Analysis
-
max time kernel
329s -
max time network
334s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23/12/2024, 12:40
General
-
Target
https://ucarecdn.com/d0c4cf7d-0494-4530-bf6d-46e955ab45ac/Processo00840.msi
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
-
Blocklisted process makes network request 10 IoCs
-
Downloads MZ/PE file
-
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 64 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Drops file in System32 directory 54 IoCs
-
UPX packed file 20 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Time Discovery 1 TTPs 13 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Kills process with taskkill 17 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
NTFS ADS 1 IoCs
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://ucarecdn.com/d0c4cf7d-0494-4530-bf6d-46e955ab45ac/Processo00840.msi1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd64e246f8,0x7ffd64e24708,0x7ffd64e247182⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:22⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2248 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5700 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5288 /prefetch:82⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6620 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Processo-[00840].msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Processo-[00840].msi"2⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,17030288724874269733,2092975205319845895,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5448 /prefetch:22⤵
-
-
C:\Windows\System32\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\Processo-[00840].msi"2⤵
- Enumerates connected drives
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 91DB739E4D3EB2D523EBB57F717DDC952⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIEC92.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643421 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIEFCF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240644109 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIF510.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240645406 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI21.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240648234 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7E1B702AF575ABB5147E93838225AC28 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OvoyRIAR" /AgentId="cf3eaf8b-024f-4641-aa6c-7f04aec8c88b"2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B0BD5C5A951A5D78DDD4DB48549D2A0C E Global\MSI00002⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5CA17B1-FAD5-4C5F-9D3E-CC6F0917E53E}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C3498A5-18A7-47EB-AC26-A7B6DF5592FA}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6F06322F-F690-4A40-BC09-ED0EB6D0393D}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{70A1D9AF-C480-4B50-B764-9289767993B7}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F1947049-E980-4A14-BDB9-8078655A3C93}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF7A810F-E762-486F-9163-7335832CA9FF}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3A2445D1-26C0-4FE1-BEF0-4B659F3F8DF0}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F2B8B995-34AC-456B-A54F-26B48827313E}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F9281284-BC16-4DC0-90CF-88FDF9EE2A2E}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exeC:\Windows\TEMP\{00C4F967-3490-4EC0-BFBC-140F57A35D6B}\_is3A26.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2CF4394C-E2AE-4774-9E45-D643FE4D6344}3⤵
- Executes dropped EXE
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRServer.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRApp.exe /T4⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAudioChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRVirtualDisplay.exe /T4⤵
- Kills process with taskkill
-
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7D32879C-0ABE-4EA7-905B-92EBB42F53AD}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{54402A4E-758F-4CA2-BB12-FA0EDB7D8DCE}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{47D9687F-74D5-4566-A466-A43C8A58D0FE}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E967D1BE-EE53-47A7-BAD9-502064B7122D}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{96407E89-D747-49AB-8614-9B5B8F8669DA}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9E4E3980-144B-4A5B-A9E4-63E467BC4481}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{197B177E-3269-4F6E-9197-2FD30AA32621}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9A0B197-8FD8-433A-95AD-2A59676A900E}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6FCD7A28-C9F5-49D1-8568-E744B10B84B4}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exeC:\Windows\TEMP\{72FD2106-6BA7-4823-8254-58B4B8EE8F69}\_is4717.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B561561D-56CA-47B5-A455-46F8FF25FD13}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{549EDEB2-A261-4A73-9FC7-D773BBFAC899}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{47470E8B-0370-40BE-9479-90F2CA78068E}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{19D353A2-0FAD-4D17-9F80-2FC6493D9AA0}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2E4030E8-06EC-4FB9-BA5B-F7A01B3E4338}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CD08A595-3D5E-4836-85C0-7C861A16E4C7}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C2E4670C-6C51-4C8E-BDC8-6924555DC5A2}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9F481A2A-9AB6-4E7A-8541-2259BA248EB4}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA98AA87-D167-450D-97E2-7F66222AC7C3}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{34F3D770-E378-415D-84CB-80FC66D5751F}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exeC:\Windows\TEMP\{06396437-362A-4023-AC30-0736C263775F}\_is5447.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B497113F-8AD8-4539-AFDA-28C84254A079}3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{64D232C3-7E63-486A-BC58-375A1FD0817F}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{05A05964-6A7D-492E-A490-5B725C1ACE41}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2574259B-6A3A-4B8A-9655-F6183803F908}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D538897E-4E54-41D1-AFA6-2437EF782130}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AD9F1207-B1C6-4EC8-8F7C-8A27C0D4B9FA}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3B65A28C-8924-46EB-A96B-06F0266B2DA2}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BF34A554-A03C-4233-839B-F4AD39CB18F7}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8A448F0A-5798-4AB2-AEC7-0F4F68D7944C}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A9412AFD-047C-4BA3-9A44-03AC7D0C0B72}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exeC:\Windows\TEMP\{4128C4A0-9226-4F3C-B49F-DD6611E34D87}\_is6699.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B6CD6A84-32A9-43FC-B491-1D4CC6675439}3⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i3⤵
- Executes dropped EXE
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5A325E6A-69C7-4F6B-BA36-685FDF8B40DD}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F988D9BD-1113-4736-9BAD-D08601951AC4}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{318C8A16-D1E6-47D8-8630-D18F8B584CCD}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4B2D62F9-B1A7-4E1F-8ECB-7F19CA544D00}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0FA66016-48EE-45C8-93CB-2E09EF404114}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{83ED62C0-3463-4714-BCDD-592325173C33}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B435866-A936-43AF-AF57-C0FCC3469077}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D12E450A-30FA-44B2-A9C4-9C99A91EF1F4}3⤵
- Executes dropped EXE
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{354C01AD-821D-47D9-84DE-5171562617FC}3⤵
-
-
C:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exeC:\Windows\TEMP\{0B0EEE50-B4DD-45AD-A1DC-5BAE6D88C869}\_is6A05.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{240EEB2C-586E-412C-A93E-33EF89CD8F96}3⤵
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r3⤵
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 36F8277B7FE78FDD99B1323DF1E15605 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIBEF8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240697109 463 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIBFD4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240697296 467 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIC321.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240698125 472 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIE7E8.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240707578 510 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u2⤵
- Drops file in System32 directory
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="" /AgentId="7c20f966-4b84-4af3-a830-5329537fccc0"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4E0FE93C3B9A4E0751BB7BED3234A9E2 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding B674572013208722EDA50D472A6F0D5B E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 523BAF5573F55FA4989229104C666540 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding F74A9746B94ECCE3F41FE917EECF6AC22⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI6CEA.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240872687 536 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI6E04.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240872937 540 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI70F3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240873703 544 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIBA79.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240892500 578 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4DE35EA3F7FB590CC5B1E50D82AAF1E8 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /u2⤵
- Drops file in System32 directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000OvoyRIAR" /AgentId="40f9d7a2-4bc9-44c5-8621-eae3d64ae857"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 0DE36C99B9425348E2F75065799A0383 E Global\MSI00002⤵
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI4E5D.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240930375 583 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI4F1A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240930531 587 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI513E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240931093 592 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- Kills process with taskkill
-
-
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
-
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI7087.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240939078 630 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u2⤵
- Drops file in System32 directory
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="" /AgentId="65bcfca3-eb58-49d4-87cc-c7c59b0372da"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "4db0f626-d41d-4ccb-8776-4be5e70563f7" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OvoyRIAR2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "8dd84182-43f9-4968-9b86-9a1b18237498" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000OvoyRIAR2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "8461d674-df91-4c12-b267-a53c604dd713" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000OvoyRIAR2⤵
- Executes dropped EXE
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "61d25999-8436-4171-8895-47b827340caa" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000OvoyRIAR2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "b8deebb9-e3be-4778-a1f4-a19a3108778e" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000OvoyRIAR2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "9b4e510c-a4c4-4db1-a606-eb21c13b3ab6" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000OvoyRIAR2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "8009e5f3-bc5f-4f35-a157-e09ca4f6128a" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OvoyRIAR2⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "69d4eda5-55c2-4949-8835-358379efad99" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
-
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart3⤵
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "99b2a65f-a091-468c-ab46-44fbd72696af" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "51d870d0-7512-4842-b088-ce2ce70b7262" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "7d8243ba-ad54-4478-a8dd-f0b1c0b12f21" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "58ca7cff-b33b-4949-8e95-1b3b8bd4e2b5" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "42f8d488-9061-401b-90c6-64a5c0efafe5" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
-
C:\Windows\TEMP\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Windows\TEMP\Agent.Package.Availability\Agent.Package.Availability.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b 42f8d488-9061-401b-90c6-64a5c0efafe5 agent-api.atera.com/Production 443 or8ixLi90Mf connect 001Q300000OvoyRIAR3⤵
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "1dbd1690-347a-40f6-85e8-c08d69b701b5" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "a3638ab6-cbfe-4883-8fac-686e803764aa" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000OvoyRIAR2⤵
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=0e846f005ae463f68a784544f87e3277&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "d64c184d-804b-4a66-b102-931cded704e4" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "ad7d5b6c-d172-47e5-b1a9-552f7e68e09d" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "d3fdefbc-dea7-473c-a4b1-c5fb813ef62e" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "1f890a3b-a34c-4794-b74e-20d0ab9a839e" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiOC4wLjExIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU1ZWIyYTQ5LTI1MjMtNDAyZS1iNjIzLTdhOTAxN2I4YmRlZi84Y2NkNDBhMjEzZWMyOTY0YWY0MTlmOWY3MjI2MzAyNy9kb3RuZXQtcnVudGltZS04LjAuMTEtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8zZjkyNmRkMi1kMjM0LTQzN2EtOGY2YS1lYTZkNzdjMzY4NGMvM2U4MzZhMzQ1YjEzNjA5MTcxM2E3NjliODdmMzQ5OTMvZG90bmV0LXJ1bnRpbWUtOC4wLjExLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzljZjYyYmI3LTAyZmEtNDA3Mi1iNzY1LTVlMDRhZDA4OTc4OC8zZjM0ZGQ1NjU5Zjk5MTcyYWVhN2M0Y2M5ZGM3YTk3NS9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci81M2U5ZTQxYy1iMzYyLTQ1OTgtOTk4NS00NWY5ODk1MTgwMTYvNTNjNWUxOTE5YmEyZmUyMzI3M2YyYWJhZmY2NTU5NWIvZG90bmV0LXJ1bnRpbWUtOC4wLjExLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E4ZDFhNDg5LTYwZDYtNGU2My05M2VlLWFiOWM0NGQ3OGIwZC81NTE5Zjk5ZmY1MGRlNmUwOTZiYjFkMjY2ZGQwZTY2Ny9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6Im1kZUhHZFVWTllIM21IcW1FMGJMaG5mNUpqNWNVaUZvdHFVSUk3bXltVEZKTXkwYzNvNWZ2YlFJSFx1MDAyQlU4bHA2QVdWZllPeS9wbXFLREpZZ3lTN3gyNEE9PSIsIk1hY1g2NENoZWNrc3VtIjoiTUdaVmR6Z0xqbjlIWmFZU21OWi9oMDZibVNRWS9ZSVJQeTdhQzNkM0kveWtLTFx1MDAyQkNubmUweUtQd1h5TW9pSHpONEtqWGZIeGdwcW0wWHJuaDlNSE04Zz09IiwiV2luQVJNQ2hlY2tzdW0iOiJWMEs0bVZwbFx1MDAyQjkxd0FYMWlZWEZyV2EyTTdORldYSjAvT29KSjMzQklWRlV1WXRzSE14TUsydWxnaTdcdTAwMkJQc1QwY1paeFBORDlhZ2t0dWZXRnZwMDl0b1E9PSIsIldpblg2NENoZWNrc3VtIjoiM05UbUVqazRubEg2Tm5ra1RmS2N1L1E5M1FNRlZHUjUxa3hlSGFQQTlESXZZS0N2VmpkYUxUNEpVY2x6VkcyL2djQW1pXHUwMDJCVXlrYXJkV2piR1hEXHUwMDJCUUh3PT0iLCJXaW5YODZDaGVja3N1bSI6InREanNWcmljT3g4RkJ1TEFzUjFVTXd4d2tQUktLOHhVdURSVVQ0L0E1b3NrdjVKdE03UzFrejBuU2FFMXRzY2JtcDROeDZ3SUNPUmZxRkJINzNlUnF3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000OvoyRIAR2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
-
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
-
-
-
C:\Program Files\dotnet\dotnet.exe"C:\Program Files\dotnet\dotnet" --list-runtimes3⤵
- System Time Discovery
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe" /repair /quiet /norestart3⤵
-
C:\Windows\Temp\{744A3B79-6C83-40FA-B110-92B56D3E1317}\.cr\8-0-11.exe"C:\Windows\Temp\{744A3B79-6C83-40FA-B110-92B56D3E1317}\.cr\8-0-11.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe" -burn.filehandle.attached=720 -burn.filehandle.self=456 /repair /quiet /norestart4⤵
- System Location Discovery: System Language Discovery
- System Time Discovery
-
C:\Windows\Temp\{52C3E1C5-99F2-408B-ABC8-B82A9B632B66}\.be\dotnet-runtime-8.0.11-win-x64.exe"C:\Windows\Temp\{52C3E1C5-99F2-408B-ABC8-B82A9B632B66}\.be\dotnet-runtime-8.0.11-win-x64.exe" -q -burn.elevated BurnPipe.{BE04B8F0-A893-454A-8723-FA7AF3CC4B28} {6DEA7B46-80A3-4FD6-860C-665425801888} 13925⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- System Time Discovery
- Modifies registry class
-
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
-
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
-
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "8dd0d6c4-21d0-4b7f-acea-b59a8beab950" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v4⤵
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵
- System Location Discovery: System Language Discovery
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "75ee6e25-0fdc-4450-ad6a-a952a0583bdd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "b2ade618-5c8e-4025-8f1e-62a99f179695" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OvoyRIAR2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "cbac8b9b-dda5-4daa-8b58-101c72e95adb" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "1bfba625-0007-4ece-bb73-0c4a15ceb227" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "87812e9f-77cf-4302-81f0-fc9951102dad" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OvoyRIAR2⤵
- Drops file in Program Files directory
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "2d1117f1-a021-4fe4-aa7f-dafed0000a22" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OvoyRIAR2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "e6e438fd-ba07-4fa0-a8b5-d436c7668075" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000OvoyRIAR2⤵
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=0e846f005ae463f68a784544f87e3277&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "f53ca7f5-9208-47fb-b4cb-0e8d98c23b3c" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "6de44d99-8355-4596-80f0-67f1950c8bb6" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "dbb99d25-f390-4d02-84b8-3c41ed353c12" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiOC4wLjExIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU1ZWIyYTQ5LTI1MjMtNDAyZS1iNjIzLTdhOTAxN2I4YmRlZi84Y2NkNDBhMjEzZWMyOTY0YWY0MTlmOWY3MjI2MzAyNy9kb3RuZXQtcnVudGltZS04LjAuMTEtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8zZjkyNmRkMi1kMjM0LTQzN2EtOGY2YS1lYTZkNzdjMzY4NGMvM2U4MzZhMzQ1YjEzNjA5MTcxM2E3NjliODdmMzQ5OTMvZG90bmV0LXJ1bnRpbWUtOC4wLjExLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzljZjYyYmI3LTAyZmEtNDA3Mi1iNzY1LTVlMDRhZDA4OTc4OC8zZjM0ZGQ1NjU5Zjk5MTcyYWVhN2M0Y2M5ZGM3YTk3NS9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci81M2U5ZTQxYy1iMzYyLTQ1OTgtOTk4NS00NWY5ODk1MTgwMTYvNTNjNWUxOTE5YmEyZmUyMzI3M2YyYWJhZmY2NTU5NWIvZG90bmV0LXJ1bnRpbWUtOC4wLjExLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E4ZDFhNDg5LTYwZDYtNGU2My05M2VlLWFiOWM0NGQ3OGIwZC81NTE5Zjk5ZmY1MGRlNmUwOTZiYjFkMjY2ZGQwZTY2Ny9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6Im1kZUhHZFVWTllIM21IcW1FMGJMaG5mNUpqNWNVaUZvdHFVSUk3bXltVEZKTXkwYzNvNWZ2YlFJSFx1MDAyQlU4bHA2QVdWZllPeS9wbXFLREpZZ3lTN3gyNEE9PSIsIk1hY1g2NENoZWNrc3VtIjoiTUdaVmR6Z0xqbjlIWmFZU21OWi9oMDZibVNRWS9ZSVJQeTdhQzNkM0kveWtLTFx1MDAyQkNubmUweUtQd1h5TW9pSHpONEtqWGZIeGdwcW0wWHJuaDlNSE04Zz09IiwiV2luQVJNQ2hlY2tzdW0iOiJWMEs0bVZwbFx1MDAyQjkxd0FYMWlZWEZyV2EyTTdORldYSjAvT29KSjMzQklWRlV1WXRzSE14TUsydWxnaTdcdTAwMkJQc1QwY1paeFBORDlhZ2t0dWZXRnZwMDl0b1E9PSIsIldpblg2NENoZWNrc3VtIjoiM05UbUVqazRubEg2Tm5ra1RmS2N1L1E5M1FNRlZHUjUxa3hlSGFQQTlESXZZS0N2VmpkYUxUNEpVY2x6VkcyL2djQW1pXHUwMDJCVXlrYXJkV2piR1hEXHUwMDJCUUh3PT0iLCJXaW5YODZDaGVja3N1bSI6InREanNWcmljT3g4RkJ1TEFzUjFVTXd4d2tQUktLOHhVdURSVVQ0L0E1b3NrdjVKdE03UzFrejBuU2FFMXRzY2JtcDROeDZ3SUNPUmZxRkJINzNlUnF3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000OvoyRIAR2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
-
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "b48651e8-1e96-4f0b-8e7d-f3a1585c4034" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "0f29baa5-41b6-4c69-94eb-47f2d17338a1" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "011b78be-f0e7-4461-811f-fea13232a897" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "8ed25d79-49aa-4373-92be-2c01351b2da7" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OvoyRIAR2⤵
-
C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "cf3eaf8b-024f-4641-aa6c-7f04aec8c88b" "8ed25d79-49aa-4373-92be-2c01351b2da7" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates" "001Q300000OvoyRIAR"3⤵
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "75ee6e25-0fdc-4450-ad6a-a952a0583bdd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "75ee6e25-0fdc-4450-ad6a-a952a0583bdd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "2d1117f1-a021-4fe4-aa7f-dafed0000a22" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OvoyRIAR2⤵
- Writes to the Master Boot Record (MBR)
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "75ee6e25-0fdc-4450-ad6a-a952a0583bdd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "1bfba625-0007-4ece-bb73-0c4a15ceb227" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "75ee6e25-0fdc-4450-ad6a-a952a0583bdd" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "87812e9f-77cf-4302-81f0-fc9951102dad" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OvoyRIAR2⤵
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "09307146-6b48-40a8-a9de-6dad22eacfcb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000OvoyRIAR2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "b63d7cc7-e20c-4719-bce8-6701f2ac84e0" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "c7d509ce-387e-4728-bd7e-20d83a7e1860" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "03ac1410-ccba-43ca-a0ac-08f661b277b8" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000OvoyRIAR2⤵
- Blocklisted process makes network request
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "3020faf1-ecc7-4521-b9d5-6e4ea66b9340" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "38b87a60-27a6-49ef-83b6-0cc43b877eda" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "7ff3473d-617d-4372-bbb4-64c8b35f8b5a" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000OvoyRIAR2⤵
-
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart3⤵
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "33691148-9a7d-4caa-b388-3d12e63b474d" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "44b8ceaf-3857-456f-a281-ddc154e039d6" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiOC4wLjExIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU1ZWIyYTQ5LTI1MjMtNDAyZS1iNjIzLTdhOTAxN2I4YmRlZi84Y2NkNDBhMjEzZWMyOTY0YWY0MTlmOWY3MjI2MzAyNy9kb3RuZXQtcnVudGltZS04LjAuMTEtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8zZjkyNmRkMi1kMjM0LTQzN2EtOGY2YS1lYTZkNzdjMzY4NGMvM2U4MzZhMzQ1YjEzNjA5MTcxM2E3NjliODdmMzQ5OTMvZG90bmV0LXJ1bnRpbWUtOC4wLjExLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzljZjYyYmI3LTAyZmEtNDA3Mi1iNzY1LTVlMDRhZDA4OTc4OC8zZjM0ZGQ1NjU5Zjk5MTcyYWVhN2M0Y2M5ZGM3YTk3NS9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci81M2U5ZTQxYy1iMzYyLTQ1OTgtOTk4NS00NWY5ODk1MTgwMTYvNTNjNWUxOTE5YmEyZmUyMzI3M2YyYWJhZmY2NTU5NWIvZG90bmV0LXJ1bnRpbWUtOC4wLjExLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E4ZDFhNDg5LTYwZDYtNGU2My05M2VlLWFiOWM0NGQ3OGIwZC81NTE5Zjk5ZmY1MGRlNmUwOTZiYjFkMjY2ZGQwZTY2Ny9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6Im1kZUhHZFVWTllIM21IcW1FMGJMaG5mNUpqNWNVaUZvdHFVSUk3bXltVEZKTXkwYzNvNWZ2YlFJSFx1MDAyQlU4bHA2QVdWZllPeS9wbXFLREpZZ3lTN3gyNEE9PSIsIk1hY1g2NENoZWNrc3VtIjoiTUdaVmR6Z0xqbjlIWmFZU21OWi9oMDZibVNRWS9ZSVJQeTdhQzNkM0kveWtLTFx1MDAyQkNubmUweUtQd1h5TW9pSHpONEtqWGZIeGdwcW0wWHJuaDlNSE04Zz09IiwiV2luQVJNQ2hlY2tzdW0iOiJWMEs0bVZwbFx1MDAyQjkxd0FYMWlZWEZyV2EyTTdORldYSjAvT29KSjMzQklWRlV1WXRzSE14TUsydWxnaTdcdTAwMkJQc1QwY1paeFBORDlhZ2t0dWZXRnZwMDl0b1E9PSIsIldpblg2NENoZWNrc3VtIjoiM05UbUVqazRubEg2Tm5ra1RmS2N1L1E5M1FNRlZHUjUxa3hlSGFQQTlESXZZS0N2VmpkYUxUNEpVY2x6VkcyL2djQW1pXHUwMDJCVXlrYXJkV2piR1hEXHUwMDJCUUh3PT0iLCJXaW5YODZDaGVja3N1bSI6InREanNWcmljT3g4RkJ1TEFzUjFVTXd4d2tQUktLOHhVdURSVVQ0L0E1b3NrdjVKdE03UzFrejBuU2FFMXRzY2JtcDROeDZ3SUNPUmZxRkJINzNlUnF3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000OvoyRIAR2⤵
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
-
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "e1068b11-e124-4393-867d-f959cb201a50" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "1b098b47-231e-4ed4-bfed-72d4eba6ebf1" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000OvoyRIAR2⤵
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=0e846f005ae463f68a784544f87e3277&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "61af8ae0-2123-4665-8620-b7503cfcdfdf" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000OvoyRIAR2⤵
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "064df9db-794e-4a0e-82ce-2f15e48c1f11" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" cf3eaf8b-024f-4641-aa6c-7f04aec8c88b "bc1e35b4-c64e-440f-a9c1-a8dc08171613" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000OvoyRIAR2⤵
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD50d70ac2e0954d54b6e73eb24d9f28d08
SHA121791022bf34cd507a786872fa2420d1346974e6
SHA256ea523d10cff4fbeafe6c13b7432ea9e66b5733b7ee862b121ef1eaef055e1bbc
SHA51218aaa9f7770c5ecc4e2a6601a1b05f499d973d9e4984c4613e8bd0a44b9763cc962cc594476e17514594db278fc55f44ca44e9509b23db5971021f75a373ba11
-
Filesize
74KB
MD5ecb4ea8c79ec8b291707aa9c0146ff65
SHA14f86dbd55cea8c1a9dcac617448627bdbfa80f16
SHA25638cb6330d5e09c283e3b5cef0f4f48582d6e35c2e1dfd3ab3a3ec2d9360148c6
SHA5120cb67dd4de70f35f3a54d6e4f038e39193dce7646b9d4f220dd4823659a436cee040bc6d3a44d36f99dec77f523a04ae5acc19b059c6d05e0c914d55df45c882
-
Filesize
464B
MD5ad0d2fec8c6f5a96c17b93a60e0bddc6
SHA1b8919286237fa8ba0dbd65e6fc113eeb597617ab
SHA25696c08c2b24103cf6a1ca562f81e4b99cdfc46ed8a5ea8640a3c50a4a562d3a25
SHA51242902adc8695715db157b5e2e1c3e26d5748101ce0c62e25d073997954d1f1eb3a80c92a33666997aeacc084136a5d2d51194b6d88b2b2ccf2e73bde4f74663e
-
Filesize
9KB
MD577ad63f65ff2152bbd78caf7fe422091
SHA1a447961624e45bfd0a423a637a4b2c315329b0f2
SHA25697d67212cf04567d3c19e8feff9f23becd8419e132785d60d2a9dda15d4fa66c
SHA51255e89fd508eedf1ae7343e5695afc10640200bebda8510574729714a269701c1e8d9145746ba85086b57578b5838c5606657e279fd45f5de43c1a74f50d2eb1a
-
Filesize
8KB
MD50b82f1fc649737be0fbaa216497f632a
SHA129c2a48414fa3d1253eb324794763a31e69a4d9f
SHA2561104b5b66f27bfe19e0aa029f4521153d4dafb3310fcf6dc89db9d94879dc447
SHA5128300012b43a2a68d96320fabd27f87a51b126f592d3491fb426f9972ae6f2b6be002967675fa59a27cadb5fe823f1cf468bb14410d5b4467489f738ef2b030cb
-
Filesize
48KB
MD58511ca3f66e63e635e22d24c7cb924f6
SHA133f92072c31054459af1c18fe16657d875be5540
SHA2565ddf2b02f140a8f9eacda47f527cf213d5d7a24645c2d30c109bb85dfc668863
SHA51261a95a8c142359460dd261f0d113237f81d3ab92d95600b0b84ad76a64554902c8649a1fb139750619f9318b1237b6f3e9fde712baf1254ad5fc6f23df3581fc
-
Filesize
9KB
MD57b5c7af5fda5ec098f9f9f479f4294f2
SHA17d042fe9c2a5aadcf5aedfe5ee758d6cfb50b65e
SHA256e0b3e76b8f504f15604796da629f68956398800461103a63b2263e9cb257060e
SHA5124a10c074b5ee5f8ab202f7d4ed52bde312eed63e65ff170e34a392ed41955f78b90b4a2fa31f652c85aaf0de00283a6988247c583811d2ad8f04f835b9b1a4ab
-
Filesize
11KB
MD56ab4192757f475fca14937f3cdc2a1fa
SHA1607ff437711e25153e14e6a4dc544015f54d721e
SHA25645116eb079f38b3493af99276b9f1cf0a9d33609e32b1b17e430020ad2fb189a
SHA5126a43ca352abd096bb84a90d8e8d523d52842596db6155808f21d13a56e91fbc56eb932ea4ae57b8fe4ede440171e0a621d90b84de43df14f1df25503f40c5f9d
-
Filesize
8KB
MD58b6f58ca5aeccb140cdd82f7a8703e4f
SHA1a66285b6f1f0f46e7d3cb28c843f477d4d4aadbe
SHA256fdb139359e9f32a780b920b29faaecda6cad8c12cc7e8942fd7296879ac59d19
SHA5126aee1de0707308fac81d2be66c8a10ab7cf5f432d0fdee22fdc2505ad2ee8f1ca22794d1e93414a71c46755ac555154e24442f090678c20c75300ba7f7e7c73f
-
Filesize
143KB
MD533b4c87f18b4c49114d7a8980241657a
SHA1254c67b915e45ad8584434a4af5e06ca730baa3b
SHA256587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662
SHA51242b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9
-
Filesize
3B
MD521438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
Filesize
9KB
MD55f278bd72cccccc5d9ef8542556ed4f0
SHA1165f315de0efd03b2843254cf68a8003ad150d3f
SHA25615c6a5bff3405dcca9d53fc8f68a347e5ac7fc7056fcf29f5111279e33f479eb
SHA512c531df937dd623c2649a4e4f28d719030127b135a069e054333e850eb066ea3499273f6ec59e6de8623fd15119a545b5af8fdbb5b6fe8ea663ae88269b94ef38
-
Filesize
71KB
MD5f4d9d65581bd82af6108cfa3dd265a9a
SHA1a926695b1e5d3842d8345c56c087e58845307a16
SHA256a3219cd30420ebcf7507c9c9f92fd551ae19999be247caa861a8a22d265be379
SHA512144c1195a440907592b22fc947f4284ca36869bdae495ec8ca5212af4f63e8e8492fb0ec3b37bf66db912af30864c69588d0e35ed9b3d24d36df3b09ddb5b6c3
-
Filesize
3.2MB
MD511cc798bafa45be12d27c68d6b59ba27
SHA14d1ca0c0f1bc3691f5f852cc8d3ed88605b70434
SHA256443a1c088e62810a954ffe9f0136f7a8d5e44928425d23b5284d936270d9837a
SHA512fa0aeaf5309fd1593db8af774f18aa9cda9b7abd3f32d34cfd1b615ee68ceca0155dfb0ab7351e182b1b9d872bf41b19e66d2b597d2ba6300af332a0f525c75a
-
Filesize
8KB
MD5edc288878e22a2988565f384285caa05
SHA1dc53e77555a582fdba2c11b95043573fb1fd99e4
SHA25617737bf97f502c0b82c0bf8731c37f2d88d7cca901435d3102e7f985fd962294
SHA512291df485479a314740b1666dc4a4d3e31ce3b92b7d81148380284fc870299c762f5720f90997e7ebf1f20a493d2a12d5cb9916707536b3dd5aad801269d8da67
-
Filesize
9KB
MD5f64865d158552c6253eeba667a184c66
SHA17ba4700f26c7782bcba4bd2582068249a91e0657
SHA25652a7241528e92eb1473f0337bac2cfd6ce233cd9cdb5599ba2d395957725b506
SHA512ffbc68fd964ba030d7293539103a1012a2db459bb5194de5dca589234524d886c24fca2b79cf23b0182e5a4519833777099204b19e03ec74f340e2201a69d04f
-
Filesize
8KB
MD5da530638c0d922b58f51b04921f5aab9
SHA1dbdfaa81a2e4b56d2def78906877b1e7f10e5064
SHA256fba9386fac5fcf2bc8694e4b2bc9d0c7e3f11347c3c41aaf6e84ccb10a2a5093
SHA512f6952e0817b9b76089ed1a3ac633376389e92682727b16169ad93a3b899a698ac03e22e68c54f50d1bb4ad5e66bd423cebdfad0a3c11d2d27e8b8a4d8a9ee864
-
Filesize
1KB
MD53840b31c383fdf49bfd6740d945c9032
SHA1a6f50164a69718bcef4664d7c47534f0d721866a
SHA2561f119f4fda8028b420e70ee1637c65e2b4198b41eb3eb44d911afa6f1a0bbc64
SHA512f5315421d4bc5f08fef4e1449e5799ddf311f08eda317a9eaad8c88c2e7b7c26182bd586c0221ffe5f4112e5d6e05f5d45d2d0382b0ed51ca25aa94d4d95a84d
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
Filesize
158KB
MD51922740d2479c7d0cd6fb57c3d739543
SHA1877a807a396156be1d0c2782391cabc29ea15760
SHA25620443f66e184311fd412158cb162e36b0172332cd6d401cec9ee5fe17df75e58
SHA512d624bad0fcd8afc190a5de241da341a3f39d6aaa0e5eacdf8b14e8e74515b688f06e2cdc75da0634880ea98238a1d26cd2d2bfaedb6d92067dace99d0963975c
-
Filesize
145KB
MD52b9beb2fdbc41afc48d68d32ef41dd08
SHA14a9ea4cf8e02e34ef2dd0ef849ffc0cd9ea6f91c
SHA256977d48979e30a146417937d7e11b26334edec2abddfae1369a9c4348e34857b1
SHA5123e3c3e39ff2df0d1ed769e6c5acba6f7c5d2737d3c426fb4f0e19f3cf6c604707155917584e454a3f208524ed46766b7a3d2d861fa7419f8258c3b6022238e10
-
Filesize
51KB
MD53180c705182447f4bcc7ce8e2820b25d
SHA1ad6486557819a33d3f29b18d92b43b11707aae6e
SHA2565b536eda4bff1fdb5b1db4987e66da88c6c0e1d919777623344cd064d5c9ba22
SHA512228149e1915d8375aa93a0aff8c5a1d3417df41b46f5a6d9a7052715dbb93e1e0a034a63f0faad98d4067bcfe86edb5eb1ddf750c341607d33931526c784eb35
-
Filesize
11B
MD5530f2e4e5e3dda283db3c78cc0c13297
SHA1cf60b778d32c9562b94411da9dcd8fed2017ab84
SHA256447163a4a3f1f10afd9ec48f915085b3236f0fa7edc9973c16925edb5f6cf0cc
SHA512dd4f7af9a0f57707d1924bb504d3fc267b4898b909cf6e6ecd274bbc9b487a5ce5d8000e3fad6ec0061e565c728455965c91f1b4e380227264ad2ee3e2990e28
-
Filesize
174KB
MD583fd950ed584099a4125efba77e26baa
SHA1c686501c1cde18346b237c83450333e95570b844
SHA256073e4cb181df1d54b75277a52356a8d42573d61e878710bacda8f2b0931d08a1
SHA512c933c7c1fa3defe69cb1a86193a04533068c3695dcc14b235da9e9342c5a81245060c72669069f2a06410de7aea1cabdfbc41b410353c597a731250e00ccbe93
-
Filesize
12B
MD5f647bc6b4e05b062bde5a2f379b438be
SHA117ffc1b640a9ad0a8dc087cca6c99478197ebaa0
SHA2565f46695d90cffb577a2961a23be6dfac09b39bfb2b9cba13e5327407ee3557b6
SHA5127edb51cefc77a67ef55093aa31d5c8ac899a6681d53ae6300132d851644cb15a0762511c61378c4c8c8c02a1b83a704e834c627b0998673085357a04599280af
-
Filesize
27KB
MD5797c9554ec56fd72ebb3f6f6bef67fb5
SHA140af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb
SHA2567138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49
SHA5124f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08
-
Filesize
13B
MD527ad88a291fc97d97fd773334de4e487
SHA104b5db46f05e02e2ec94b8a0a3447ea41fa4089d
SHA2564e7f8923223cb32e5d376ebc0c5361dd97db201848590c4877d586723142b49f
SHA5125b21a87e19d4e3d7a14dc05c815b8d06500695360aad1f54d2d3713cf05f646e9e7d559551bfe2cc2cdebce29a1991bc80ab2b11ddf79a4033897b34dca40521
-
Filesize
214KB
MD501807774f043028ec29982a62fa75941
SHA1afc25cf6a7a90f908c0a77f2519744f75b3140d4
SHA2569d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e
SHA51233bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02
-
Filesize
12B
MD5dfdd2eb77bbb74518bad98519a857d41
SHA15f4f91d73ea620cdf0e5ac458e80b71412b1bb9f
SHA2567655078305cc5b4f62569ef9868e1b04fcc491d33fdad1f8e4610c038bcbac8d
SHA512481cda97c03294ebab036f99727828983c8d0e4c137af05fdea7fd296d11378904bacce2d58d44f932a0bf7f2a30a9b44f4cbc05e253f132b1ef641f648c8df0
-
Filesize
37KB
MD5efb4712c8713cb05eb7fe7d87a83a55a
SHA1c94d106bba77aecf88540807da89349b50ea5ae7
SHA25630271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75
SHA5123594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8
-
Filesize
3.4MB
MD5e010d1f614b1a830482d3df4ba056f24
SHA15873e22b8c51a808c06a3bbf425fcf02b2a80328
SHA25698a98dd1df25d31a01d47eaf4fa65d5f88bc0ad166f8f31d68f2994b4f739a9b
SHA512727877929530e08062611868fd751d1b64e4c7d28c26b70f14c7cd942b1ae1579cba2a2ef038bad07032ef728ae277963ffb3e1ab7a5c28351326fabad84daa6
-
Filesize
389KB
MD55e3252e0248b484e76fcdbf8b42a645d
SHA111ae92fd16ac87f6ab755911e85e263253c16516
SHA25601f464fbb9b0bfd0e16d4ad6c5de80f7aad0f126e084d7f41fef36be6ec2fc8e
SHA512540d6b3ca9c01e3e09673601514af701a41e7d024070de1257249c3c077ac53852bd04ab4ac928a38c9c84f423a6a3a89ab0676501a9edc28f95de83818fb699
-
Filesize
12B
MD55796d1f96bb31a9d07f4db8ae9f0ddb3
SHA193012724e6cc0a298838aede678806e6c0c6517d
SHA256a90d255cce3b419641fa0b9ba74d4da464e0ce70638a9c2eba03d6b34fca1dc4
SHA512890112ddcb3b92b739c0dd06721efa81926ce3aab04c55cdadb8c4e6b7a28c9796f08f508249db189547dc4755804aa80cc8b104dd65c813a0450aad2cdda21c
-
Filesize
48KB
MD5b4a865268d5aca5f93bab91d7d83c800
SHA195ac9334096f5a38ca1c92df31b1e73ae4586930
SHA2565cbf60b0873660b151cf8cd62e326fe8006d1d0cbde2fad697e7f8ad3f284203
SHA512c46ee29861f7e2a1e350cf32602b4369991510804b4b87985465090dd7af64cf6d8dbfa2300f73b2f90f6af95fc0cb5fd1e444b5ddb41dbc89746f04dca6137b
-
Filesize
48KB
MD5cf89080500ff331d89bc0838ecdd5843
SHA16cbf6fbc4292199416ca52951387e63ab8391b4d
SHA256b81c30dbe5e81f32a4e73b1c530e8a24eaa6451c2b02533f8e49c09dcc870a62
SHA512fe456ed96f0c8a8569171b85c9d5d15cea09a308bb8e537b382ec688793d8129f9a6aa6ff34ed984521e3cc0ff3edc962c928d0f2f973ea9d6ab3f5c2ede3b8d
-
Filesize
197KB
MD5d0d21e16e57a1a73056eae228da1e287
SHA1ab5a27b1d3d977a7f657d0acdf047067c625869f
SHA2563db5809f23020f9988d5db0cf494f014a87b9dc1547cf804ae9d66667505a60c
SHA512470bac3e691525ff6007293bac32198c0021a1411ba9d069f88f8603189b1617c2265fe6553c1f60ef788e69afcb8aa790714c59260b7c015a5be5b149222c48
-
Filesize
12B
MD59a5e9a329e4e73e0c499371205a810db
SHA15b6d85657d4acd89867283fbe372e9e85c30686f
SHA256d109087c4ca318cad74b7560c32594d37181885adbdc9348ba1dd35d47b35b92
SHA51202bd5261b9e795ed5a07badd65a6cf71d18751452fb44bdd424dfcc6c50ba7441e0066b125e731018fd6f1a8a002ac4e6961c7eff21c36fbda58c8015a100c43
-
Filesize
56KB
MD5cb9890b01a396f64d702ad10f441003a
SHA144c086ce6bb8078e252f41f5becc1cb650ff2f33
SHA2561a7194e86b266261501b7ed1ad3ea13fe73dfeeddcd1ba884894a0155bdbe2ea
SHA5126cea4a2e31bd33cc13a9f5ea4d162b75bed863db2569b0ed46c7389f3bcdba3333cdddcf2ea83c95ce3678458796d4a476f151705cf256e0f4edba6cd1cac952
-
Filesize
12B
MD5b59798490d7fc941b65d9d167bf653b0
SHA1847d3b03fcc645d7decb28202e6f81b4d74df41e
SHA25643908848f40428c43f5e14ee3936e05bbb34b25b1ab02649c1b18a9b865e5f5b
SHA512e90fea91f738c54c834a17feedc34df9aeb9b998b650c0046fcd5398ae25a003b6cf1069340cbdde8ba5c85dc525a50e1967e5508c75e031018d9ac4e371ed3b
-
Filesize
9KB
MD59d1528a2ce17522f6de064ae2c2b608e
SHA12f1ce8b589e57ab300bb93dde176689689f75114
SHA25611c9ad150a0d6c391c96e2b7f8ad20e774bdd4e622fcdfbf4f36b6593a736311
SHA512a19b54ed24a2605691997d5293901b52b42f6af7d6f6fda20b9434c9243cc47870ec3ae2b72bdea0e615f4e98c09532cb3b87f20c4257163e782c7ab76245e94
-
Filesize
9KB
MD514ffcf07375b3952bd3f2fe52bb63c14
SHA1ab2eadde4c614eb8f1f2cae09d989c5746796166
SHA2566ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed
SHA51214a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4
-
Filesize
8KB
MD5ac6ef623579603628661e59d6e3846b5
SHA17ac013243288e6d3b332964a247522de8f868bc7
SHA25697167da37f265098e9cd6799e0aa6d6d9fd8acc4059bc1f436556eaeea664a5f
SHA512995e96fea5af43068ba0b3e12c8feeeee28eb7cafc139264531499c90590e830cf1154ebfc9271f0123de9dce350eb05ad3d4d6047d8ed9070d14d7cc0200bab
-
Filesize
2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
Filesize
54KB
MD577c613ffadf1f4b2f50d31eeec83af30
SHA176a6bfd488e73630632cc7bd0c9f51d5d0b71b4c
SHA2562a0ead6e9f424cbc26ef8a27c1eed1a3d0e2df6419e7f5f10aa787377a28d7cf
SHA51229c8ae60d195d525650574933bad59b98cf8438d47f33edf80bbdf0c79b32d78f0c0febe69c9c98c156f52219ecd58d7e5e669ae39d912abe53638092ed8b6c3
-
Filesize
334KB
MD509447f135f7f4486c165061cf443c569
SHA13ad4264db3112f845d35c112aabea9cbb2e21afa
SHA2560142e2ca4f93c9631591065dc53944a86e4b961620f4faf1fe8b61a8b2867c9b
SHA512be678fb5ca389198a5cc474c8e9e9d0c79a92a582cb81325b13d8be226725ad04faa6ecc3b4b7cecaedaa6f15ec13f01c0276100ee19faaf0a1b1dd7d061f31b
-
Filesize
71KB
MD567fef41237025021cd4f792e8c24e95a
SHA1c47a5a33f182c8244798819e2dc5a908d51703e8
SHA256c936879fbb1aa6d51fe1cdc0e351f933f835c0bf0e30aef99a4e19a07a920029
SHA512232015fe6bee6637d915648a256474fc3df79415ac90babdfc2e3ded06c2f36fce85573ec7670f2a05126aa5f24a570b36885e386061666d9eaa1f0da67a093e
-
Filesize
50KB
MD55bb0687e2384644ea48f688d7e75377b
SHA144e4651a52517570894cfec764ec790263b88c4a
SHA256963a4c7863beae55b1058f10f38b5f0d026496c28c78246230d992fd7b19b70a
SHA512260b661f52287af95c5033b0a03ac2e182211d165cadb7c4a19e5a8ca765e76fc84b0daf298c3eccb4904504a204194a9bf2547fc91039c3ec2d41f9977ff650
-
Filesize
13B
MD5eb0865ebb86960ec4069dececbf43abc
SHA19ba2e92ab9f9db9242efdc5fa356b2d7d1f52d7d
SHA256befabb04180ac3da1d823d4cdf9f3636832f5115bc42f7e39cb26a56fb794ca4
SHA5125e8bda4ca7b3c89fd38be682db8d5bb1b5567ce1a25116d539a1510bdaf11e3ebfae835ec1b54bedf5d38dace58eee63afcd8049874dbfbb02a34b368aa25322
-
Filesize
32KB
MD5db1db66ebd9b15b7dcd55374ea56ee5e
SHA1c22897eb20900a66cf62023c37d6a7d1192aec3d
SHA2560263a627bbea55a66deecd7a43f8537bb68b5f95bb3d4269d3e594bd1d851e64
SHA512b56b2143a60e6153e7fb752029c72d78547d5253f32ecbd0dda5a8acc5c3859292e860162b11a041a37b4f618f4425484b4e2385d7e2c621c8cbced073e3a67e
-
Filesize
12B
MD56473ed6d0d25b902fd8b7cee34b2d260
SHA15d0890cb19224079f6581d88c15b24e554364771
SHA2561beaab7d9b210d794011d33238aa883b2a9a60fcd58a7fd6c29203289363392b
SHA512543699eeb71f06df84b401fc98afb8ca6ee3a9e9d5f9b6fcce54277caba6cdce100cccfd2e310a30f274e73f2bba161c5886d5599defa99ccc324540f074b265
-
Filesize
56KB
MD5e9794f785780945d2dde78520b9bb59f
SHA1293cae66cedbc7385cd49819587d3d5a61629422
SHA2560568e0d210de9b344f9ce278291acb32106d8425bdd467998502c1a56ac92443
SHA5121a3c15e18557a14f0df067478f683e8b527469126792fae7b78361dad29317ff7b9d307b5a35e303487e2479d34830aa7e894f2906efff046436428ada9a4534
-
Filesize
12B
MD539df0bc698f203a4fef18a68a7b0eadc
SHA10ea8d556af659e0c8d6406b5b3e7e56ee6a10188
SHA256f8dd3cec3612c302b45ea9539002625e58e528a5cb68b4b0e6c3c2a378122c1a
SHA512e6ff51381293bfd52eae39b9868968a76d94bc993bad5566c532a30e5ee5fe121c2f5b8eaed7acee59e3f6b8c1b3bebb53b07b46f572f3498b1800b0deac128d
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
753B
MD58298451e4dee214334dd2e22b8996bdc
SHA1bc429029cc6b42c59c417773ea5df8ae54dbb971
SHA2566fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25
SHA512cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba
-
Filesize
210KB
MD5c106df1b5b43af3b937ace19d92b42f3
SHA17670fc4b6369e3fb705200050618acaa5213637f
SHA2562b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae
-
Filesize
219B
MD57244fc1c5f88620507a0d2345f01cbb3
SHA15dce025a2cd9688991b212b3ff24d7181c0bb2fb
SHA2564ed421a7026efacd35d48a8a7ae72aa4cb936763b4166af1dfbffb148d0039e7
SHA5121782f3368825b6f153d5272f3ca2d64986009499f6ec283ffa2d7b83f4edfdb6a063228327ec1070eed99708ee47e2d32d4c4be646c880d5aaedc0a6ebdbec3e
-
Filesize
9KB
MD51ef7574bc4d8b6034935d99ad884f15b
SHA1110709ab33f893737f4b0567f9495ac60c37667c
SHA2560814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize
10KB
MD5f512536173e386121b3ebd22aac41a4e
SHA174ae133215345beaebb7a95f969f34a40dda922a
SHA256a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA5121efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
96KB
MD5b9b8c95ec8686a6f3e205efdaccd8dff
SHA18740af4e83716b1f06e939b37ae9acd08a55bc4f
SHA256e8f09fe6de61415188b4d101f81eae287fafe9b04e8a8afbd22bf8e71d8cb0ff
SHA512fb8efec788b988f2b208817d8c28abf1e8b15e913be7a9779933c2102476cfe92af04ba09a6df47ef683bf13d99bd389d379eed08d169a9bda6bcabd1d9c12b4
-
Filesize
433B
MD5cf5f69533151675ab4f248fbc8cdedeb
SHA1eb736e17118ac79e341b49eb29ea04433e65e66f
SHA256e774620005d8e57306dcad1f2b427044f0be3da21897de56258fed1f8c565486
SHA512e9954bab77bc76a3b85bcd988f05356c8dfa1f109c5fd58e5f2d214ed266ddbc520159a416fbfb0a4e24133b143e873ee3d9e88d62db4c486403215d76394f84
-
Filesize
717B
MD5ef0a07aec4367a64c16c581da2657aa9
SHA113011a5abcbadb3424fb6ecee560665556bb1d24
SHA256f8c02541eba2fde1b29b3ce428cbb0f1913110d4bba9b52f7252f728e9fce987
SHA51235cfaedb4e5f754dde69f4cef508bbd6127408c405baa5ee2e20104f9aaa1ff2a228f0bfa42d51dcd1006e026ce238bd7042906e449ca78ef91e4d00b08c5c46
-
Filesize
1KB
MD5902547f0abd683d012972add0359fcaf
SHA13e3161f74e21271c4d41e38c15cad4b64c288b7a
SHA2565debb142adde4358fba36ed6729c966bb548ac6e7407552d10bd61ce4edfbcf5
SHA512cbd951c7bf008dcfedaa158e042841b31928630e327873e18cfc632176d86d7e45528d864d5c60b5032af4c9cb54e1c7da129fc7ecdd2b324fd5aa81d27793b9
-
Filesize
7KB
MD5362ce475f5d1e84641bad999c16727a0
SHA16b613c73acb58d259c6379bd820cca6f785cc812
SHA2561f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA5127630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
-
Filesize
1.8MB
MD55ed9543e9f5826ead203316ef0a8863d
SHA18235c0e7568ec42d6851c198adc76f006883eb4b
SHA25633583a8e2dcf039382e80bfa855944407bcba71976ec41c52810cb8358f42043
SHA5125b4318ddc6953f31531ee8163463259da5546f1018c0fe671280337751f1c57398a5fd28583afba85e93d70167494b8997c23fee121e67bf2f6fb4ca076e9d9f
-
Filesize
13B
MD5f9769bb20bc8a0f137207ac2fa70e73a
SHA113a5ade4adc04d610cefd3bace0b749e33f6faee
SHA256f117e5835146fcdf2013c5554138c304b5376a1f3e3f1b6c6d1db0dcd6c998c4
SHA512be47552f6b063fff51102ec421b3860773fa9f51800f6c2988c5c67ba56db8e374c2fb048ef6bb0d988620fdc04a2a6adfbf2a06465e4d4f34ba623b92e5f01b
-
Filesize
1.1MB
MD59a9b1fd85b5f1dcd568a521399a0d057
SHA134ed149b290a3a94260d889ba50cb286f1795fa6
SHA25688d5a5a4a1b56963d509989b9be1a914afe3e9ee25c2d786328df85da4a7820d
SHA5127c1259dddff406fdaadb236bf4c7dfb734c9da34fd7bad9994839772e298ebf3f19f02eb0655e773ba82702aa9175337ba4416c561dc2cb604d08e271cc74776
-
Filesize
375KB
MD5aba4c6047cfec27b6db13e0f103f4bdb
SHA1916cb99bf2828286034ba6ef63891aaba24770ef
SHA256b88271e1a2df3fb14fa862922ece74e403c6135dde18bd58ee1f2003992f1d38
SHA5126ad7d25781edd630e2dd187a2523acd3623ada5af5bbb822aede3643ba4a04e191b7e2b31de78e362b9ac44a38a917b19c19febea4ebc1e963f9f85bea61dca6
-
Filesize
321KB
MD5d3901e62166e9c42864fe3062cb4d8d5
SHA1c9c19eec0fa04514f2f8b20f075d8f31b78bae70
SHA256dbc0e52e6de93a0567a61c7b1e86daa51fbef725a4a31eef4c9bbff86f43671c
SHA512ae33e57759e573773b9bb79944b09251f0dc4e07cdb8f373ec06963abfc1e6a6326df7f3b5fecf90bd2b060e3cb5a48b913b745cc853ac32d2558a8651c76111
-
Filesize
814KB
MD59b1f97a41bfb95f148868b49460d9d04
SHA1768031d5e877e347a249dfdeab7c725df941324b
SHA25609491858d849212847e4718d6cc8f2b1bc3caa671ceb165cf522290b960262e4
SHA5129c8929a78cb459f519ace48db494d710efd588a19a7dbea84f46d02563cc9615db8aa78a020f08eca6fa2b99473d15c8192a513b4df8073aef595040d8962ae4
-
Filesize
1KB
MD52502c222fb57472ef469557b24c5c4d5
SHA10ca7ffa5964d8187756a972d9067a1ca91749776
SHA2563b43c679adbeff5413ce850e305c9ff70010d8c87e2d712c54dd32c5d58c109e
SHA5121c8433822bf359cd2b383b6c7e60bcfb6f3ba99e45a6a52d41c43876841bea41597b877a6ed32bc9af5e7ca98b8b1b51fc4d36d74ac0f627a34e8782e1124e92
-
Filesize
1.2MB
MD5e74d2a16da1ddb7f9c54f72b8a25897c
SHA132379af2dc1c1cb998dc81270b7d6be054f7c1a0
SHA256a0c2f9479b5e3da9d7a213ebc59f1dd983881f4fc47a646ffc0a191e07966f46
SHA51252b8de90dc9ca41388edc9ae637d5b4ce5c872538c87cc3e7d45edcf8eff78b0f5743ab4927490abda1cff38f2a19983b7ccc0fe3f854b0eacca9c9ce28eda75
-
Filesize
11B
MD55eda46a55c61b07029e7202f8cf1781c
SHA1862ee76fc1e20a9cc7bc1920309aa67de42f22d0
SHA25612bf7eb46cb4cb90fae054c798b8fd527f42a5efc8d7833bb4f68414e2383442
SHA5124cf17d20064be9475e45d5f46b4a3400cdb8180e5e375ecac8145d18b34c8fca24432a06aeec937f5bedc7c176f4ee29f4978530be20edbd7fed38966fe989d6
-
Filesize
48KB
MD512013653b8d62ecd2848186ca83ed3b2
SHA1f747ac43522912771d97e12fa77cce4100d67765
SHA256a1280794b1dac3ba01bf51088915cebcb10fe1d65e6c04a44f103ca09116e01c
SHA5128497329fe830b35f4d172c2e8761b0b3d580fe78003d623ab026702ed8475a829560f73cfe4246f983c53f7ae691d22a1fa5e0380ad6e4604244385fff6c9b64
-
Filesize
48KB
MD52df3aaa0149cfd975ba04ccfc21d2e6b
SHA1dc6f40b4fcf078c8fe8e413c3cc902d7679a5c84
SHA25613d3b10370a86c820db4351d7b69d0c33aa4fef6244f12a1b387b68ea58cbbd3
SHA51205ff868e94514a0da16df0b2a8cec7a45dae1e581ff4968f89fac14f60dbe43e2c041fabf6df52da2f1348c9ac12d6e89ed5572a3d8cfa71717c5d070e2dcde1
-
Filesize
48KB
MD589319cb7994994214e8faa459de0b932
SHA193125c0e3f809a5626d8ee8e3877a6c3e8845dd9
SHA2563bcb5bb9bff951bad48712be7296add4098ae33e1430129fd2860b29f94d9537
SHA5128b3642f48f2e272a36bba032d2382b7ecd8af0ce74cc76de5d8d9fe581cf0f4c13f2cd7fe0562a2b0d0e19f59e5dcbf7aa926f3f7979b8eb684efa44020c941f
-
Filesize
2.8MB
MD5ab8d85c093d6f0180bf09ec0f466b78b
SHA11daf355d14d45b1e411f96fa394a98a84c09e53e
SHA256d1e08c8dbf3bfc34e3fdfc390d2e7f5b871f95376e7dda93e3dd0051d580db40
SHA5122882292301e1fb85b410570ece6cf05f3e89968a02450dba192a1f97282f1c08ed30819e3d36c524fba3baeb6a2c22a10a762c8313e8823c07554b4b975cc00e
-
Filesize
2.9MB
MD5108bc29224053a4735170bcb644cc73c
SHA19a4b8929e890443dc8204fccbf4bdb6c6c853a3e
SHA2567c7c62702b5a6ca58084c1ec776116d1a7d697d7a104f2bb705676088c8614c8
SHA512883d76dd6b1395bb545461ec0a88cf797524f922e8787abb27ca681ed72fe75c57732c5e17c7181509f98242871b7afc0398f69d7b04a043edc21b57dc88482a
-
Filesize
1.1MB
MD56c6f85e896655a6eb726482f04c49086
SHA12e0c55cd4894117428b34d21a1d53738fce4b02c
SHA256e109400a93fede90201bbf37c1868c789888bce9d03a4ae5b46c48599939c34e
SHA512b58303c149deffc9e374d5ba42a8a73b7ce890d35f9589fe0b09acec541a21d589d49fa5086b965277fa22dfe308357505124f13a6ff1e0de415ebc40ce61e15
-
Filesize
541B
MD5d0efb0a6d260dbe5d8c91d94b77d7acd
SHA1e33a8c642d2a4b3af77e0c79671eab5200a45613
SHA2567d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102
SHA512a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c
-
Filesize
12B
MD5b22628235c1f44ae054091c8fdc82d23
SHA170c8e5abd9d2d8a18b769f6e71819fb53b273b9b
SHA256b31673e38897d5d84558e2745d02c553649a50063a9f0e7de7e71bba89916232
SHA512c1097690938f3edcba20802dfb77880fb29d1f8b70c62fa76d1828613d57355fd04c0b3d26da90128db2df2e63e4e30c8e195b84452c0931b8cb2f043d5bba98
-
Filesize
670KB
MD596e50bbca30d75af7b8b40acf8dda817
SHA14b1255280dff8de8b7be47def58f83f6ec39ded6
SHA256a3ad00ccb61bc87d58eb7977f68130b78a0b95e74d61e6a4624ac114ccde5736
SHA5120034c08cb878b703f272e3fd2734bb928ff1bdba85cf79a151519b019c83bd4d199c80af0aa30db28ef82f7ee68a9d59dcaede92f83bfe8787f6a5d4d5e9817c
-
Filesize
3.1MB
MD5ff671b6085ba35e1bbebd5d2389ab7d6
SHA1d7719a66e303c4e854faba873b781e0084f36998
SHA2564f2a43098f6eff50a03fde9e134a4c8b7df6fe7e9a9c6913afeefe0deeb1463e
SHA512f5a63eeb6a239d7be9935ceb1240aae7c9f3a8d5740d665b5fde6f28a7667feb345f88bc440ebe7d6a0512b448f4e3772a49823bc6ad8ba7372e0a31b5f9f200
-
Filesize
570KB
MD5b50834694383960830cf48d9836e1108
SHA1adc80813181b98a8296befa2960a55f939f3bfee
SHA256370a259808052366888284b0cc4c91ff8f23e8008003959b8d0efb1adbf00cd6
SHA512f87be933e87275b000be031aa5df7536dfd5fe9b99a607ce0904f206e074d3a0687a00654b9b78edaa2fccf3d30526e0ee5bd7dcba4a5daafd6fc60eeaaa15c5
-
Filesize
143KB
MD571026b098f8fb39c88b003df746d9fa0
SHA1013ca259f551ad6f33db53fff0e121e74408e20e
SHA25611058e8c2cd05f30dcf1775644bf19d2913c9a6d674c12f91d1896d95d9cc5c2
SHA5129830be3444225a4b2f9fa4aedbc8af4f45fdb2548f0b6a2eba2a2a407ea3c7d8fd78c0e37fac66cafbdfad781ae78b076d225fd5c836a451f57a54053ccef9ad
-
Filesize
16KB
MD5b2e89027a140a89b6e3eb4e504e93d96
SHA1f3b1b34874b73ae3032decb97ef96a53a654228f
SHA2565f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982
SHA51293fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19
-
Filesize
809B
MD58b6737800745d3b99886d013b3392ac3
SHA1bb94da3f294922d9e8d31879f2d145586a182e19
SHA25686f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594
SHA512654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df
-
Filesize
6KB
MD5e2ccbf31a63438880b67a08338064c36
SHA1e205f5e828deb66c7a04ea56094928eaac0667ec
SHA256881a99d9e664d00efb5b46f18fcd8410ee7fc8d38143355f0715f36699b09b23
SHA512c4afeb037aa38898c6a5c68d02888f746d995c9b69027a12a91121a9b95167700150b53cda6a508309331ca297826ec5b9a437998e5a10e28f1d7a840513ced6
-
Filesize
471B
MD558fa9b9b540e3e1c392349df6799966e
SHA118e5547a9cf8fab8477c1d6fb9c2dcdf5a2179b9
SHA256b8b2ed04f08661ea288ade875a86bdd1270c345a231941a880fe3d6694704824
SHA512bcfbe56c1e0affaf7bd1a809609948a9b5ff0bf23517b753cc7c4c037b9fd99664d8ebc7f7fcf1a26b70f821770d9866aaad8e34fa740dd5a53992f8db8b41ce
-
Filesize
727B
MD5808759a9e684cd7dfb169fa5887f4101
SHA1b07c8e554248f16435da7586816860c3c3b81737
SHA256a4faebf7a700acce9aa39b44c4ac4d5c50a820db6a3baf5fca9ef17006bc7a9c
SHA5125163616289f120abc96ee3cef2de3b15f67d14772c765fd6046009c38e2f1958fed6dae6939ec7d6a302f0987c3f84da069fa6df0a9ef49860f6121607c92138
-
Filesize
727B
MD5ed7e4f41fa2f053c3492e911d0947e8a
SHA1b7f0e66d0ce03ddd3ab23a3776868f8a85495830
SHA256f5028353b742e070dfb98a45183d5e3aade9afe6fbabe7e1d04e607bc5e1c726
SHA512260146d435cc799ddcfd353c3e66c65d533e7352c9df648d7cfc04a01c0918d853368e0890b3f77e59a10b8d67030daa1adf0b58d1b1da5131c788623959dc55
-
Filesize
400B
MD5b7fbfcf6739193fd47579a51cad6eb8a
SHA15acc6f6b0517650fbc6731f9c0a54b5d2d81ee26
SHA2567c5032761999b35a01365fe9d12cad11b49cfc7d5fa5e26e8beb1e435c87f3a1
SHA512eb40ea9340bf9b73c6c84a554fd9ae10abe2d4dea6520486c29717d83dadc595cc6fad34697ce1d9d47c8d06eb7e4d8294d284ac63042bcc60c983ca110f1b3e
-
Filesize
404B
MD5fbdc4f07cf6f8fa3d8a2a484d5e53252
SHA12c46d20437ade512d2d39e19051a0c7b015c4ca5
SHA256986119a14dab3cd387df49a7b56e21af0749f8c32ceb60687d1ebe2ce8a2779c
SHA5122002ba11c69d4402643ec02f760472d7080a47aa821384df6c5eef85d2fe62a92fcb5beb08fda96f33d1971fabcf2a2e4a06b3e798c17def77fb8d91469007ed
-
Filesize
412B
MD50fd3f346d308e43ff36cbc72d439e79b
SHA1dbb2825c2907b922c64e70db4c7e53fc77de5999
SHA2561ef4941b5363edde892468d34f2f3f5ba9caca5cf19db3be018beb5fbf1b4ab5
SHA512f64936a8a8783123c4359922df49705c17fb3745092fb935f12758893ad75341f7825564efada13ef6c9e9b4e1117bbc169bd5494f4ba4abadc6dd9855bb50a2
-
Filesize
651B
MD59bbfe11735bac43a2ed1be18d0655fe2
SHA161141928bb248fd6e9cd5084a9db05a9b980fb3a
SHA256549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74
SHA512a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
180B
MD5b50cd3b73107c6d6b8bf260993880e4c
SHA10bbf2d4e9b0c3edc8a9f1d594c996ce000a38586
SHA256d740bfcd4aca6d0c5ffc2359f5868ec20c134862b8ca9c833c52c0c7ce0b684f
SHA51278db6db3cbaef585191bac5a51e8a168fc3b58557d7ab2ee0fe32faf3acae53ad2e48df8bd79ff1c99a4336abc7efd9bf3b2d9c6100824ef6a40e631f870a006
-
Filesize
6KB
MD5aac7198d4646f708b73dd33ec9037143
SHA11bf8d5ee7935951ed9d4a251c41f1b1745d68886
SHA2563267b463a40cb5ce74ed30880bc42fab6a212f80c5a886734a1fb97e74208f93
SHA5125ef84d9bd9bb0588377a7f8fd850bdd4b080cd2eb0ada05c005783a18d80963670cba02e0829d6a782cfcaaece60aeeeaa4911e1e847be331d381e2bef9fa3e1
-
Filesize
5KB
MD510c4a8acb4fec0da4d39c40507b813a0
SHA144144fa3b61c9e8b8722e5323521b97a270a6835
SHA256f161ba8648a2a111fdfef2d771e9568c557d7b08c01a45dd6faef05dd112b180
SHA512985f2b00daf3e53c62ea96cf7192561cd9817e1f1541dff0a31b2982d8a615bce03972fff1360f8c251fabce0d5c7736defa62a05db90808072033a5d803ed7e
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5bfa15dd05d8d6fe7a2d6d57557967ab1
SHA163dfeb30c924795da8729e30c6a7e8172d6ea06b
SHA256fbb05a6c1125a6b8887e345260705c44c3329ac19f7ff77cb947867b1f56cff0
SHA5125476fc8f5768dd7c61c0cb652712059a7b21af52eec44a394504fcb8588c66ee11f91170b7275460441f437aa55af29cc499e050e6eb3ff95dcfcb70d1b7388c
-
Filesize
10KB
MD5fee418be64dba386bcc6c73e844f21de
SHA1c21e4ba9b41e057eab93c304ddd501849576bc3e
SHA256a4c3b9b4dec4e4a124407cbeddea61a0ff1e058af785e61245402e39f6375192
SHA5122e03739b09c0867b261f6cb67dbc223dab40cc231533e8e522bdbd81669ad3d8d26be44d589a6cc38e7d6de849270476bfdf4d27f21e0bb2428d1198003afc9a
-
Filesize
2.9MB
MD591c89cd32747eec2764a801625a0ea9c
SHA16610a1d97e121c07eb258ff7a0ab336273700122
SHA25650bed1c7d7eaa781472f7bd46bf59aa3706528c394bed0203f921c7f9e1890ff
SHA51276ba1484366ce4f517180f5ff23c4e484dfccc8f7315609d22a8bedf409aa8a65d8515644bcf184f9b54ccf4b7543a845c88ee021290d9bc91b3a0e458aaf976
-
Filesize
4.5MB
MD508211c29e0d617a579ffa2c41bde1317
SHA14991dae22d8cdc6ca172ad1846010e3d9e35c301
SHA2563334a7025ff6cd58d38155a8f9b9867f1a2d872964c72776c9bf4c50f51f9621
SHA512d6ae36a09745fdd6d0d508b18eb9f3499a06a7eeafa0834bb47a7004f4b7d54f15fec0d0a45b7e6347a85c8091ca52fe4c679f6f23c3668efe75a660a8ce917f
-
Filesize
60KB
MD5878e361c41c05c0519bfc72c7d6e141c
SHA1432ef61862d3c7a95ab42df36a7caf27d08dc98f
SHA25624de61b5cab2e3495fe8d817fb6e80094662846f976cf38997987270f8bbae40
SHA51259a7cbb9224ee28a0f3d88e5f0c518b248768ff0013189c954a3012463e5c0ba63a7297497131c9c0306332646af935dd3a1acf0d3e4e449351c28ec9f1be1fa
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
219KB
MD5928f4b0fc68501395f93ad524a36148c
SHA1084590b18957ca45b4a0d4576d1cc72966c3ea10
SHA2562bf33a9b9980e44d21d48f04cc6ac4eed4c68f207bd5990b7d3254a310b944ae
SHA5127f2163f651693f9b73a67e90b5c820af060a23502667a5c32c3beb2d6b043f5459f22d61072a744089d622c05502d80f7485e0f86eb6d565ff711d5680512372
-
Filesize
26.3MB
MD5b9c6d23462adef092b8a5b7880531b03
SHA19e8c4f7f48d38fb54a93789a583852869c074f2d
SHA2562e23da54aa1ff64de09021ab089c1be6d4a323bdf0d8f46f78b5c6a33df83109
SHA51218623991c5690e516541eaf867f22b3a1a02317392178943143bedc7f7eda5e02e69665c3c4a5fa50ade516a191bbbf16fd71e60f3225f660fb10ebc25cd01a5
-
Filesize
772KB
MD5d73de5788ab129f16afdd990d8e6bfa9
SHA188cb87af50ea4999e2079d9269ce64c8eb1a584e
SHA2564f9ac5a094e9b1b4f0285e6e69c2e914e42dcc184dfe6fe93894f8e03ca6c193
SHA512bfc32f9a20e30045f5207446c6ab6e8ef49a3fd7a5a41491c2242e10fee8efd2f82f81c3ff3bf7681e5e660fde065a315a89d87e9f488c863421fe1d6381ba3b
-
Filesize
1KB
MD5bbe625903f24392c2a25bedce9fabd66
SHA15980c02f4570b749bcc0bed56ee9ff0dde1b1ec2
SHA256fac60b5633a0094427f5c5916611912330def57e1418040216be71ee928d69bc
SHA512480f79d8dfe1555431e2579b8b8fdbdbe5e0f064c316dc5caba50976436850ba6d2b413477096e97f0c5c76a21a6e38eefbf46b6e8e2f08ffe875fa3279062c6
-
Filesize
602B
MD5738235c919567fc9af2037f5dfd7b5fe
SHA1bc24663bc17ef17890d769a43946cfbaeacee9bf
SHA256700c544dcc0cfe82a2c20fcf8af3993d32d611df56f6238b79b4b6195db5935b
SHA512a1f81aa0445631696a0b3971456ad3e01b28d30e482c83c6a823c142b178bffd05d960920304025a37c270d568ba6f03b60a8fb27e721a2bb223c6d05d70fb1f
-
Filesize
708B
MD56ae678dc31d177fad36092c0ea908663
SHA16c919988853ca919d48405f62ff4a7544bf40eec
SHA25667854a9ecb542a4793c4850dff276464f4497a079b5e1dd21f2a330050d9d2f0
SHA512be88b896b8bc39c495d49f18c328a3e6cc767675459f21e2fa1915cf15f3a00877a33083aed6263a95309cb7f47b70d47b4906cd5fe1632d293f3204ba5cd9e8
-
Filesize
1KB
MD59dd65a5ecfe2b241312e68f8b6ad5031
SHA1a8526d73fa3dcec7e152c759b4d2b1987f76ef92
SHA256cfcba558a19d60e3e12c4cc0ab0e633773c10d02eac812501dd238c676bf41ad
SHA51272070ec274f7c42be9815d8224e9a408b9c963a60742008f25813bc1372f00bc571ed5e8f6f9be5fe5fabb8520d32b7cbef979c3bf53796a507909ff8d4fa2b2
-
Filesize
4KB
MD528d90e8fb6c17511921241f085de56d1
SHA161b82f3d6c71316e268f78dc33b8e396edade306
SHA256bb3ac46574d434a3f03477ef7966b364d414aa39567be5aceb348d2a900c6984
SHA512a31defa38acb4a1bbcdddf8fda09e873febb0801b4da27beacea673cd14d74fe9285930ea0dea7d9b563a335ddce35af55c5434198583c65f913400732361a26
-
Filesize
2KB
MD5d58d35d8199c32f281622c0da6325b9c
SHA1b5abf98813d4e64a13a63904df5b234157f625e6
SHA256139667d5115199a06a9a2a0dc7480e46a8798908b45404ad1183898619b50b73
SHA5121e5138680e514850b69f20292bf27d51b7da5e9077889c8cee1a14420bb6157c78d9be86fa6563d7b523cfc36ffba5e2adb81168fb4eb8cf14d68c8d52abb70c
-
Filesize
3KB
MD5560af444a6a7faa0b0ca94dc16ca2a58
SHA1df31453fafde354870a0a9a8ca50b18e284c32e4
SHA25694739ca46676bd602a78671257fbfce39feaabc9664c6326bf4970a0108e3429
SHA5127c853176c088d56a517e52c6687b6debf08f6f9726376720ade9d13fafc9be0ca72f0f2b35562a61ece653aeb789c838c60447f463b2bbe70c21bfc8c039b681
-
Filesize
3KB
MD53780f6c5a6fd5965e51060d35019fd4c
SHA11d32874f130d8d22ad77a2a8918e0527bd55f1d2
SHA256c3c4d510eb077c74f40ae6f1411a6fe995f9f532f037e5e3c0e6c546aed900e6
SHA51249e121c6507291020726da47e1b730430a52a692780dbe8bb7e873b87052880fef35a3a4938f7c5e366a920d712d4055edf56d7e51fadcbe52355e5f4ddf182a
-
Filesize
4KB
MD599e36f7ee48403f715d2561c3d8ea95e
SHA1f8c96456342466f70bc16508ec6270b90589a999
SHA256d18e2e5661e29c958589d9a4065b490066dd27a761b1ee84c34ee251481dce69
SHA5126533b49340be9a71a4fd0c648888395b9d0d055a26dc9683e687005fe6fd3b817e8d2e486ff018f3f3baf8e7c48c1085b3a1b30ebb4fbaa90b20caf9469067f7
-
Filesize
3.2MB
MD52c18826adf72365827f780b2a1d5ea75
SHA1a85b5eae6eba4af001d03996f48d97f7791e36eb
SHA256ae06a5a23b6c61d250e8c28534ed0ffa8cc0c69b891c670ffaf54a43a9bf43be
SHA512474fce1ec243b9f63ea3d427eb1117ad2ebc5a122f64853c5015193e6727ffc8083c5938117b66e572da3739fd0a86cd5bc118f374c690fa7a5fe9f0c071c167
-
Filesize
427KB
MD585315ad538fa5af8162f1cd2fce1c99d
SHA131c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA25670735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize
1.8MB
MD5befe2ef369d12f83c72c5f2f7069dd87
SHA1b89c7f6da1241ed98015dc347e70322832bcbe50
SHA2569652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
607KB
MD5669de3ab32955e69decfe13a3c89891e
SHA1ab2e90613c8b9261f022348ca11952a29f9b2c73
SHA2562240e6318171b3cddcee6a801488f59145c1f54ca123068c2a73564535954677
SHA512be5d737a7d25cc779736b60b1ea59982593f0598e207340219a13fd9572d140cfbcd112e3cf93e3be6085fe284a54d4458563e6f6e4e1cfe7c919685c9ee5442
-
Filesize
571B
MD5d239b8964e37974225ad69d78a0a8275
SHA1cf208e98a6f11d1807cd84ca61504ad783471679
SHA2560ce4b4c69344a2d099dd6ca99e44801542fa2011b5505dd9760f023570049b73
SHA51288eb06ae80070203cb7303a790ba0e8a63c503740ca6e7d70002a1071c89b640f9b43f376ddc3c9d6ee29bae0881f736fa71e677591416980b0a526b27ee41e8
-
Filesize
182KB
MD599bbffd900115fe8672c73fb1a48a604
SHA18f587395fa6b954affef337c70781ce00913950e
SHA25657ceff2d980d9224c53a910a6f9e06475dc170f42a0070ae4934868ccd13d2dc
SHA512d578b1931a8daa1ef0f0238639a0c1509255480b5dbd464c639b4031832e2e7537f003c646d7bd65b75e721a7ad584254b4dfa7efc41cf6c8fbd6b72d679eeff
-
Filesize
179KB
MD57a1c100df8065815dc34c05abc0c13de
SHA13c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize
345KB
MD50376dd5b7e37985ea50e693dc212094c
SHA102859394164c33924907b85ab0aaddc628c31bf1
SHA256c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415
SHA51269d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5
-
Filesize
712KB
-
Filesize
88KB
-
Filesize
136KB
-
Filesize
224KB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
3.8MB
-
Filesize
1.1MB
-
Filesize
128KB
-
Filesize
80KB
-
Filesize
64KB
-
Filesize
408KB
-
Filesize
712KB
-
Filesize
408KB
-
Filesize
3.8MB
-
Filesize
1.1MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
336KB
-
Filesize
712KB
-
Filesize
72KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
712KB
-
Filesize
48KB
-
Filesize
96KB
-
Filesize
712KB
-
Filesize
128KB
-
Filesize
64KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
880KB
-
Filesize
296KB
-
Filesize
96KB
-
Filesize
296KB
-
Filesize
712KB
-
Filesize
112KB
-
Filesize
392KB
-
Filesize
208KB
-
Filesize
296KB
-
Filesize
880KB
-
Filesize
40KB
-
Filesize
112KB
-
Filesize
6.4MB
-
Filesize
88KB
-
Filesize
72KB
-
Filesize
64KB
-
Filesize
128KB
-
Filesize
712KB
-
Filesize
88KB
-
Filesize
112KB
-
Filesize
192KB
-
Filesize
704KB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
3.8MB
-
Filesize
3.8MB
-
Filesize
1.1MB
-
Filesize
3.8MB
-
Filesize
1.1MB
-
Filesize
3.8MB
-
Filesize
72KB
-
Filesize
608KB
-
Filesize
240KB
-
Filesize
160KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
48KB
-
Filesize
184KB
-
Filesize
136KB
-
Filesize
712KB
-
Filesize
3.3MB
-
Filesize
288KB
-
Filesize
232KB
-
Filesize
112KB
-
Filesize
64KB
-
Filesize
160KB
-
Filesize
712KB
-
Filesize
88KB
-
Filesize
1.8MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.1MB
-
Filesize
1.8MB
-
Filesize
1.1MB
-
Filesize
40KB
-
Filesize
104KB
-
Filesize
712KB
-
Filesize
5.2MB
-
Filesize
88KB
-
Filesize
232KB
-
Filesize
400KB
-
Filesize
712KB
-
Filesize
32KB
-
Filesize
152KB
-
Filesize
88KB
-
Filesize
416KB
-
Filesize
168KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
880KB
-
Filesize
288KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
304KB
-
Filesize
112KB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
712KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
112KB
-
Filesize
88KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
88KB
-
Filesize
88KB
-
Filesize
88KB
