60b0106073fa921da00038a532764ec9a5501b6ffb9904ee485ce42ff2a61c41f88b5ff9b0afde93d6f7f3d
-
Filesize
7KB
MD5362ce475f5d1e84641bad999c16727a0
SHA16b613c73acb58d259c6379bd820cca6f785cc812
SHA2561f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA5127630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
-
Filesize
1.9MB
MD58de5a7a19d882820893d8b911c1710fb
SHA195cdf5855bc5e454c8944952697ab142f77124f7
SHA2562bee5835a45e74f454648c57fef0d6fca40d64308f813cb759ccab1b2ab576a9
SHA5123056784d9a1ae5a8a5dd92d7ed6ad1311e863e41a6ca5971aac5d626da1338da44d0828448aa9ab1f9edb88afbaaacd57660c4c102812bc94240654b8d5237a7
-
Filesize
1.1MB
MD59a9b1fd85b5f1dcd568a521399a0d057
SHA134ed149b290a3a94260d889ba50cb286f1795fa6
SHA25688d5a5a4a1b56963d509989b9be1a914afe3e9ee25c2d786328df85da4a7820d
SHA5127c1259dddff406fdaadb236bf4c7dfb734c9da34fd7bad9994839772e298ebf3f19f02eb0655e773ba82702aa9175337ba4416c561dc2cb604d08e271cc74776
-
Filesize
375KB
MD53c93b399b417b0d6a232d386e65a8b46
SHA1bb26deae135f405229d6f76eb6faaeb9a3c45624
SHA25629bc4577588116cbfea928b2587db3d0d26254163095e7fbbcde6e86fd0022d7
SHA512a963f5cf2221436938f031b65079bea7c4bafbd48833a9e11cd9bdd1548d68ed968d9279299aa2adfc23311a6744d516cc50e6537aa45321e5653755ed56f149
-
Filesize
321KB
MD5d3901e62166e9c42864fe3062cb4d8d5
SHA1c9c19eec0fa04514f2f8b20f075d8f31b78bae70
SHA256dbc0e52e6de93a0567a61c7b1e86daa51fbef725a4a31eef4c9bbff86f43671c
SHA512ae33e57759e573773b9bb79944b09251f0dc4e07cdb8f373ec06963abfc1e6a6326df7f3b5fecf90bd2b060e3cb5a48b913b745cc853ac32d2558a8651c76111
-
Filesize
814KB
MD59b1f97a41bfb95f148868b49460d9d04
SHA1768031d5e877e347a249dfdeab7c725df941324b
SHA25609491858d849212847e4718d6cc8f2b1bc3caa671ceb165cf522290b960262e4
SHA5129c8929a78cb459f519ace48db494d710efd588a19a7dbea84f46d02563cc9615db8aa78a020f08eca6fa2b99473d15c8192a513b4df8073aef595040d8962ae4
-
Filesize
1.2MB
MD5e74d2a16da1ddb7f9c54f72b8a25897c
SHA132379af2dc1c1cb998dc81270b7d6be054f7c1a0
SHA256a0c2f9479b5e3da9d7a213ebc59f1dd983881f4fc47a646ffc0a191e07966f46
SHA51252b8de90dc9ca41388edc9ae637d5b4ce5c872538c87cc3e7d45edcf8eff78b0f5743ab4927490abda1cff38f2a19983b7ccc0fe3f854b0eacca9c9ce28eda75
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini
Filesize11B
MD55eda46a55c61b07029e7202f8cf1781c
SHA1862ee76fc1e20a9cc7bc1920309aa67de42f22d0
SHA25612bf7eb46cb4cb90fae054c798b8fd527f42a5efc8d7833bb4f68414e2383442
SHA5124cf17d20064be9475e45d5f46b4a3400cdb8180e5e375ecac8145d18b34c8fca24432a06aeec937f5bedc7c176f4ee29f4978530be20edbd7fed38966fe989d6
-
Filesize
48KB
MD58c3998a3c2ba9500d4d939765dbd460c
SHA1a882b78b5f0e182898f1da624957c8dacf331acc
SHA2569dde140fb482b58a0c58c1ce36a6235e0b55f0190b9b798e94569cbda9285b03
SHA51284f80872e6e39b6b71adcc78fab7061bfce468491e8b141374cd4d9c92ddf51ae4948373e1bc665a9f7b5e08b0a698beae804318a04b3a3e968c0356c57f5174
-
Filesize
48KB
MD5dd6b5a7d60ca666b460c912d07e58c5d
SHA1901e722e1692296e5b0a601bd40423cea36d13d9
SHA256a9388e7fc7d66e5b3ea96b3e8923db205276904d1b6588bada56616e04c26e09
SHA5126a1617c82dcb4f44ca357b81fa9ed4b7e99ff9e99ce52f0ee4d02124d3f0dca3d085e6f8b62d23f73b61be72fa2eb6c8299367c1ce99e73b122580004ee9f538
-
Filesize
2.8MB
MD591453d3e1e2bc9586cf5495073fb3cf7
SHA109cfa9dc27545fb600dd7a60e44258c511eb43c4
SHA2565d398c6ce0636eadd4b7f6920dbd6127388f698e9bc1a440cb7db3992acb6557
SHA512462d59453ed01d8ddf54e06319aaefc0ab5ef70ed7b0a45ffd4d3f049692044acf0dee3599173e58a4c281bc69af63d8b64f9586a1b2f04991adfa6747f19bdc
-
Filesize
2.9MB
MD5384d6da5c34ff401b18f0af41e3a2643
SHA13ddfbcf79e55904df77df2125f2112cfe7703eec
SHA2560699c4ccaa2f9e6768475f7fbd0dd93dab1a0a0dc8859e9ee8f8a48ad1075d7d
SHA5125b63245bedfc7260b27254a33f621a8b626a36c13c8f8ad516f51013bd6751770d37afdc1ff8f7646d9f972081acd24776314405cc397762a4f58d6dca0a7f32
-
Filesize
1.1MB
MD56c6f85e896655a6eb726482f04c49086
SHA12e0c55cd4894117428b34d21a1d53738fce4b02c
SHA256e109400a93fede90201bbf37c1868c789888bce9d03a4ae5b46c48599939c34e
SHA512b58303c149deffc9e374d5ba42a8a73b7ce890d35f9589fe0b09acec541a21d589d49fa5086b965277fa22dfe308357505124f13a6ff1e0de415ebc40ce61e15
-
Filesize
646KB
MD57895698867d1ad33934a8553b4806dc5
SHA132704df55deaff9bf0b4ee0b887541856578938b
SHA256ef5854b5e800a534a08c083d4a3956dfc0a474ff540cae9bf0a9077a213b2ff9
SHA51220337093ddc5322c4b96c7bf26f1a0b966fafde70a96f7e9b5e9d36acac7d862bd2a50cae9a63731b23904a9256c94cd3bb4e19768130580511ec4c408536a58
-
Filesize
3.1MB
MD585e1898362165fc1315d18abb73c1b37
SHA1289a48ba5ee27c0134f75e243c55a90d32c11a05
SHA256d0594b261e16394244c64289dac00367fdc853a1a8e542e0e814a57494c5228a
SHA51249fdbef67c2a85b5d319c26e6e55456c94d294b836c946b9966c8746fb33de4ede62b93ba91ad657df4db24fdb3ee1de7395652ae1086c876b7d0b85000d594a
-
Filesize
569KB
MD59614d1da18956de06747c03068208d66
SHA1fea2680ddb9e4ceea8489a132df9a1542febfe88
SHA256dde9e0ca3fd274902f1a4c22cfec6870c6c4dbbccad17d2189477ab60f769dab
SHA512d8e46a5819e9dced61471966646de153bf3480933054c50190d50de4900685265367b12c9147630f184ce8809786fc010bf6fcd1884035fb4c77cfde660a8b9d
-
Filesize
16KB
MD5b2e89027a140a89b6e3eb4e504e93d96
SHA1f3b1b34874b73ae3032decb97ef96a53a654228f
SHA2565f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982
SHA51293fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19
-
Filesize
809B
MD58b6737800745d3b99886d013b3392ac3
SHA1bb94da3f294922d9e8d31879f2d145586a182e19
SHA25686f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594
SHA512654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df
-
Filesize
625B
MD59a92c42bfc511f3972d0632602695d70
SHA161737317ad4173a630771eaaff501ac80141ae85
SHA25664d6bfafe3820c60bc477bfe32d8d453516fa9b5be6a7b470fe23cb1fadef50c
SHA51228e6c71262477b2112d44229c58d4b98e65654ce4a1d4d8d64bed3b23ea849397b4694e9bee3496f079624ddba6ca3e45db9717d4575a5408d1c060e2e46c36f
-
Filesize
6KB
MD550e408551916ecfffb8f361c6edf20b6
SHA1a78ba3ebbd7338e086f74cef158490768aaa3438
SHA25660a940f016ac2fb4e1c859bbdefe7812a6b146cf2108678f0dbbb9c640501903
SHA5124a418a05e8faef55bd1d1de61b907c610ca692f7b2f5c2021cb6b04d6d0d524eaa1b481c24d55964b6f02adf7d742a379b673288e6baa61326426bab19c19539
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD57795df33fc7dd3aa62e0bc052f9dfbad
SHA1ea227ec994561b5bce01c5228f9c337286fbec9c
SHA2566ad47d714f3dd55b2fe9072e829542851d2ecf60cb88254002c60449e8aca736
SHA512de11027f0ca32119ebbb17976ecbe6582ab6af8caa7ce522d75c4185da722550f1f981064db9be6074eb1c6c096c933c2de7ee42b1f31b4fedc9982f87157f9d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9
Filesize727B
MD5043fc0ff529996b681d9677246420c3b
SHA14e5fe5b8407e1fc953ca459d1f25e271e7b8f819
SHA256ca1b6b17d41eebcd503c186a777404136480328bb3fd4783b4e5bda7f9557c88
SHA51222a04c039c37cde623b03954acdc5587cabe99991809370aee60a87ceae428cd553b8dc71dde08d8e1b61938676a178171462ea8a084738f6392bb26d8028edd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD5eb9a1d98cc4b6ac3d674a6621df5a758
SHA15e9bc182d48b8e86a61d8a3f4b5add9c88da6800
SHA25620d856d68dba3e2246ebb62a5eaedcefda221accfa1b9362b33afad33b6e48c7
SHA5121054d82e5e1b2f2c1416d31f01ff2c172aca8dcc31a622cdd959f918b78a474bd9b40a9b7316122a8262fac24d6236860e2eadd665030a61d56c5c0a153f81c7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD5e3d5f306b19532c687f806fbf2cf0455
SHA1ab6c1d87015d6d3286fdfb3dd4b94d1f5fe36464
SHA256196abca8ed670e21d299cd14d4b7cfda9c2a9961caba651bf25205a0ef7e39ff
SHA512befc7b49187fe576cacd456db2cfbcee65fd5f137566f0cca247dd301d38421450f34ac453028fc3153bc51ea316251c1da803447a5dc06617a7df321a933c19
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_D6781754937F132531C364D68914BDA9
Filesize408B
MD585e7a0af95c63ff4be2e4d5e54089a65
SHA1d13a95db0d32fab41398fc56d793e6fc61bac7f2
SHA2565d26bf7b90be58b64ac3047e10010c9c2791f7f7e3f6c2857f6134c2d8c1d719
SHA5123baf6a9e7b23537c657eb4d9dcc0e6243b7e8fc2173dd664c0ce3d4603bb3a49124addc7c601abe15ee1e46f9ec994be6f9afcf83c3e9ecacdc8eee805f3a893
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD509c3981e7244f69d1ad813c7a39c2ae8
SHA1855d27fa210d36e21b82da26810012e924623097
SHA256f4c23d3cc4041f03a93cc253b0e97b77e1c1bb55909eab0bca2ec3dc28ec1d51
SHA512d03f2a6f13b6480267d4efc530a618b62782957d5990a82cc90f3c76b68690bb6321642e56b1100c394708f67673dc5ce55a0048a7bde6051144b958202b8429
-
Filesize
245KB
MD5acf29f18088d57d255b2b5c859e6d844
SHA1cb0260ff6e7dd2189677d1c2afc9d25cd0c6f208
SHA256767b905a0af875fde991601e1ea86ce40af300e6054ea719cad02fe72df28fd8
SHA51229fe0a4159a7aabb7886475824c5b23310863304a315cf59b5d6bf44c0dc2c4df36521c38ff97e5336a8c7dda63a3f1b0405b493985c3ee4f308693bed9f638b
-
Filesize
6KB
MD523b4b8d7a19b6de1bf97308c084a31c6
SHA1cf8ac83896cfc180fe2f1c3d5db67adb25860038
SHA2565b47208bdd53b9d55efbb807063a783a992fb4aca3b7da15ac64f30930a4cbc0
SHA512b1ca3006d9aa1c25efbd84eb67d18dd0b88fd23190e296d0b005364223ef057c18d0ae6253d987fbca3e675646654557e897c9a9e5b354fb5b76d42775480830
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
4.5MB
MD52207f96731ce2f9d9327c0baaf4959ef
SHA1f56ea992c59ad669ec8ee5d6a827adc472159cc0
SHA256e4ceddd5c37c90f8fc7787663a9bed31518fba82413e80b21230425e380c42db
SHA5127e4bd781f879b593f722277839175aa895c863b2015d691c85c8eec4fe635d233cd94d2b0dce46cd058f08a005caa73888809df414983ff2a4c938770ef71fd4
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
2.6MB
MD5055047fe65e1d28dd3bb2e53a9bbcf31
SHA1126af029786aae23fb19e4ab3b71d50a04880393
SHA256f065892060e9e58460c920516e4c7257c265bf8b532e9782d5d73146ee936c72
SHA51294da78ac9c85e16e628872ba1d318db1733bb917711836df73b30b5d9825d6f04db5418c094220a20886ecd892e5721238ab47e1ca7b7674c163fa35a91c0ddf
-
Filesize
10KB
MD562458e58313475c9a3642a392363e359
SHA1e63a3866f20e8c057933ba75d940e5fd2bf62bc6
SHA25685620d87874f27d1aaf1743c0ca47e210c51d9afd0c9381fc0cd8acca3854562
SHA51249fb8ca58aecf97a6ab6b97de7d367accb7c5be76fbcd324af4ce75efe96642e8c488f273c0363250f7a5bcea7f7055242d28fd4b1f130b68a1a5d9a078e7fad
-
Filesize
4KB
MD51cec22ca85e1b5a8615774fca59a420b
SHA1049a651751ef38321a1088af6a47c4380f9293fc
SHA25660a018f46d17b7640fc34587667cd852a16fa8e82f957a69522637f22e5fe5cf
SHA5120f24fe3914aef080a0d109df6cfac548a880947fb85e7490f0d8fa174a606730b29dc8d2ae10525dba4d1ca05ac9b190e4704629b86ac96867188df4ca3168bb
-
Filesize
52KB
MD501e8bc64139d6b74467330b11331858d
SHA1b6421a1d92a791b4d4548ab84f7140f4fc4eb829
SHA256148359a84c637d05c20a58f5038d8b2c5390f99a5a229be8eccbb5f85e969438
SHA5124099e8038d65d95d3f00fd32eba012f55ae16d0da3828e5d689ef32e20352fdfcc278cd6f78536dc7f28fb97d07185e654fe6eee610822ea8d9e9d5af696dff5
-
Filesize
12KB
MD58e16d54f986dbe98812fd5ec04d434e8
SHA18bf49fa8e12f801559cc2869365f0b184d7f93fe
SHA2567c772fb24326e90d6e9c60a08495f32f7d5def1c52037d78cbd0436ad70549cd
SHA512e1da797044663ad6362641189fa78116cc4b8e611f9d33c89d6c562f981d5913920acb12a4f7ef6c1871490563470e583910045378bda5c7a13db25f987e9029
-
Filesize
2KB
MD50315a579f5afe989154cb7c6a6376b05
SHA1e352ff670358cf71e0194918dfe47981e9ccbb88
SHA256d10fa136d6ae9a15216202e4dd9f787b3a148213569e438da3bf82b618d8001d
SHA512c7ce8278bc5ee8f8b4738ef8bb2c0a96398b40dc65eea1c28688e772ae0f873624311146f4f4ec8971c91df57983d2d8cdbec1fe98eaa7f9d15a2c159d80e0af
-
Filesize
179KB
MD54dc11547a5fc28ca8f6965fa21573481
SHA1d531b0d8d2f8d49d81a4c17fbaf3bc294845362c
SHA256e9db5cd21c8d709a47fc0cfb2c6ca3bb76a3ed8218bed5dc37948b3f9c7bd99d
SHA512bd0f0a3bbc598480a9b678aa1b35728b2380bf57b195b0249936d0eaaa014f219031a563f486871099bf1c78ccc758f6b25b97cfc5296a73fc60b6caff9877f6
-
Filesize
135KB
MD567ae7b2c36c9c70086b9d41b4515b0a8
SHA1ba735d6a338c8fdfa61c98f328b97bf3e8e48b8b
SHA25679876f242b79269fe0fe3516f2bdb0a1922c86d820ce1dd98500b385511dac69
SHA5124d8320440f3472ee0e9bd489da749a738370970de07b0920b535642723c92de848f4b3d7f898689c817145ce7b08f65128abe91d816827aeb7e5e193d7027078
-
Filesize
119KB
MD5b9b0e9b4d93b18b99ece31a819d71d00
SHA12be1ad570f3ccb2e6f2e2b16d1e0002ca4ec8d9e
SHA2560f1c64c0fa08fe45beac15dc675d3b956525b8f198e92e0ccac21d2a70ce42cf
SHA512465e389806f3b87a544ab8b0b7b49864feeba2eeef4fb51628d40175573ed1ba00b26d6a2abebc74c31369194206ed31d32c68471dddcf817fdd2d26e3da7a53
-
Filesize
602B
MD56f7b2f8f78d13d0e90dd5710d976e056
SHA1c41a5538ed5073ee5c8b0ac7e887f24cef1eaff1
SHA256ff5258af181deea286ce1165b43ae32f8c639e2cff4acfb9cbdcd62e01b1d229
SHA512599badef73cb4d58bb79f6acf58c2e66061962a1719b07f0cab3b4d65344768c3e01d319b40a089e832c9b9235f04990c9ffe4d27fc85cf36d30fa832fa37287
-
Filesize
976B
MD545dc81b086c7f784398c77552a68cbd6
SHA1fd2d88a39e49339812058d41ad321551c15e6a07
SHA2569b66fc464a63af6a888a1d2cf648493ccd9f23b810f141fe68f6816f71f4ea07
SHA512cdab4a09e00f4dbbd2d94357be0c6f053d8086bb0ce3d811b9334a2a308f81afe2b792d1a553f0df595b5093e5f9e34d0584eb678349b4da6f0a29c915a873ab
-
Filesize
4KB
MD50cf8f4f78b9049eb3d3b7f0f9c133787
SHA1e45174f634eb620ba5362cc85aaecc06e5dca568
SHA256fa1bab870035ad5528c15b11f9f62a317f4abb170be99c3b5aa55f77a3672e46
SHA5123c7b579815d202b9703a246400d2fe152703d917092f87bfe4f559c4ec2d2911620426e574fc76cd1fb3c5be285dc394e5cd78fb1b7482688b52e6ee607a853f
-
Filesize
2KB
MD50cf97de414ace5f5811b6bd1c6b09435
SHA113671c8569b5b1337da6103f44938e39b25f086b
SHA256efe37d262947e1cf3558cef7054be27f97949eaf8ce2ddce2a2754dcc4dc4fb8
SHA5126fabfa1061bede0cfa24d67ba8d5ed829d658e513af2f7eb94d6ec138ee629b4e8413910a155454ce0e9cdd1ef4d90fa49d4cc2575a79954ab986859107509b7
-
Filesize
2KB
MD56e0032fb708fa014f0e10838420d2d5c
SHA1b41c497bb2dd4270c53dc71947d89a4904309f49
SHA2568e27779912d0a9c873b753316c20f7085ebe8f34de69cd746f4fc31736bdf580
SHA512e17598d270befd56534fba6cd17d1ad1407be095db22d36f8ba304962d77aee52f62418a45cb3d4bf690fc56f645cac8138accdb63dfdc4fdd08abacfcaaebee
-
Filesize
4KB
MD54de819ffba1770b8edb5023d350ede54
SHA1d29352aec2f912ad28bee6072ea69a45d3a228fb
SHA2562263807f504a92002a636d8008cd901df14a78e1179d858c83732ab63897bae5
SHA512512dd224041c129834241b443d1cfb4aba3888e16fd4cd448da95c620d6e87545514453b1be38388817da54da265384bfe0c5ff3d29af0d8dc60a059c862bdb6
-
Filesize
3.2MB
MD5a7ce785b6cd1c9657040ca9b6cbeed10
SHA14b254fee47cc8a9eaec6ce7b714a2ce05b6ed8ec
SHA2567ba6e401b8e78ab28e1ccf38d2cd05e12751f960661e159b4e35bc63d3544b4d
SHA51239202f477017daa9428a0c1bbe1daae30aa1b7b9f57b04832c44a7b28af0144ff47edfc1ad3d6a940ad1c49471dfe190077b594c337bacc115c552d91a24c2d9
-
Filesize
1KB
MD5fc5de1fea9170b61439922a367a12478
SHA196941d31908b0cb49adeabbdfcc43508f2b99b36
SHA256087ba98d89b1e1366d04a909ac09d109bb80a872b6d5c38e29568dbee5b116f1
SHA5126423294e13ea896ce12e8369101cdeaf6eb467cc60a2852e5145be12cd8ee1189a8508a59faf504bb4bc90593f451ec09291662e6bd43438bbcac57f2b69613b
-
Filesize
571B
MD538370175ce7d8dd5c3581030a9104259
SHA1bbc1b4254c3e3da692c2667b4c5092d687ad8dc9
SHA256ee90ca3f30aa75fe1c3b095ddd2b24680bd3b081829094c18d9c78ebed206b83
SHA512e11494869b04a2206d3dda67411be294106f6363408399d9363b27720c6fe88fd393ae90fc2ab7cd4909e940e98f273c8869532b65a1f0b0f4b8b18a24589748
-
Filesize
182KB
MD537a2c4ef0ff41955f1cb884b7790699f
SHA18e7dad0bc6ae65dfaec9fc29d0ef6e260dd83e9d
SHA2566b629fdf1520ba40bb0d7bc8d9a7bb231624fd190e03bcacc607f248222b3c63
SHA512fb3a109395872e6f116a75b39566f4b9efe0486512620deb33ef83ac0ac3165d96dbefbe3023ece1d3d0d6be7c8eb8abb58da90f01f225e1ed2d4add2b544d42
-
Filesize
179KB
MD57a1c100df8065815dc34c05abc0c13de
SHA13c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize
345KB
MD50376dd5b7e37985ea50e693dc212094c
SHA102859394164c33924907b85ab0aaddc628c31bf1
SHA256c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415
SHA51269d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5
-
Filesize
427KB
MD585315ad538fa5af8162f1cd2fce1c99d
SHA131c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA25670735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize
1.8MB
MD5befe2ef369d12f83c72c5f2f7069dd87
SHA1b89c7f6da1241ed98015dc347e70322832bcbe50
SHA2569652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD503009580320d047de9e98ae6125af1c4
SHA1b4be8a4b2ad6283b1b5c15b5291a59b99594968a
SHA2564cad4c812a4630b0f5f5bfe890f618378c44aa813eafdd8e308f08ceae458b06
SHA512846341e8798edd268387bc5e4ed923055e5ea74e2c733fc8e4818c0dc12b7e6d92da6bf0f715253dfbfc05dd44bc5bc8af305f10dbd7f6964d1fe810c0a0e8be
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Filesize1KB
MD59cad061ddf5ad182cfe7879190aeed71
SHA1cfd292d16d937f95b642527464403b7e5ef6af96
SHA256b2d273fa926ebf6946e69e8808ad332db42bc65f449748082e088aa732e408ca
SHA512df517d66358f441a7c4c690cd90e214f18d490e3de767dd76164effaa179b1dd865a0056d68ce3ab6aee55917465c7f39146e7694b1ac475fcc95c280fb29e92
-
Filesize
24.1MB
MD50e213960b90c1ff27f0213bc0d37ebf4
SHA1b52ba1c4020f8205004ab06fd09c30bd6088f094
SHA256ed8bc0d8725e01911abf7ec519a46911beb61cbb73fa8f78eeb1eec1d8bacda2
SHA512a13a2409a18d3cd8109b3074fae97ecd008873b7d576d6ffbca98913f619fd3c606145be36718e9b39b52933d166000889a3a2dc8e5e609e3ad574631c3a518c
-
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6a3628bb-e403-4b84-9f60-faffe953e504}_OnDiskSnapshotProp
Filesize6KB
MD52c13e525927b904010cd4727ca0944ba
SHA1a2cf4d6df6681aecaa409517f46f6800d181c370
SHA2565ee9f4dfb172a38d9135fac02ca8bd4cc6d86f89d198fed05c545a427c88a4f9
SHA512ccba2fcd3a029cf91b6c0106ed63e4aef609d498e8a8761b522dd6bd46d05b00f183e17871509889ff54bd844629029975fc5469b17fc25cbd207289b8ad1bee