Analysis
-
max time kernel
100s -
max time network
100s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
20-11-2024 22:19
General
-
Target
https://ws.onehub.com/files/uuz4u9iq
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
-
Blocklisted process makes network request 3 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 34 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 13 IoCs
-
Drops file in Program Files directory 21 IoCs
-
Drops file in Windows directory 39 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 14 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 2 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 23 IoCs
-
Modifies system certificate store 2 TTPs 5 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 41 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://ws.onehub.com/files/uuz4u9iq1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcfcd946f8,0x7ffcfcd94708,0x7ffcfcd947182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2484 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5340 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6408 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6280 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6220 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6812 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6824 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6820 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6012 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9232505479150602884,13842188777040111561,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6500 /prefetch:12⤵
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_יישום הזמנה מקוונת.zip\יישום הזמנה מקוונת.msi"1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D8016A0B0865B5870CAEE7EF94F0C4102⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI47B2.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240666781 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI4C76.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240667828 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI5188.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240669109 11 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI5D74.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240672140 33 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 75D4C8F4FC35BDFEE478C6FB18B600CB E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000O3Ui7IAF" /AgentId="a776897e-28fa-43b5-8183-38d13ce9ee21"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CBF17C0F42B56B6D0EC93B705E8E1CEE2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 30E0CF1B7F99E6DAF2FE3B71C74A0D9D E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000O3Ui7IAF" /AgentId=""2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a776897e-28fa-43b5-8183-38d13ce9ee21 "7fe0e36f-e206-4d40-9bb8-56d384f6cd71" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF2⤵
- Executes dropped EXE
- Drops file in System32 directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" a776897e-28fa-43b5-8183-38d13ce9ee21 "66f3c65b-1439-436f-85f6-e98f71d257f3" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000O3Ui7IAF2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Temp1_יישום הזמנה מקוונת.zip\יישום הזמנה מקוונת.msi"1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
-
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
Modify Registry
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9KB
MD5e0cd66459848cc0d61f3881a8384c87a
SHA1eb4eec52bdae5700db8b52a8dce5d5ca29cb277e
SHA2569e7e58e33e0fe93066a8d177e0d443d75fef6391f06252e1e9aba71e0f77264b
SHA5125748afbaa71aa2f483303cf5d0168c120c9363a7e79d48be493420962b12a4f15cc1361df4cec4ff5f456f75ead2b51a134edae8f868e0b7165a2d6a88c81434
-
Filesize
3KB
MD527d1eeca3f976fb06ac9f7a930786c99
SHA1ce447585223afe4906e30fd184c9f03caca5a12f
SHA256441a11dd7173d34776b42caef1cc4c8eb10d5d2fa7f21e31f4adff8d4d990328
SHA5123aeebec1ff13d985a89cbac4a70dffa50767f529ca3c71087cabd230025b2f9ccebfc089761e64c1e2807f1325d88a1d8367625c1b20f97fb99b20054baddef2
-
Filesize
1KB
MD589ebebc9e136e2e2d8e104ae8ca4207c
SHA1333e67522cea1d92a1709219a1e964c8e384f7c7
SHA2563c3aa140d971c7ecada419528401c8314704ac945aaf673f4f2cba954de7a437
SHA512a68bf09a7192a14bb62455a3535d993fe0d9749bdfc54fcf8f3e4b53432aa775351ee159cab1b5d8211ef7036f146c86348d8feb1ddbf73a378fd31e5e054fe0
-
Filesize
1KB
MD54eacb8ed863fef6a3d09d47ad9c48e8d
SHA183ffd1497df662bc1573269a16d95b6ca24658a1
SHA256e293ecc7970e6de799f3d6f521b06a54e76d08dbfadcddee539ab5fed82d745c
SHA512cde41d36659f77f2596e77713ffdf2f1cb51f7550eee69c6512768448a1e26bdf29bf6dab6df27ff6d9d28e1a32518035c368a05781400525ddf93f76371b5a4
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
Filesize
173KB
MD5fd9df72620bca7c4d48bc105c89dffd2
SHA12e537e504704670b52ce775943f14bfbaf175c1b
SHA256847d0cd49cce4975bafdeb67295ed7d2a3b059661560ca5e222544e9dfc5e760
SHA51247228cbdba54cd4e747dba152feb76a42bfc6cd781054998a249b62dd0426c5e26854ce87b6373f213b4e538a62c08a89a488e719e2e763b7b968e77fbf4fc02
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
218B
MD5c65ccc00bba5253c17dfb87b1b1eee33
SHA1463d4e085a2785a651a77af0855e9d720546a4eb
SHA256f9bb152903375c5d7489539176a241f2a3c7468d184dcca51dc0231f6552409d
SHA512abf6d3df36a1dd71ebb3f5eac0b937aec9074fb2d06fae19f916e6404b34805cad7a9bdae7a90d9bd60f2136240272102fefcf95d5e7d5c875cf9e3cd4a30707
-
Filesize
471B
MD5a5b4a4a3dcbabb40be14d7ba96c4f1ab
SHA11276699a2ca4274dbd8dc76cc5a1f082cece2ed8
SHA256067b6ce40e30e9ca418b69ddc9b37b3cef26a12ff10ef0ea30fb94b91034c0fd
SHA512facd8230d6d590cd11910ee98597d440da583ef76461e2c2e1023617655a939ea49fbcee7e1e6eb87e41e91bdec62bc55de3b0cd599ae3772e63631cc1d641bf
-
Filesize
727B
MD535c4db15ae8134b1a3c98ea826093e05
SHA1e29e4bc58c86c0afbb1ed0ca27ffeddd5d4e0723
SHA256881e48818c3b760cd417c3f4bd5c267c882688dd97623c02bb9480468f224a1e
SHA5127362fb4193aa2c8de0c8f89de8e1ad74fc218b8e82633cfd73d2066659d50ae2e4bed648a9d553a121048e19cb07ce9e222ee22b302b3dc99b56fd7d79cc4b54
-
Filesize
727B
MD54f2f44acff5c280ecd26b5e7144aff24
SHA1d542052f27cf058cd2bd7d74e75deb8a009bb334
SHA256c9725747ce7f281ac09f3a2287a236369b00e99f310eb837c45b2b4f66b82030
SHA51233d4fcb341e625103b16af3f7b37f4fed5e8d56256980e341fff71356d1a1296192741b96be97de703d8f54af24e3438d0a514edb621ee6e42b1dc4d79089d45
-
Filesize
400B
MD52abb83ecda30dc76f88a5e030e3f65de
SHA1b21a6fb9d3166373f38e35c8e35832636c8bbf78
SHA2563d0cde3d913f3f3df4ac48614def4b3c721a163a833fea9206cf7f324bc4af1e
SHA512d38a036f9fa75af3bfe4c0b254e1fba245aee08157e613bcc82653deb31c7eb28b58fd5d7124f722fe5de4408c30aa6036b248cdaba66eec14b78cfdb4c128ce
-
Filesize
404B
MD5a862a554effbd899831ff7b9f5414fe5
SHA144b4be0db91793b54c34847a360bcedce67d9470
SHA25680373304e73b502182f9a7864cfc7facffb07bfa2fb5adc0e1a0804d371ae24e
SHA512a9c62b2d5c3b34d9a9b73722c45c149c11244582d504e64309a3da835b56c0d05152b2ca5e4cad60e8aaa04f40669d8346265a0556e65cddfc824224e65d051c
-
Filesize
412B
MD5da752e123a3f5a571d9a72e2d7b80b60
SHA159beb44a7465371508532e58bcd4384475fa99c8
SHA2562c4b943ff66f1486e620331985b9a0203bad0e39159151a66549529d02c21332
SHA512908638fe5e0d1b65c9e4079c670f2c23aca5b768af833ee5a7c619bb9a1e3caa9e2091da736914a5a8486f48f046f18f092d8df553d57aebc8b8d50b3762d135
-
Filesize
651B
MD59bbfe11735bac43a2ed1be18d0655fe2
SHA161141928bb248fd6e9cd5084a9db05a9b980fb3a
SHA256549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74
SHA512a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483
-
Filesize
152B
MD56960857d16aadfa79d36df8ebbf0e423
SHA1e1db43bd478274366621a8c6497e270d46c6ed4f
SHA256f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32
SHA5126deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe
-
Filesize
152B
MD5f426165d1e5f7df1b7a3758c306cd4ae
SHA159ef728fbbb5c4197600f61daec48556fec651c1
SHA256b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841
SHA5128d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6
-
Filesize
1KB
MD5149f93e69edc323e38d24a2d9ed9d256
SHA1b26a72f4354749156d2fe68d5d2ea30163c00844
SHA25619c4ed191d21a79971923a5fe6b69dc9cf8ae8acf6403e1728e1245d666c030b
SHA512dba090dbb639aa15104774b7f1804339e0b18c1a9229c26b5182edd6cb7a322a32e3a70434ee134db92c073153670cdad6442c9fda4f0eaaf81a755c4d824992
-
Filesize
408B
MD5b05b5009ea3804d0a6a69cdcbb55ada1
SHA187e4b385244af8a44736a1d85fbf1957481bfdd4
SHA25686ffcf4bc2700fcd865b3dfac99763c9835c1911c5d97674c082db18311f0f2d
SHA512c0122441689787e51b29076462ced1015e1dfc44d8fa68c59c589c77c75965d9eef74a2fe8240d21c9551e8653e8aa9725b2e450af20fbca5a8b43b219aed82a
-
Filesize
1KB
MD5d924a9b1cdc80ccb7bc14a631de58c22
SHA131e91ee33450e81a21f48c07e072c4cb203c555b
SHA25606da940e799b4bfd5de1be4d319eaa4cd37f138cc292355b5ea37efc540b6f30
SHA512ac8f3c67249989cb598a5f23fdb93b2f96edf11d909feb0fcb3f2bdb67e033447e04198134814cb10c8bc6a2972aa010ffce3ea90d9b9c71d5145e217f4afe37
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
7KB
MD5408bcc4270e658c5b38a963a457befff
SHA101f1e7eab6a37a65ea2f2a96f74b79ab98721bc9
SHA2565ca8c880c21e3034d007f1531672ca5722ebff506d01c18a539c51e8992a3e88
SHA512a1214807adaee2c4b473f4b58715ece47f44124736ec428cf42425234aac732e7c3cb5393c6b8ff00292e7a76af523803c5f2adcfdb77eee0c53c0f831f9ed7a
-
Filesize
5KB
MD5580dd4942041b01e52fea21952f84fe0
SHA19c2fae742f0515ad9a25912fdda2a33af600f15c
SHA2561f577023e2ef344906daf7a069e60ad69c5bae298c83faad189a4d9c592c703e
SHA512945765d1d1765a9999569d34aa6b83833b0da6799f0da9c3a3a2aaf9785d2ed2a376f50f3d6d12ead661de4cb22b508f79dc8d1a6cf6f239cefc6ef835490a62
-
Filesize
7KB
MD5e7dbc3dfa80b4d10ba8ea9ba85628299
SHA158caf0226e5e8d2fe713970b3d694a1bbdad308a
SHA256253c25b11bf260bec4f0accaee12e9bd1d5f1dc318dee39497a395409872ab53
SHA5121ec3cee6ff93e2850476495dfbb447abfa00d5538801c07b5653d2d434cadb16ad102e1576e938047ec1e5e4a70c44b494404a7007654ad38456e9fb357ba45f
-
Filesize
72B
MD5e8aa496151e2570a9210aa6307b42f64
SHA1c8a751d07b61a2582a9445de23942a07c85e7b54
SHA2563b8e112960b675703561a66d512de67216701cbab4a5b3ac1ef64353e11233f6
SHA5120b90861c179b2278527aca2f91dd1a9b87031a47ff91988ee2fdc8faddbc60b492cc731ee12f204bde5dfed3f77e474e07eb611dbbf5887e36acb1441a61d90f
-
Filesize
48B
MD507ba7be5983f739977c7b680a19d94b6
SHA115b7599b3083830b0623fc82d22384ad5bc59ad7
SHA256b627f906e0c89886e8d3adf1f0b3bf961f430794c63b8ef18ed4999df436d524
SHA51277d2c48c15f67b4417ac6e5ddf564295fb5fe6b1a50d11b68d08e835920330cefb8ccd84513011d54f3f3dd8857822d7a56f6f0b3a5afe4ca80b112731106f85
-
Filesize
1KB
MD5e4ffc44bc0357d917814136aecf1e784
SHA1fb64e8b6f9a5155011e4177771636d00581e9501
SHA25634b7f4e38e2d0b4349b51bf8782356e240852c4003c7121f4d3efdedaf1dc3be
SHA512492aefaeef7d8806e94a48e422f5c27440be2e006f929c7c32a3b55b10728e819cd299c589b7b517184ba3de7683266833039a1923e065e38528bea63552d472
-
Filesize
1KB
MD546983126d4314b5b46d0141b8fec8663
SHA17e78f8bf05629238ca3f3834b153ab445b897615
SHA2563343ec0702011ec9fe146bd28e782750a035e8d7adf2c11955f61999e0bc6efb
SHA512baca69ed7333f1cbe25d96807a1f9ac3f4ad6a4227f1126f80b576456c532cd88d9e641d404f6798ffffb5b60c98f956b428e39f8845074a94dfb4aa72eae855
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5e547cde07c0217c5d65aae7a9c74a4cb
SHA16060eba338c771c44dc06bfba310cc7a7c9598f5
SHA256490289583c690f266360c8decfb20f4b8959d87f780e1bfb1786404e55f0684c
SHA5121b59f087a5f02ea8e9ace14e87ed75b528ec7a8c293a823c0d0d6209ab5db15e882ab9d6c7642bf9beefe0b4ac3c13574ba6aa8764e7c44ba125a8cb3cec5668
-
Filesize
10KB
MD5e537b10213064bd4d3e75d8639a52b60
SHA14ed979d4b59b8a5f19adb070dddf2849195e7daa
SHA256bd4a25c516ce07a093a1b9153c73d68712bd155cc765c6829de3c48c49d77f62
SHA512a5616e7c3387e1abb35a552c9629a1e456d1bc20bf5065c19dec368c525078586d0430d990706a2f02c9cf87747b49795b5a8750fc95c34d2fba25abf6c9e2fd
-
Filesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
Filesize
2.6MB
MD5d6547a4a2112d04db9ad2036e82b4505
SHA1a5f2b967b8175f9eed0a27a0cc746218a5fa2637
SHA256090de75b51dc027660710e168c516fa0507e30fcf98d4ea2790395e9ab5110ab
SHA51227659fea5fe9841e7338d41fc05fe640419b6ade274f4442ba24952bd96555b94c488f4d80806106401c2b8a06760bf562833e122fbb587d95e2c95e95ea7099
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.9MB
MD537d7404f46d43eac22991c947cc7b1f0
SHA1abcc8525564e8264b539d685e826f957c12ef70d
SHA25606ffaabe4a1829177f078d1e6ad6bbc6af79d16729abcc8a21e4ec854448bb3d
SHA51217ba13c5306b76f41bf3467dd59d0de54c052789750efcf23f7e674f027fb53ccd1a1e5749be035f9a2c77dc8945ccc24444d20a838055daad611c578828263c
-
Filesize
24.1MB
MD5f48fb46d6364f98d3d0ed8f5c227f6cb
SHA149d2ea6a0a5f356767792abd04f003b6a45ea870
SHA256f3e78dacc8e3c853337491deac9c2cd7b1ea2b55a92a280545794fbd842471b2
SHA512cf6cee51df3275602adc55781f82d573249e15b7a72b1c39d79934c25e90d7d6547177ea8446cd7324b0a9031ead266bab7f2a60cc77814c8915a1725efb688c
-
Filesize
6KB
MD5bd365753f2648b9b992f9b6eedebd61b
SHA19d7e3232e26bd6c7c6780650de4e1c51d4fee1e1
SHA25612fb0ab2c868dc794f993a0f8844c2367b16ad044afd334ef2d2ec0fa08c7d8a
SHA5125b31e804126aaf651e4ff0ca25579b232ee0decd857e37d8a6787eb8d43bebf968ca317bc7e7c9e0857c7ea1e0a6f63d2dc47223960d426fad9c72a0be7edabd
-
Filesize
240KB
-
Filesize
72KB
-
Filesize
608KB
-
Filesize
160KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
712KB
-
Filesize
408KB
-
Filesize
224KB
-
Filesize
136KB
-
Filesize
712KB
-
Filesize
704KB
-
Filesize
112KB
-
Filesize
192KB
-
Filesize
48KB
-
Filesize
184KB