Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
05/02/2025, 03:37
Behavioral task
behavioral1
Sample
394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46.msi
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46.msi
Resource
win10v2004-20250129-en
General
-
Target
394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46.msi
-
Size
2.9MB
-
MD5
6032d2452e05a12f1449182deb3ab258
-
SHA1
03a992f9020a003fe86e477ac28698afc16a73d3
-
SHA256
394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46
-
SHA512
1318d1844efe031d05499e642c9509422a9f92977b8b4c76d38c6c614d81813af4ec927d2dd807e9b7b205ab06ea1800eb4a082f1a89a4e3721a37301165e28d
-
SSDEEP
49152:9+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:9+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
resource yara_rule behavioral2/files/0x000b00000001da20-236.dat family_ateraagent -
Blocklisted process makes network request 7 IoCs
flow pid Process 2 4896 msiexec.exe 5 4896 msiexec.exe 29 4964 rundll32.exe 34 1128 rundll32.exe 74 3268 MsiExec.exe 116 5732 rundll32.exe 142 5348 rundll32.exe -
Drops file in Drivers directory 6 IoCs
description ioc Process File opened for modification C:\Windows\System32\drivers\lci_proxywddm.sys DrvInst.exe File opened for modification C:\Windows\System32\drivers\UMDF\SETCF6.tmp DrvInst.exe File created C:\Windows\System32\drivers\UMDF\SETCF6.tmp DrvInst.exe File opened for modification C:\Windows\System32\drivers\UMDF\lci_iddcx.dll DrvInst.exe File opened for modification C:\Windows\System32\drivers\SETC1C.tmp DrvInst.exe File created C:\Windows\System32\drivers\SETC1C.tmp DrvInst.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e883dae5-a63d-4a45-afb9-257f64d5a59b} = "\"C:\\ProgramData\\Package Cache\\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\\dotnet-runtime-8.0.11-win-x64.exe\" /burn.runonce" dotnet-runtime-8.0.11-win-x64.exe -
Downloads MZ/PE file 2 IoCs
flow pid Process 63 2968 AgentPackageSTRemote.exe 109 5180 AgentPackageRuntimeInstaller.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\T: msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData MsiExec.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06} DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log AgentPackageInternalPoller.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{70fd5d69-d79d-e948-add5-4dbc394ea364}\SET93F.tmp DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log AgentPackageRuntimeInstaller.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{70fd5d69-d79d-e948-add5-4dbc394ea364}\x64\lci_iddcx.dll DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\x64\lci_proxyumd32.dll DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log AgentPackageAgentInformation.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log AgentPackageHeartbeat.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log AgentPackageUpgradeAgent.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\x64\SETAB4.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\x64\lci_proxyumd.dll DrvInst.exe File created C:\Windows\SysWow64\SETC3D.tmp DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log AteraAgent.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_iddcx.inf_amd64_b68cf383a51d03e9\lci_iddcx.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{70fd5d69-d79d-e948-add5-4dbc394ea364}\x64\SET92E.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{70fd5d69-d79d-e948-add5-4dbc394ea364} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\SETAD7.tmp DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\SRCredentialProvider.dll MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log AgentPackageSystemTools.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log AgentPackageOsUpdates.exe File created C:\Windows\System32\DriverStore\drvstore.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\SETAE7.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{70fd5d69-d79d-e948-add5-4dbc394ea364}\SET93E.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\lci_proxywddm.cat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\lci_proxywddm.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxyumd32.dll DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File created C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\lci_proxywddm.PNF rundll32.exe File opened for modification C:\Windows\SysWow64\SETC3D.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_iddcx.inf_amd64_b68cf383a51d03e9\lci_iddcx.inf DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\x64\SETAB5.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxyumd.dll DrvInst.exe File opened for modification C:\Windows\System32\lci_proxyumd.dll DrvInst.exe File opened for modification C:\Windows\System32\SETC3C.tmp DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File created C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log rundll32.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{70fd5d69-d79d-e948-add5-4dbc394ea364}\SET93E.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\x64\SETAC6.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\x64\lci_proxywddm.sys DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB SRManager.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log AgentPackageADRemote.exe File created C:\Windows\System32\DriverStore\Temp\{70fd5d69-d79d-e948-add5-4dbc394ea364}\x64\SET92E.tmp DrvInst.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651 SRManager.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log AgentPackageProgramManagement.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\x64\SETAB4.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{148aa660-5dd5-a74b-8a57-99a56a670a06}\SETAD7.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\lci_proxywddm.inf_amd64_a909cab09ba387b1\lci_proxywddm.cat DrvInst.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
resource yara_rule behavioral2/memory/3168-1145-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3168-1146-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/2260-1158-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/3752-1186-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/3752-1183-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3168-1222-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3168-1223-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/2260-1244-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/2260-1243-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3752-1837-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/3752-1836-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/4236-1862-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/4236-1874-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/4236-1873-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/4236-1861-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3168-1835-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/3168-1834-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3168-2294-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3168-2295-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/3168-2893-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3168-2894-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/3752-2906-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3752-2907-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/3752-4654-0x0000000073110000-0x000000007322C000-memory.dmp upx behavioral2/memory/3752-4655-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/2260-4657-0x0000000072D40000-0x000000007310D000-memory.dmp upx behavioral2/memory/2260-4656-0x0000000073110000-0x000000007322C000-memory.dmp upx -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\NLog.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdnup.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\32bits\stvad.sys msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe.config AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tracing.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\OpenHardwareMonitorLib.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Runtime.Serialization.Formatters.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Diagnostics.DiagnosticSource.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.ini AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-Hant\Microsoft.Win32.TaskScheduler.resources.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.AgentPackage.Common.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Xml.XPath.XDocument.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe.config AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Linq.Expressions.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Logging.Abstractions.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\information.cch AgentPackageAgentInformation.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Drawing.Primitives.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\EO.WebBrowser.dll AgentPackageTicketing.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.DataContractSerialization.dll msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\tools\shimgen.exe AgentPackageProgramManagement.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.FileSystem.DriveInfo.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Globalization.Extensions.dll msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.DiagnosticSource.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\install_driver64.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\setupdrv.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\devcon.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Configuration.dll AteraAgent.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Formatters.dll msiexec.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\Polly.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.CommonLib.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Debug.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Atera.AgentPackages.Exceptions.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\generic.cfg AgentPackageInternalPoller.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Configuration.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\generic.cfg.bak AgentPackageInternalPoller.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Atera.AgentPackages.CommonLib.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.DependencyInjection.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\log.txt AgentPackageOsUpdates.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\choco-logs\02-05-2025 03_38_55-log.txt AgentPackageProgramManagement.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Configuration.CommandLine.dll AteraAgent.exe File created C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.UnmanagedMemoryStream.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\System.Runtime.InteropServices.RuntimeInformation.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch AgentPackageAgentInformation.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\my_setup.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\driver\mv2.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\CredProvider\x64\SRCredentialProvider.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Primitives.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-Vsix.ps1 AgentPackageProgramManagement.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIDDCD.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE74F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDDCD.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF091.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File created C:\Windows\Installer\e57dd38.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIA392.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\MSIE4C4.tmp msiexec.exe File created C:\Windows\Installer\e57dd33.msi msiexec.exe File created C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678} msiexec.exe File opened for modification C:\Windows\Installer\MSI5389.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI9CAC.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBE45.tmp msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIA7CA.tmp msiexec.exe File created C:\Windows\Installer\e57dd52.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE6DB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID461.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57dd4e.msi msiexec.exe File created C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIDDCD.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE4C4.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF091.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\Installer\e57dd31.msi msiexec.exe File opened for modification C:\Windows\Installer\e57dd34.msi msiexec.exe File opened for modification C:\Windows\INF\setupapi.dev.log rundll32.exe File opened for modification C:\Windows\INF\setupapi.dev.log svchost.exe File created C:\Windows\Installer\e57dd31.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIE768.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI37A1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI3F92.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA392.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC3B6.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File created C:\Windows\Installer\SourceHash{9C80213E-9079-4561-8D57-1FDD0D62251F} msiexec.exe File opened for modification C:\Windows\Installer\MSIEB09.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE06E.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF300.tmp msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0 msiexec.exe File opened for modification C:\Windows\inf\oem3.inf DrvInst.exe File opened for modification C:\Windows\Installer\MSIDDCD.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIE4C4.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA7DA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIA869.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBFEC.tmp msiexec.exe File created C:\Windows\Installer\SourceHash{F59C11F0-D73F-452B-8D1D-8C33B82D8507} msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\CacheSize.txt msiexec.exe File opened for modification C:\Windows\Installer\MSIE06E.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF091.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795 msiexec.exe File opened for modification C:\Windows\Installer\MSIE4C4.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIF091.tmp-\System.Management.dll rundll32.exe File created C:\Windows\Installer\e57dd34.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI4000.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI99CC.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI99CC.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA81A.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIE06E.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\SourceHash{6B2921FF-79C1-4EBF-81B4-C606D4E5BEF4} msiexec.exe File opened for modification C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\e57dd3a.msi msiexec.exe -
Executes dropped EXE 64 IoCs
pid Process 3120 AteraAgent.exe 1764 AteraAgent.exe 2692 AgentPackageAgentInformation.exe 1536 AgentPackageAgentInformation.exe 2940 AgentPackageAgentInformation.exe 4092 AgentPackageAgentInformation.exe 4412 AteraAgent.exe 4432 AgentPackageMonitoring.exe 2968 AgentPackageSTRemote.exe 4696 SplashtopStreamer.exe 1412 PreVerCheck.exe 2248 _is23B0.exe 2468 _is23B0.exe 3432 _is23B0.exe 4336 _is23B0.exe 1596 _is23B0.exe 3752 _is23B0.exe 2692 _is23B0.exe 4848 _is23B0.exe 4264 _is23B0.exe 4952 _is23B0.exe 3696 _is31DA.exe 3636 _is31DA.exe 3260 _is31DA.exe 2880 _is31DA.exe 4048 _is31DA.exe 1932 _is31DA.exe 3876 _is31DA.exe 3104 _is31DA.exe 5036 _is31DA.exe 1184 _is31DA.exe 3260 _is40DE.exe 1292 _is40DE.exe 4048 _is40DE.exe 2816 _is40DE.exe 1028 _is40DE.exe 5036 _is40DE.exe 1184 _is40DE.exe 1304 _is40DE.exe 3216 _is40DE.exe 4084 _is40DE.exe 3096 SetupUtil.exe 2060 SetupUtil.exe 3444 SetupUtil.exe 4084 SRSelfSignCertUtil.exe 3200 _is53BD.exe 2916 _is53BD.exe 1740 _is53BD.exe 3696 _is53BD.exe 3752 _is53BD.exe 4048 _is53BD.exe 4940 _is53BD.exe 1652 _is53BD.exe 3500 _is53BD.exe 1176 _is53BD.exe 4332 SRService.exe 4940 _is56AC.exe 748 _is56AC.exe 4456 _is56AC.exe 1896 _is56AC.exe 4984 _is56AC.exe 4540 _is56AC.exe 3520 _is56AC.exe 3260 _is56AC.exe -
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3612 sc.exe 4964 sc.exe 4448 sc.exe 2864 sc.exe 2864 sc.exe -
Loads dropped DLL 64 IoCs
pid Process 4952 MsiExec.exe 1768 rundll32.exe 1768 rundll32.exe 1768 rundll32.exe 1768 rundll32.exe 1768 rundll32.exe 4952 MsiExec.exe 4964 rundll32.exe 4964 rundll32.exe 4964 rundll32.exe 4964 rundll32.exe 4964 rundll32.exe 4964 rundll32.exe 4964 rundll32.exe 4952 MsiExec.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 2952 rundll32.exe 4952 MsiExec.exe 4700 MsiExec.exe 4700 MsiExec.exe 4952 MsiExec.exe 1128 rundll32.exe 1128 rundll32.exe 1128 rundll32.exe 1128 rundll32.exe 1128 rundll32.exe 1128 rundll32.exe 1128 rundll32.exe 4432 AgentPackageMonitoring.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3268 MsiExec.exe 3168 SRManager.exe 3268 MsiExec.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3752 SRServer.exe 3752 SRServer.exe 2260 SRAgent.exe 3168 SRManager.exe 3168 SRManager.exe -
pid Process 6036 powershell.exe 6100 powershell.exe 3444 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 4896 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRFeature.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRSelfSignCertUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PreVerCheck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dotnet-runtime-8.0.11-win-x64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8-0-11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRVirtualDisplay.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashtopStreamer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8-0-11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAppPB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Time Discovery 1 TTPs 11 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
pid Process 5496 dotnet.exe 2716 dotnet.exe 5804 cmd.exe 5412 dotnet.exe 4940 8-0-11.exe 5564 cmd.exe 5264 cmd.exe 5776 dotnet.exe 4100 dotnet-runtime-8.0.11-win-x64.exe 3924 dotnet.exe 5600 cmd.exe -
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\LowerFilters DrvInst.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags rundll32.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009437f937e63df4350000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009437f9370000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009437f937000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9437f937000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009437f93700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009 svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\CompatibleIDs DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Service DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\UpperFilters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000 DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\UpperFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags svchost.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs rundll32.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\LowerFilters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Filters DrvInst.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\LowerFilters DrvInst.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Filters DrvInst.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 DrvInst.exe -
Kills process with taskkill 13 IoCs
pid Process 3168 taskkill.exe 2080 taskkill.exe 3096 taskkill.exe 5100 TaskKill.exe 1292 taskkill.exe 5076 taskkill.exe 4048 taskkill.exe 4548 taskkill.exe 3696 taskkill.exe 3296 taskkill.exe 5896 TaskKill.exe 1136 taskkill.exe 5272 TaskKill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageMarketplace.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\Sequence = "3" msiexec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0000 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs rundll32.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0001\Sequence = "2" msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\Certificates cscript.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "7" SetupUtil.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "C:\\Windows\\system32\\SRCredentialProvider.dll" SRService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Dependents\{e883dae5-a63d-4a45-afb9-257f64d5a59b} dotnet-runtime-8.0.11-win-x64.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64 dotnet-runtime-8.0.11-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\URL Protocol AgentPackageTicketing.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\PackageName = "setup.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F11C95FF37DB254D8D1C8338BD25870\MainFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\PackageCode = "6A2CD1281BEA6974086CF7E70C729BF4" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Assignment = "1" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{F59C11F0-D73F-452B-8D1D-8C33B82D8507}v64.44.23191\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{362B4D0D-8438-44DA-86B2-FEC44E000FCA}v64.44.23191\\" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63337BB296F4141479799EDBF63E89A0\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net\1 = "C:\\Windows\\TEMP\\unpack\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID MsiExec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF1292B61C97FBE4184B6C604D5EEB4F msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\ = "{9C80213E-9079-4561-8D57-1FDD0D62251F}" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\AdvertiseFlags = "388" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64\Dependents\{e883dae5-a63d-4a45-afb9-257f64d5a59b} dotnet-runtime-8.0.11-win-x64.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63337BB296F4141479799EDBF63E89A0 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\ = "SRCredentialProvider" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait AgentPackageTicketing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\Version = "8.0.11.34217" dotnet-runtime-8.0.11-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64\Version = "64.44.23191" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\ = "SRCredentialProvider" SRService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6DA04985925EAF493E05C325D562007 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F11C95FF37DB254D8D1C8338BD25870\Provider msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open\command\ = "\"C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe\" \"%1\"" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\PackageCode = "F2E9E119D83B20D41A84E594CFD99834" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Dependents dotnet-runtime-8.0.11-win-x64.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64\DisplayName = "Microsoft .NET Host - 8.0.11 (x64)" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\Version = "1076648599" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\ = "{F59C11F0-D73F-452B-8D1D-8C33B82D8507}" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8\49AE5C7BA69B5F14EB59527DB8846687 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\ = "URL:ait Protocol" AgentPackageTicketing.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\ = "{e883dae5-a63d-4a45-afb9-257f64d5a59b}" dotnet-runtime-8.0.11-win-x64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon\ = "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe,1" AgentPackageTicketing.exe -
Modifies system certificate store 2 TTPs 11 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4 cscript.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f cscript.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3516 msiexec.exe 3516 msiexec.exe 1764 AteraAgent.exe 2692 AgentPackageAgentInformation.exe 2692 AgentPackageAgentInformation.exe 1536 AgentPackageAgentInformation.exe 1536 AgentPackageAgentInformation.exe 4092 AgentPackageAgentInformation.exe 4092 AgentPackageAgentInformation.exe 1764 AteraAgent.exe 1764 AteraAgent.exe 3444 powershell.exe 3444 powershell.exe 3444 powershell.exe 1764 AteraAgent.exe 2968 AgentPackageSTRemote.exe 2968 AgentPackageSTRemote.exe 3444 SetupUtil.exe 3444 SetupUtil.exe 3444 SetupUtil.exe 3444 SetupUtil.exe 4084 SRSelfSignCertUtil.exe 4084 SRSelfSignCertUtil.exe 1896 SRService.exe 1896 SRService.exe 3168 SRManager.exe 3168 SRManager.exe 1896 SRService.exe 1896 SRService.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 2260 SRAgent.exe 2260 SRAgent.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 3168 SRManager.exe 4048 SRAppPB.exe 4048 SRAppPB.exe 1896 SRService.exe 1896 SRService.exe 3168 SRManager.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid 4 -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4896 msiexec.exe Token: SeIncreaseQuotaPrivilege 4896 msiexec.exe Token: SeSecurityPrivilege 3516 msiexec.exe Token: SeCreateTokenPrivilege 4896 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4896 msiexec.exe Token: SeLockMemoryPrivilege 4896 msiexec.exe Token: SeIncreaseQuotaPrivilege 4896 msiexec.exe Token: SeMachineAccountPrivilege 4896 msiexec.exe Token: SeTcbPrivilege 4896 msiexec.exe Token: SeSecurityPrivilege 4896 msiexec.exe Token: SeTakeOwnershipPrivilege 4896 msiexec.exe Token: SeLoadDriverPrivilege 4896 msiexec.exe Token: SeSystemProfilePrivilege 4896 msiexec.exe Token: SeSystemtimePrivilege 4896 msiexec.exe Token: SeProfSingleProcessPrivilege 4896 msiexec.exe Token: SeIncBasePriorityPrivilege 4896 msiexec.exe Token: SeCreatePagefilePrivilege 4896 msiexec.exe Token: SeCreatePermanentPrivilege 4896 msiexec.exe Token: SeBackupPrivilege 4896 msiexec.exe Token: SeRestorePrivilege 4896 msiexec.exe Token: SeShutdownPrivilege 4896 msiexec.exe Token: SeDebugPrivilege 4896 msiexec.exe Token: SeAuditPrivilege 4896 msiexec.exe Token: SeSystemEnvironmentPrivilege 4896 msiexec.exe Token: SeChangeNotifyPrivilege 4896 msiexec.exe Token: SeRemoteShutdownPrivilege 4896 msiexec.exe Token: SeUndockPrivilege 4896 msiexec.exe Token: SeSyncAgentPrivilege 4896 msiexec.exe Token: SeEnableDelegationPrivilege 4896 msiexec.exe Token: SeManageVolumePrivilege 4896 msiexec.exe Token: SeImpersonatePrivilege 4896 msiexec.exe Token: SeCreateGlobalPrivilege 4896 msiexec.exe Token: SeBackupPrivilege 4460 vssvc.exe Token: SeRestorePrivilege 4460 vssvc.exe Token: SeAuditPrivilege 4460 vssvc.exe Token: SeBackupPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeDebugPrivilege 4964 rundll32.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeDebugPrivilege 5100 TaskKill.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe Token: SeTakeOwnershipPrivilege 3516 msiexec.exe Token: SeRestorePrivilege 3516 msiexec.exe -
Suspicious use of FindShellTrayWindow 4 IoCs
pid Process 4896 msiexec.exe 4896 msiexec.exe 3752 SRServer.exe 3752 SRServer.exe -
Suspicious use of SetWindowsHookEx 7 IoCs
pid Process 4696 SplashtopStreamer.exe 3752 SRServer.exe 3752 SRServer.exe 4048 SRAppPB.exe 4048 SRAppPB.exe 5824 SRVirtualDisplay.exe 5824 SRVirtualDisplay.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3516 wrote to memory of 1652 3516 msiexec.exe 93 PID 3516 wrote to memory of 1652 3516 msiexec.exe 93 PID 3516 wrote to memory of 4952 3516 msiexec.exe 95 PID 3516 wrote to memory of 4952 3516 msiexec.exe 95 PID 3516 wrote to memory of 4952 3516 msiexec.exe 95 PID 4952 wrote to memory of 1768 4952 MsiExec.exe 96 PID 4952 wrote to memory of 1768 4952 MsiExec.exe 96 PID 4952 wrote to memory of 1768 4952 MsiExec.exe 96 PID 4952 wrote to memory of 4964 4952 MsiExec.exe 97 PID 4952 wrote to memory of 4964 4952 MsiExec.exe 97 PID 4952 wrote to memory of 4964 4952 MsiExec.exe 97 PID 4952 wrote to memory of 2952 4952 MsiExec.exe 98 PID 4952 wrote to memory of 2952 4952 MsiExec.exe 98 PID 4952 wrote to memory of 2952 4952 MsiExec.exe 98 PID 3516 wrote to memory of 4700 3516 msiexec.exe 100 PID 3516 wrote to memory of 4700 3516 msiexec.exe 100 PID 3516 wrote to memory of 4700 3516 msiexec.exe 100 PID 4700 wrote to memory of 4736 4700 MsiExec.exe 101 PID 4700 wrote to memory of 4736 4700 MsiExec.exe 101 PID 4700 wrote to memory of 4736 4700 MsiExec.exe 101 PID 4736 wrote to memory of 3276 4736 NET.exe 103 PID 4736 wrote to memory of 3276 4736 NET.exe 103 PID 4736 wrote to memory of 3276 4736 NET.exe 103 PID 4700 wrote to memory of 5100 4700 MsiExec.exe 104 PID 4700 wrote to memory of 5100 4700 MsiExec.exe 104 PID 4700 wrote to memory of 5100 4700 MsiExec.exe 104 PID 3516 wrote to memory of 3120 3516 msiexec.exe 106 PID 3516 wrote to memory of 3120 3516 msiexec.exe 106 PID 4952 wrote to memory of 1128 4952 MsiExec.exe 108 PID 4952 wrote to memory of 1128 4952 MsiExec.exe 108 PID 4952 wrote to memory of 1128 4952 MsiExec.exe 108 PID 1764 wrote to memory of 4964 1764 AteraAgent.exe 109 PID 1764 wrote to memory of 4964 1764 AteraAgent.exe 109 PID 1764 wrote to memory of 2692 1764 AteraAgent.exe 111 PID 1764 wrote to memory of 2692 1764 AteraAgent.exe 111 PID 1764 wrote to memory of 1536 1764 AteraAgent.exe 113 PID 1764 wrote to memory of 1536 1764 AteraAgent.exe 113 PID 1764 wrote to memory of 2940 1764 AteraAgent.exe 115 PID 1764 wrote to memory of 2940 1764 AteraAgent.exe 115 PID 1764 wrote to memory of 4092 1764 AteraAgent.exe 117 PID 1764 wrote to memory of 4092 1764 AteraAgent.exe 117 PID 4412 wrote to memory of 4448 4412 AteraAgent.exe 120 PID 4412 wrote to memory of 4448 4412 AteraAgent.exe 120 PID 4092 wrote to memory of 3444 4092 AgentPackageAgentInformation.exe 122 PID 4092 wrote to memory of 3444 4092 AgentPackageAgentInformation.exe 122 PID 1764 wrote to memory of 4432 1764 AteraAgent.exe 124 PID 1764 wrote to memory of 4432 1764 AteraAgent.exe 124 PID 1764 wrote to memory of 2968 1764 AteraAgent.exe 126 PID 1764 wrote to memory of 2968 1764 AteraAgent.exe 126 PID 4092 wrote to memory of 4980 4092 AgentPackageAgentInformation.exe 128 PID 4092 wrote to memory of 4980 4092 AgentPackageAgentInformation.exe 128 PID 4980 wrote to memory of 5036 4980 cmd.exe 130 PID 4980 wrote to memory of 5036 4980 cmd.exe 130 PID 2968 wrote to memory of 4696 2968 AgentPackageSTRemote.exe 133 PID 2968 wrote to memory of 4696 2968 AgentPackageSTRemote.exe 133 PID 2968 wrote to memory of 4696 2968 AgentPackageSTRemote.exe 133 PID 4696 wrote to memory of 1412 4696 SplashtopStreamer.exe 134 PID 4696 wrote to memory of 1412 4696 SplashtopStreamer.exe 134 PID 4696 wrote to memory of 1412 4696 SplashtopStreamer.exe 134 PID 1412 wrote to memory of 3472 1412 PreVerCheck.exe 135 PID 1412 wrote to memory of 3472 1412 PreVerCheck.exe 135 PID 1412 wrote to memory of 3472 1412 PreVerCheck.exe 135 PID 3516 wrote to memory of 3268 3516 msiexec.exe 136 PID 3516 wrote to memory of 3268 3516 msiexec.exe 136 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4896
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:1652
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7F710304E705B775E8ACDAC0DBCBA0792⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4952 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIDDCD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240639671 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1768
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIE06E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240640140 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4964
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIE4C4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240641250 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2952
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIF091.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240644312 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1128
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 60459EE0791F400A3CEB579C3A132BCF E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4700 -
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4736 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:3276
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5100
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000QFoFLIA1" /AgentId="4accd7e7-6560-48a7-8998-7e9bfa056317"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:3120
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding C133141BB5963B3CF52018FB65E11C09 E Global\MSI00002⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
PID:3268 -
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{08ECF16C-C1EF-4F4F-B449-15664E0EB94A}3⤵
- Executes dropped EXE
PID:2248
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7955ECC0-6B77-464C-958E-9B4196B1E3DC}3⤵
- Executes dropped EXE
PID:2468
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BA7A7BCC-3A16-4D2E-BBD1-2125C4BA9F81}3⤵
- Executes dropped EXE
PID:3432
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B6B7B02-99AF-413C-A3E5-55A2B4CDF3B4}3⤵
- Executes dropped EXE
PID:4336
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B0F5B892-9D4B-40F1-9A4E-0925E36E2053}3⤵
- Executes dropped EXE
PID:1596
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AD869329-B964-4E45-8687-965F385879A6}3⤵
- Executes dropped EXE
PID:3752
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5161EF86-3C87-4E3F-B79A-A6938B89F3A3}3⤵
- Executes dropped EXE
PID:2692
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FC5BFBC5-E1A0-498B-B346-C43B2E14EEA7}3⤵
- Executes dropped EXE
PID:4848
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{114332BB-CBE6-47B3-B42F-9A2EC5441FE3}3⤵
- Executes dropped EXE
PID:4264
-
-
C:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exeC:\Windows\TEMP\{DECDC4E4-87D0-4B7B-A703-93782874F6FE}\_is23B0.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FE1D7598-C6CC-4997-ADA5-5475247BCF82}3⤵
- Executes dropped EXE
PID:4952
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2648 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRServer.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1136
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:3180 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRApp.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3168
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:1624 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1292
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4844 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4440 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4048
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4008 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4548
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵PID:4848
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3696
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4932 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2080
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:1236 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAudioChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4324 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRVirtualDisplay.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3296
-
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{24C12F12-91DC-4C25-B9A6-0B90392AC000}3⤵
- Executes dropped EXE
PID:3696
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{74FB5E9D-7C43-44C4-85F6-03A7B25687E5}3⤵
- Executes dropped EXE
PID:3636
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{17544601-1AA9-4476-A103-5BDFC27C4A58}3⤵
- Executes dropped EXE
PID:3260
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CEFC7EFD-CDB0-4FB4-85E8-CBD1E68E7C9F}3⤵
- Executes dropped EXE
PID:2880
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D5977469-91DA-4A04-9608-2D91C06087A1}3⤵
- Executes dropped EXE
PID:4048
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{964430AB-A86B-4EB1-9B2E-6DB40F1193FB}3⤵
- Executes dropped EXE
PID:1932
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{61084C42-4BA1-486E-BC95-E3BCD97CBF30}3⤵
- Executes dropped EXE
PID:3876
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C9F7EB1-97A6-41C3-84C6-70034E9173AA}3⤵
- Executes dropped EXE
PID:3104
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1C659AAE-29E4-499C-B786-05A94F08CC81}3⤵
- Executes dropped EXE
PID:5036
-
-
C:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exeC:\Windows\TEMP\{B09D7DD6-DC11-4B03-B058-A778425D73B8}\_is31DA.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{72372FA0-E53D-40EA-829F-A95C8A0A0B16}3⤵
- Executes dropped EXE
PID:1184
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9F1441A8-3AB8-4385-9F49-5B6059B4A23F}3⤵
- Executes dropped EXE
PID:3260
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF6CC754-0757-48BF-BADE-FE63462A8A86}3⤵
- Executes dropped EXE
PID:1292
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3ED8019D-89A1-4AB6-B02E-551599E78474}3⤵
- Executes dropped EXE
PID:4048
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B31785D-5FF4-41A1-A149-BE42A30CDD1D}3⤵
- Executes dropped EXE
PID:2816
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F862782F-B168-48D2-85B9-8EA439E5526E}3⤵
- Executes dropped EXE
PID:1028
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9F5F1B08-EBB7-4B08-9A6D-6697226BEDE3}3⤵
- Executes dropped EXE
PID:5036
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5C052AFA-2233-41FB-9075-0D5346D73A52}3⤵
- Executes dropped EXE
PID:1184
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7A24331D-BBD9-42CA-BC1C-DE410E05E4FC}3⤵
- Executes dropped EXE
PID:1304
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{78F6CD85-9C91-4445-8430-8C72EF8C12F4}3⤵
- Executes dropped EXE
PID:3216
-
-
C:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exeC:\Windows\TEMP\{BB86DFE8-BEDC-4E37-A04A-A073A058C214}\_is40DE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6102657F-0762-47C9-A604-E5149E1A4D1D}3⤵
- Executes dropped EXE
PID:4084
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3096
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID3⤵
- Executes dropped EXE
PID:2060
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3444 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:1136
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:812
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4084
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8B94959B-5D7F-40FB-9276-6FC1910C2697}3⤵
- Executes dropped EXE
PID:3200
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DA2B5B3E-A43A-4183-B4BB-BFCE5A16B12F}3⤵
- Executes dropped EXE
PID:2916
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CAFE3812-E32D-4182-A742-566C8FA60699}3⤵
- Executes dropped EXE
PID:1740
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FAF8D29A-101A-4A42-9246-74F3F1EA8F5A}3⤵
- Executes dropped EXE
PID:3696
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EC6BA255-E3CB-4DEA-8230-FEE86246948B}3⤵
- Executes dropped EXE
PID:3752
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB1D940D-9A3F-4098-85F4-9BDA7EE00F0D}3⤵
- Executes dropped EXE
PID:4048
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B5FBE03-F72E-4ADF-B278-9F0BA0E59376}3⤵
- Executes dropped EXE
PID:4940
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EEDB4128-601C-4928-8B45-2CB1F2B116C6}3⤵
- Executes dropped EXE
PID:1652
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2081EDA5-FDFA-43CD-A48C-7BD1A1EF561B}3⤵
- Executes dropped EXE
PID:3500
-
-
C:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exeC:\Windows\TEMP\{3D9C8837-D52D-4DF6-A6C5-5DDC46D4C205}\_is53BD.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7B127001-171B-43ED-93D1-B585E843E773}3⤵
- Executes dropped EXE
PID:1176
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:4332
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{81F82378-B751-4DD8-9B8A-64C2E60F9EE8}3⤵
- Executes dropped EXE
PID:4940
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{204813E8-B924-4603-B35C-A7D177CEC883}3⤵
- Executes dropped EXE
PID:748
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{81039644-BE6C-4D68-849E-13822ECD69B3}3⤵
- Executes dropped EXE
PID:4456
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C0357356-773D-4EC2-A899-94E135F71078}3⤵
- Executes dropped EXE
PID:1896
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7D6CBE4C-0448-4E17-B996-AECFB59BEBD2}3⤵
- Executes dropped EXE
PID:4984
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{17D6C673-29FA-4C5F-8D21-1174CF60C799}3⤵
- Executes dropped EXE
PID:4540
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{03B16106-60C5-4060-B1B8-DE262B68523D}3⤵
- Executes dropped EXE
PID:3520
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{251CA570-CA70-436B-8870-C792C90ED9F3}3⤵
- Executes dropped EXE
PID:3260
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{74ED5318-8A09-4CC0-93D0-649708C07A11}3⤵PID:2920
-
-
C:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exeC:\Windows\TEMP\{292454D1-91C0-42E4-B178-FA200E626F8D}\_is56AC.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B240C0EF-2378-4BF6-8CA6-65414CC7D74A}3⤵PID:4940
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r3⤵
- System Location Discovery: System Language Discovery
PID:3012
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FAF13B919824F4F833E122483A30A9C8 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:5760 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI99CC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240687734 463 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5268
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI9CAC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240688281 467 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5732
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIA392.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240690046 472 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5372
-
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:5452 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:5404
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5896
-
-
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:4728 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:5032
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5272
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIC3B6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240698265 510 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:5348
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u2⤵
- Drops file in System32 directory
PID:4156
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="" /AgentId="2c917860-9125-41ea-ad8b-d181476a8e11"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:5676
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding FD6DA02FEEACE3D21DE31ADAEF785AE9 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:3732
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 70B36C59177CBA1B537DDBFBBEFD3503 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:4928
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 4700B05C0FF47331B063E1D8D7A24E84 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:5796
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1764 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:4964
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "e8998491-2005-42e8-ae3a-53a3988c888f" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QFoFLIA12⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2692
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "9035afd8-817d-431e-8dfd-100ec4829539" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QFoFLIA12⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1536
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "ada0092f-85f6-4c22-ac5d-8bfdebf96e6e" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000QFoFLIA12⤵
- Executes dropped EXE
PID:2940
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "ad404902-c582-4685-a8c1-321b98a247d1" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000QFoFLIA12⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4092 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3444
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:4980 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:5036
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "e7030aa7-0d2e-49cd-955e-6f56a41854e8" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000QFoFLIA12⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4432
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "54031d3a-b234-4ec0-a596-cea61ebe2116" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000QFoFLIA12⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4696 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵
- System Location Discovery: System Language Discovery
PID:3472
-
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4412 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:4448
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "ee72a818-7d5a-4baf-bbce-645f3fb7fc37" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000QFoFLIA12⤵PID:3568
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:6036
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:5704
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
- Modifies system certificate store
PID:5444
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "8c3feaa4-76e0-49f8-9f16-a36176d85c15" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000QFoFLIA12⤵PID:4976
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=e8f31dc1db31d492f470158bb1b2eee9&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:4236
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "f7b3f916-14d5-4e02-a823-b9d4d389b29a" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QFoFLIA12⤵
- Drops file in System32 directory
PID:6100
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "947951bd-cd3d-44c8-8107-cdcc2b8cd786" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QFoFLIA12⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:4940
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "c42d350c-00d9-4022-ac84-b9f9c2d930a1" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000QFoFLIA12⤵
- Drops file in Program Files directory
- Modifies registry class
PID:3788
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "725c945a-fbb5-418e-912a-ea227324fff7" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000QFoFLIA12⤵
- Modifies data under HKEY_USERS
PID:4420
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "6ba16b03-3d54-4dee-851b-70750f93567a" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QFoFLIA12⤵PID:3592
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "7bfa2241-b3e3-4a8f-b6e6-6eca3e012b01" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000QFoFLIA12⤵PID:5184
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "3ee8bfde-f561-4e86-801f-fa383d661841" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000QFoFLIA12⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5532
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "28d1c4b2-5f01-471e-962c-b7f1294cb256" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000QFoFLIA12⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:5692
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "03683c7f-ecd1-4d37-847b-7b3ef544f1d4" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000QFoFLIA12⤵
- Drops file in System32 directory
PID:5768 -
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart3⤵
- Modifies data under HKEY_USERS
PID:5488
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "9a34dc7f-8551-4879-96aa-2b4bd7f3aa0c" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000QFoFLIA12⤵
- Drops file in System32 directory
PID:5860
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "e338be39-53c9-47cf-81ea-f88f564f81e0" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QFoFLIA12⤵
- Writes to the Master Boot Record (MBR)
PID:5956
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "bb4f9c3d-f4e3-4e62-b491-877f7783d8fd" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000QFoFLIA12⤵
- Drops file in System32 directory
PID:5980
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "a100ec83-adae-4b9c-a551-3914185b3566" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiOC4wLjExIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU1ZWIyYTQ5LTI1MjMtNDAyZS1iNjIzLTdhOTAxN2I4YmRlZi84Y2NkNDBhMjEzZWMyOTY0YWY0MTlmOWY3MjI2MzAyNy9kb3RuZXQtcnVudGltZS04LjAuMTEtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8zZjkyNmRkMi1kMjM0LTQzN2EtOGY2YS1lYTZkNzdjMzY4NGMvM2U4MzZhMzQ1YjEzNjA5MTcxM2E3NjliODdmMzQ5OTMvZG90bmV0LXJ1bnRpbWUtOC4wLjExLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzljZjYyYmI3LTAyZmEtNDA3Mi1iNzY1LTVlMDRhZDA4OTc4OC8zZjM0ZGQ1NjU5Zjk5MTcyYWVhN2M0Y2M5ZGM3YTk3NS9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci81M2U5ZTQxYy1iMzYyLTQ1OTgtOTk4NS00NWY5ODk1MTgwMTYvNTNjNWUxOTE5YmEyZmUyMzI3M2YyYWJhZmY2NTU5NWIvZG90bmV0LXJ1bnRpbWUtOC4wLjExLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E4ZDFhNDg5LTYwZDYtNGU2My05M2VlLWFiOWM0NGQ3OGIwZC81NTE5Zjk5ZmY1MGRlNmUwOTZiYjFkMjY2ZGQwZTY2Ny9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6Im1kZUhHZFVWTllIM21IcW1FMGJMaG5mNUpqNWNVaUZvdHFVSUk3bXltVEZKTXkwYzNvNWZ2YlFJSFx1MDAyQlU4bHA2QVdWZllPeS9wbXFLREpZZ3lTN3gyNEE9PSIsIk1hY1g2NENoZWNrc3VtIjoiTUdaVmR6Z0xqbjlIWmFZU21OWi9oMDZibVNRWS9ZSVJQeTdhQzNkM0kveWtLTFx1MDAyQkNubmUweUtQd1h5TW9pSHpONEtqWGZIeGdwcW0wWHJuaDlNSE04Zz09IiwiV2luQVJNQ2hlY2tzdW0iOiJWMEs0bVZwbFx1MDAyQjkxd0FYMWlZWEZyV2EyTTdORldYSjAvT29KSjMzQklWRlV1WXRzSE14TUsydWxnaTdcdTAwMkJQc1QwY1paeFBORDlhZ2t0dWZXRnZwMDl0b1E9PSIsIldpblg2NENoZWNrc3VtIjoiM05UbUVqazRubEg2Tm5ra1RmS2N1L1E5M1FNRlZHUjUxa3hlSGFQQTlESXZZS0N2VmpkYUxUNEpVY2x6VkcyL2djQW1pXHUwMDJCVXlrYXJkV2piR1hEXHUwMDJCUUh3PT0iLCJXaW5YODZDaGVja3N1bSI6InREanNWcmljT3g4RkJ1TEFzUjFVTXd4d2tQUktLOHhVdURSVVQ0L0E1b3NrdjVKdE03UzFrejBuU2FFMXRzY2JtcDROeDZ3SUNPUmZxRkJINzNlUnF3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000QFoFLIA12⤵
- Downloads MZ/PE file
- Drops file in System32 directory
PID:5180 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:5804 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:5412
-
-
-
C:\Program Files\dotnet\dotnet.exe"C:\Program Files\dotnet\dotnet" --list-runtimes3⤵
- System Time Discovery
PID:5776
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe" /repair /quiet /norestart3⤵
- System Location Discovery: System Language Discovery
PID:5788 -
C:\Windows\Temp\{C1969E0F-F8A1-41D2-9BFF-9254CED2AD52}\.cr\8-0-11.exe"C:\Windows\Temp\{C1969E0F-F8A1-41D2-9BFF-9254CED2AD52}\.cr\8-0-11.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe" -burn.filehandle.attached=720 -burn.filehandle.self=724 /repair /quiet /norestart4⤵
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:4940 -
C:\Windows\Temp\{3FFD50C1-3EC4-4D8E-9206-566355B7CC21}\.be\dotnet-runtime-8.0.11-win-x64.exe"C:\Windows\Temp\{3FFD50C1-3EC4-4D8E-9206-566355B7CC21}\.be\dotnet-runtime-8.0.11-win-x64.exe" -q -burn.elevated BurnPipe.{1A8A3FB7-2DAF-431B-9B89-7CB26B0EEF15} {6D4EA6F5-71BE-44AF-B76F-E5E5331DBFBB} 49405⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- System Time Discovery
- Modifies registry class
PID:4100
-
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:5564 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:3924
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:5264 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:5496
-
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:1896 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3168 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3752
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2260 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v4⤵PID:1028
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4048
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3476 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵
- System Location Discovery: System Language Discovery
PID:1596
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5824 -
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat" nosetkey4⤵PID:4492
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ver5⤵PID:5436
-
-
C:\Windows\system32\sc.exesc query ddmgr5⤵
- Launches sc.exe
PID:2864
-
-
C:\Windows\system32\sc.exesc query lci_proxykmd5⤵
- Launches sc.exe
PID:3612
-
-
C:\Windows\system32\rundll32.exerundll32 x64\my_setup.dll do_install_lci_proxywddm5⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2336
-
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
PID:2896 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:2864
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "58eff35f-c7eb-4d01-beb1-9ca6e167dd94" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000QFoFLIA12⤵
- Drops file in Program Files directory
PID:5312 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:6100
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:4792
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:1408
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "679b075e-5daa-41b4-8ac5-4412c6406cfd" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000QFoFLIA12⤵PID:5260
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "ad1add88-5bee-46d1-a069-7e6c66ca5d89" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QFoFLIA12⤵PID:3564
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "1c000924-f912-48c0-8c1c-04ebfa1c0723" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000QFoFLIA12⤵PID:3300
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "998ab737-ab92-436a-9132-4b82448658b3" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QFoFLIA12⤵
- Writes to the Master Boot Record (MBR)
PID:6044
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "72bc589c-b7e9-4cd3-967d-6c70e135b95b" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000QFoFLIA12⤵PID:5720
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=e8f31dc1db31d492f470158bb1b2eee9&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:2632
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "ebfcd71d-d547-44d9-9eb1-233573de395f" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QFoFLIA12⤵PID:948
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "f425aa93-ac45-421b-9109-708716038481" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000QFoFLIA12⤵PID:5340
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "74d9ef12-0387-42ef-af51-76e4249b93d2" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000QFoFLIA12⤵PID:512
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "d8874e9b-8319-46d4-b090-2ae919a35353" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QFoFLIA12⤵PID:5748
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "bb0742f0-18c4-41bf-8fea-4b6f0103e128" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000QFoFLIA12⤵PID:2940
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "e18fa489-35ed-4fa3-af8b-f72a8c264ce3" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000QFoFLIA12⤵
- Modifies registry class
PID:5856
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "cb5bc73e-fff2-4815-9b6b-f4a3813603dc" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiOC4wLjExIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU1ZWIyYTQ5LTI1MjMtNDAyZS1iNjIzLTdhOTAxN2I4YmRlZi84Y2NkNDBhMjEzZWMyOTY0YWY0MTlmOWY3MjI2MzAyNy9kb3RuZXQtcnVudGltZS04LjAuMTEtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8zZjkyNmRkMi1kMjM0LTQzN2EtOGY2YS1lYTZkNzdjMzY4NGMvM2U4MzZhMzQ1YjEzNjA5MTcxM2E3NjliODdmMzQ5OTMvZG90bmV0LXJ1bnRpbWUtOC4wLjExLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzljZjYyYmI3LTAyZmEtNDA3Mi1iNzY1LTVlMDRhZDA4OTc4OC8zZjM0ZGQ1NjU5Zjk5MTcyYWVhN2M0Y2M5ZGM3YTk3NS9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci81M2U5ZTQxYy1iMzYyLTQ1OTgtOTk4NS00NWY5ODk1MTgwMTYvNTNjNWUxOTE5YmEyZmUyMzI3M2YyYWJhZmY2NTU5NWIvZG90bmV0LXJ1bnRpbWUtOC4wLjExLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E4ZDFhNDg5LTYwZDYtNGU2My05M2VlLWFiOWM0NGQ3OGIwZC81NTE5Zjk5ZmY1MGRlNmUwOTZiYjFkMjY2ZGQwZTY2Ny9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6Im1kZUhHZFVWTllIM21IcW1FMGJMaG5mNUpqNWNVaUZvdHFVSUk3bXltVEZKTXkwYzNvNWZ2YlFJSFx1MDAyQlU4bHA2QVdWZllPeS9wbXFLREpZZ3lTN3gyNEE9PSIsIk1hY1g2NENoZWNrc3VtIjoiTUdaVmR6Z0xqbjlIWmFZU21OWi9oMDZibVNRWS9ZSVJQeTdhQzNkM0kveWtLTFx1MDAyQkNubmUweUtQd1h5TW9pSHpONEtqWGZIeGdwcW0wWHJuaDlNSE04Zz09IiwiV2luQVJNQ2hlY2tzdW0iOiJWMEs0bVZwbFx1MDAyQjkxd0FYMWlZWEZyV2EyTTdORldYSjAvT29KSjMzQklWRlV1WXRzSE14TUsydWxnaTdcdTAwMkJQc1QwY1paeFBORDlhZ2t0dWZXRnZwMDl0b1E9PSIsIldpblg2NENoZWNrc3VtIjoiM05UbUVqazRubEg2Tm5ra1RmS2N1L1E5M1FNRlZHUjUxa3hlSGFQQTlESXZZS0N2VmpkYUxUNEpVY2x6VkcyL2djQW1pXHUwMDJCVXlrYXJkV2piR1hEXHUwMDJCUUh3PT0iLCJXaW5YODZDaGVja3N1bSI6InREanNWcmljT3g4RkJ1TEFzUjFVTXd4d2tQUktLOHhVdURSVVQ0L0E1b3NrdjVKdE03UzFrejBuU2FFMXRzY2JtcDROeDZ3SUNPUmZxRkJINzNlUnF3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000QFoFLIA12⤵PID:4916
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:5600 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:2716
-
-
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "64d38eea-7651-4b03-8b12-c2e0e10860a4" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000QFoFLIA12⤵PID:4940
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "ebfcd71d-d547-44d9-9eb1-233573de395f" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QFoFLIA12⤵PID:5472
-
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 4accd7e7-6560-48a7-8998-7e9bfa056317 "32ad38b6-1ae8-4c96-b5f0-70b730b34d7e" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000QFoFLIA12⤵PID:5376
-
C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe"C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "4accd7e7-6560-48a7-8998-7e9bfa056317" "32ad38b6-1ae8-4c96-b5f0-70b730b34d7e" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates" "001Q300000QFoFLIA1"3⤵PID:5732
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5360 -
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf" "9" "4804066df" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2120
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "1" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10\lci_proxywddm.inf" "9" "4a8a251e7" "000000000000010C" "WinSta0\Default" "0000000000000164" "208" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10"2⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:5076
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c276d4b8d1e66062:lci_proxywddm.Install:1.0.2018.1204:root\lci_proxywddm," "4a8a251e7" "000000000000017C"2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:5316
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "0" "LCI\IDDCX\1&79f5d87&0&WHO_CARE" "" "" "48ef22a9f" "0000000000000000"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4880
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD50d8459d7d8507a78afe5c7eed39daaa9
SHA1adb135e21139257f5641eb175b146c995288bba6
SHA256611647c784d0016ae1028e0521e8103008af303c60234de3322d04cc414967e2
SHA5125bc8a7dfa4a90f8647a87ae422e24332e6f45dde394ec89d12b5b3137255d934523b92465b35028f4ac2435813de12b7d99525714376ebe2ccfe68d00855c302
-
Filesize
74KB
MD55ab09f2f5fc9fe3627429f2347d7dda1
SHA1e67adbf3d3c4f3b4e2f583b2abd8fa6dd9053183
SHA256d6592c1eb480a0dbcf7ef75362f5ae7daa5f662f76d7034876e0fcdbbc746b57
SHA5125958c58316f66644ee1bddca78105753eaf5bcc0178c7ee23df7587dcb8a07dd88d66882f61b27e40e8979059a4cb8e53ee06ddfeb478fdcf879c0512cb3fad1
-
Filesize
464B
MD5604ce6e1818a17fa466949493a63668a
SHA15bdbb21d4e6b9739709ce8164c711c483946ed7a
SHA2568633bfb2db8e58e5ca26cb826e634970bbb065303357b3b68c273a6124f53bab
SHA5121248ff23fb018f5218383b9672c30330e876423b43473072873d2d18230056fe4d4b3c30ad4237f484ef01131cf4557bc0d8a9bec4d30621efa5d3c8995d7ed7
-
Filesize
9KB
MD58152c829c0450239c0bc5658ffa9b220
SHA13e2a2dd11ba7d193d38f55b606b2b5a65b401cf7
SHA256bf3fcbb5560f64b8ec286700e076c69f4810044f62a0939f4d4c6d127db9aca3
SHA512d7ee96194642f504fbcd0df7ab51c116d397a897a107787879246075509797c0e84b66569beccc438c3a888c5e611a1dca07d96f6a2b030d3ae9ecaecb1e6d48
-
Filesize
8KB
MD5992d456046e894955e5e24c94173bc1c
SHA17d6671fb8fa54b24d0ac1c6410ae726a3c6cd169
SHA256cf38a5d13d5a00c55ac4dba2247b4c7a95ff155d9a4ec8ffc17595c750e488ce
SHA512c7eeec15adba80d42e1682595eebdbb2f3eaf0627017eac4491a89cec21907ceaba9828c5f0528821f059067f72a0299984355312f9b74a0cd27d7b39c496299
-
Filesize
48KB
MD55ef1da6ea8661f112aa8973b5de89a97
SHA1b75344e485ded6634f76f72bfe88c5bac480cd3c
SHA2565d9c731d2e3a16e8b1a4ea191be5a942f8bb44461407b8f424fdf2e7c3be475c
SHA512794cfae6a5187d78a60ed0cbfc11252343a86e760e0ccda67dd5524309d3e33840fe0e0bf63e1cbbfb70ddfe9c56b34cf16e2d5f00fd4b85598deed84f5a3064
-
Filesize
9KB
MD5db8ffee51ce602c7d82d34c7496e9d91
SHA102c1aef03492415071c5bc727f62a5e0ce41d079
SHA2560df1fe29c155c742bae0b34fd33829beec59c6c77d7374c8e2f7a04ecdcc5d8e
SHA512b04fb3d229f93911da002a773c612fb22346e8f6e8ff371a904d7bc1530a2f099a7f3992db4099451e435f00bd0d99b36e731350cf48bd247f928e5b2154f95b
-
Filesize
11KB
MD5c22f6b1f9aa30d1830bf063468684d34
SHA1e49d76d06d45f800764fcd1d21321328d4767e60
SHA256d73b2b74b0966a812aca5b898fe0f6914fc90f313198f67300f9f4e71a237b5c
SHA512ef2c64f8d69c88f862a43c58055b63c2ab18056bfaf819c32129319a7d3f928485c005484029589a5bc190e43790eec8a1b0ea69ff397d0be98d51573d26a40b
-
Filesize
8KB
MD5fb6ab1ebac7fdc22d914716c45d6ad10
SHA157f3bf3ab13c6bfc5d758d59f84d6d49a41fa09a
SHA256e6b78e88803c57e853350119a64049ef6d3cfacdd8c3aabd74f8daa1e0ce1038
SHA5127bf01aece0256e5a495d02308ae03add210f0d4653e9fb959323c6120dc05d125eaab5b789552871915fcb97ebf86c1f0cadb79f67530a81d0877d55a0e5a911
-
Filesize
143KB
MD533b4c87f18b4c49114d7a8980241657a
SHA1254c67b915e45ad8584434a4af5e06ca730baa3b
SHA256587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662
SHA51242b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9
-
Filesize
3B
MD521438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
Filesize
753B
MD58298451e4dee214334dd2e22b8996bdc
SHA1bc429029cc6b42c59c417773ea5df8ae54dbb971
SHA2566fbf5845a6738e2dc2aa67dd5f78da2c8f8cb41d866bbba10e5336787c731b25
SHA512cda4ffd7d6c6dff90521c6a67a3dba27bf172cc87cee2986ae46dccd02f771d7e784dcad8aea0ad10decf46a1c8ae1041c184206ec2796e54756e49b9217d7ba
-
Filesize
1KB
MD53840b31c383fdf49bfd6740d945c9032
SHA1a6f50164a69718bcef4664d7c47534f0d721866a
SHA2561f119f4fda8028b420e70ee1637c65e2b4198b41eb3eb44d911afa6f1a0bbc64
SHA512f5315421d4bc5f08fef4e1449e5799ddf311f08eda317a9eaad8c88c2e7b7c26182bd586c0221ffe5f4112e5d6e05f5d45d2d0382b0ed51ca25aa94d4d95a84d
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
210KB
MD5c106df1b5b43af3b937ace19d92b42f3
SHA17670fc4b6369e3fb705200050618acaa5213637f
SHA2562b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
Filesize146KB
MD58d477b63bc5a56ae15314bda8dea7a3a
SHA13ca390584cd3e11172a014784e4c968e7cbb18f5
SHA2569eec91cdd39cbb560ad5b1d063df67088f412da4b851ae41e71304fb8a444293
SHA51244e3d91ad96b4cb919c06ccb91d3c3e31165b2412e1d78bfbaca0bee6f0c1a3253b3e3ddf19009cebf12c261a0392f6a0b7091cf8aba1d0cc4c1ed61c1b6dc42
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Filesize145KB
MD52b9beb2fdbc41afc48d68d32ef41dd08
SHA14a9ea4cf8e02e34ef2dd0ef849ffc0cd9ea6f91c
SHA256977d48979e30a146417937d7e11b26334edec2abddfae1369a9c4348e34857b1
SHA5123e3c3e39ff2df0d1ed769e6c5acba6f7c5d2737d3c426fb4f0e19f3cf6c604707155917584e454a3f208524ed46766b7a3d2d861fa7419f8258c3b6022238e10
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Filesize51KB
MD53180c705182447f4bcc7ce8e2820b25d
SHA1ad6486557819a33d3f29b18d92b43b11707aae6e
SHA2565b536eda4bff1fdb5b1db4987e66da88c6c0e1d919777623344cd064d5c9ba22
SHA512228149e1915d8375aa93a0aff8c5a1d3417df41b46f5a6d9a7052715dbb93e1e0a034a63f0faad98d4067bcfe86edb5eb1ddf750c341607d33931526c784eb35
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD51e065e191e89cc811ff49c96fa8fa5e6
SHA1bc50ff2a20a8b83683583684fcac640a91689ed4
SHA256d88faf6d47342587ea5fbcaf2ef88fb403f7fcdc08fcab67d4f4f381c237a61e
SHA5125a710e168316c30ca10f7b126e870621f46cca6200e206a9984d144abd11fea045bc475599b18597bbed1e4f00e832d94576837f643b22ffaee56871629290dd
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize247KB
MD5aa5cf64d575b7544eefd77f256c4dc57
SHA1bd23989db4f9af0aae34d032e817d802c06ca5a9
SHA25679c5afd94d0ffa3519a90e691a6d47f9c2eec93277f7d369aa34e64b171fc920
SHA512774aeb5188c536d556a8c7a0cd3dfd9ab22d7bc0ad13353d11c9153232585da352552a69eb967a741372a99db490df355a5a47696b2ea446582c834c963cfeff
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Filesize94KB
MD5c69c7690482c75a8fc70df2990d7afc6
SHA179d72d32a03151823bbf0953d5c2ce6bc2bde4b1
SHA256580415595e5936d5f3945e9eeee63f6f4dbacd327aa46e2b7625b638715c27f5
SHA512ed80ade3519345552ca74958efc9c122de840d2844baa08c94400f15168b6fc25377628a55ed12488ea790aaa40bc5bb77b6586de4f1ecd296902bbe36fba4f4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize688KB
MD5111e2e63bccead95bb5ffc53c9282070
SHA1eaae7df21e291aa089bc101b1e265ca202be1225
SHA2569615fe5fe63c48b13ffd8c9bc76170a9ed1cfea6a3d0901e857a1c6c6edaea76
SHA512ffc818615fb30e24633c90b8f5a55c100b5f307414ec54e5a2914bb4ea36d3fb3aa6ed0e5815976a2f6d1b7f056e7da1f108a8eed81b458decebe721ad30b920
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize27KB
MD5797c9554ec56fd72ebb3f6f6bef67fb5
SHA140af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb
SHA2567138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49
SHA5124f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize214KB
MD501807774f043028ec29982a62fa75941
SHA1afc25cf6a7a90f908c0a77f2519744f75b3140d4
SHA2569d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e
SHA51233bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize37KB
MD5efb4712c8713cb05eb7fe7d87a83a55a
SHA1c94d106bba77aecf88540807da89349b50ea5ae7
SHA25630271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75
SHA5123594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8
-
Filesize
3.4MB
MD593e4c198656fc267f392de11dee01cd0
SHA1e92cb59486745ee7564f5b374e790a065e1f4678
SHA25688b220f9f9bf25f856dda714aa1a1ae998720780cd3ec5b968154e03834fa965
SHA5123a04a02982dbbbb9d54b6c5674f2f2c10e0cbce580e3974cd924cc9131cd94aece71c7b975c9abaae82f057c70243fb016d31339e8700c96bd55c434bb98105f
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize397KB
MD5810f893e58861909b134fa72e3bc90cd
SHA1524977f32836634132d23997b23304574d8d156a
SHA256b83b6c1f64b6700d7444586a6214858a1479c58571f5e7bf4f023166c9016733
SHA512db463d34a37403a9248d463ae63989b40a0172d9543bda922dacb10a624eb603700628a67d9c86df2605c36d789902ec79228aa29f26c49be0195c54a9e4a191
-
Filesize
48KB
MD5d4526e189dc14cdc5797fa646d9faa21
SHA1fe9f3503ebcbeed6c87f1977a1ad79bf6002f0cc
SHA25691d411b598afad3b7ac3ab720b9b464b3e2a079218965d208746883ce91bf095
SHA5124ae4d4d0d04dd1fb2a82bfac711067287213dcfe40a014163b04525fd955ecb0af34ca958f8579db531db77a7087692c093fd4439e883e54cd96c107707fccaf
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Filesize197KB
MD5d0d21e16e57a1a73056eae228da1e287
SHA1ab5a27b1d3d977a7f657d0acdf047067c625869f
SHA2563db5809f23020f9988d5db0cf494f014a87b9dc1547cf804ae9d66667505a60c
SHA512470bac3e691525ff6007293bac32198c0021a1411ba9d069f88f8603189b1617c2265fe6553c1f60ef788e69afcb8aa790714c59260b7c015a5be5b149222c48
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
Filesize56KB
MD5d0aa95693d78fd438552bd9df01fec78
SHA10e7173c1af5d5543d5a41aed690e59f3ae4bb0b9
SHA25611201ece7c3ee4bbcde0b84a2bc7c251ef57fce5200b2a1ae437fc959c7ad8a7
SHA5127b48864e72627bb51063ea49f6459eb6c05baa64066d8e6c85f2ff7b7de26b633ff973e2a830da63b6824eaea65690e3f6b29af8adbc0c24724016a8764f3b15
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config
Filesize9KB
MD59d1528a2ce17522f6de064ae2c2b608e
SHA12f1ce8b589e57ab300bb93dde176689689f75114
SHA25611c9ad150a0d6c391c96e2b7f8ad20e774bdd4e622fcdfbf4f36b6593a736311
SHA512a19b54ed24a2605691997d5293901b52b42f6af7d6f6fda20b9434c9243cc47870ec3ae2b72bdea0e615f4e98c09532cb3b87f20c4257163e782c7ab76245e94
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.5692.update
Filesize9KB
MD514ffcf07375b3952bd3f2fe52bb63c14
SHA1ab2eadde4c614eb8f1f2cae09d989c5746796166
SHA2566ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed
SHA51214a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log
Filesize8KB
MD5fe295e65aa8a1872768dfca00fef290f
SHA1fdd8d98f3262a238f153f69d3cd902ab55871f81
SHA2566614601b55848c48a1fcde37032fd9548c1ed228b81fa67fe81e11916cfa3352
SHA51227630e99df0a8e40f3ff26118480163f1fc10679ecfe11cd1ae7ee7451ea51617cb2d3a8b8cd91f8bb92363c314a0104c54d39b304e211cc8dc062be2ab5b769
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe.ignore
Filesize2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize54KB
MD577c613ffadf1f4b2f50d31eeec83af30
SHA176a6bfd488e73630632cc7bd0c9f51d5d0b71b4c
SHA2562a0ead6e9f424cbc26ef8a27c1eed1a3d0e2df6419e7f5f10aa787377a28d7cf
SHA51229c8ae60d195d525650574933bad59b98cf8438d47f33edf80bbdf0c79b32d78f0c0febe69c9c98c156f52219ecd58d7e5e669ae39d912abe53638092ed8b6c3
-
Filesize
333KB
MD5745714d838c4d4f88c6e0db6a434f444
SHA190689ce709bf2464b678c7afa7b1e18f080d52bb
SHA256e35302995dad1d5e4b7147d8763f7262500271cf01eac8edfa896b392ac7139f
SHA51208cbfac0b604530108978c757ad8481c69ed62deac5520777bacee9751f3f260d2c3158609fd723819d8d6626c46b302fe7da7005efc09ab571871ac9d58a0ed
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize70KB
MD5e9b3a59f67febdd7f8fbe68d71c5d0ab
SHA122bd3ec3f8e0be2f317ade9d553acdb3ea11f52e
SHA256bff4de54dacec104e1e63659857ca99d3e9658dcc09d6e1cbf54dc7b22629cbf
SHA51200e95ea600777025a30e23c755522b869320ca445ac5bd74f123306457d0793efa338220cba9d064e5d25cc3dcf19d66e4e48d3a1c72d196eeb77fb61e4b0688
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize50KB
MD55bb0687e2384644ea48f688d7e75377b
SHA144e4651a52517570894cfec764ec790263b88c4a
SHA256963a4c7863beae55b1058f10f38b5f0d026496c28c78246230d992fd7b19b70a
SHA512260b661f52287af95c5033b0a03ac2e182211d165cadb7c4a19e5a8ca765e76fc84b0daf298c3eccb4904504a204194a9bf2547fc91039c3ec2d41f9977ff650
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Filesize32KB
MD52ec1d28706b9713026e8c6814e231d7c
SHA17ef12a01182d28a5ebf049cc1cb80619cd1e391a
SHA256c9514bf67df87ac6cc1002f3585d5b6f7d4093a7a794d524fa8c635f052733de
SHA5129e23588dc6d721f42e309974c3f3089f845f10d1dee87fb26213ba3810ee3c272d758632cf1c9157f6862ba0e582afc49c1ee51540461f41840650f216f35aeb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize59KB
MD526c25e48b69eb8df7d6cea01fd66f3df
SHA1d70e92a8b8d358c7a2e200b11e23703cf43d93e9
SHA256f6da2cc4a4ca0a4cff92a2c9f61e546255bfe9d02eb1087a033b1a45e06fec87
SHA5126414db6ba626fe4b39155052638a15707cf60836056560fceeb5a1ea8faee1bee830840900f1635ff5a0ce1d271f73062660bd0ec582815e0bc56f4997a45feb
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
218B
MD58ad10c450a7daf3dcf6e53781c229c56
SHA11b23454c687fa16b0a1da8411e299aa5a142a5ec
SHA256d2e11c6bf4d9bfb8ab00141bbb8fc11578fe874c945f9bf7dfe824e82a4e84c8
SHA512147efef2f63ea9a1166c281041e4295f8fb79b49705a6248812e26e8076421a22d1fcc43f87413e6c2bffca90d1d1bc8ae8399147baf76a7a7e8df880589b2a9
-
Filesize
9KB
MD51ef7574bc4d8b6034935d99ad884f15b
SHA1110709ab33f893737f4b0567f9495ac60c37667c
SHA2560814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize
10KB
MD5f512536173e386121b3ebd22aac41a4e
SHA174ae133215345beaebb7a95f969f34a40dda922a
SHA256a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA5121efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
96KB
MD57cfb0b44268ebf2c5363bdec2b5006f3
SHA19a76c25620cda32e6f0d39266288878ea647341b
SHA25640083b031de47bbfffd401892dc35ad690e9ac020c7c03c8f180d22f7ae1ec23
SHA5123955fbd15bec38988d38c1737e794d4399a38493dff52f3743b318c442d83d9b009e4d7a7e2d3dc614fc42ac0ddef8ea127af5c4ff31136c24be2c8b04419587
-
Filesize
287B
MD5fcad4da5d24f95ebf38031673ddbcdb8
SHA13f68c81b47e6b4aebd08100c97de739c98f57deb
SHA2567e1def23e5ab80fea0688c3f9dbe81c0ab4ec9e7bdbcc0a4f9cd413832755e63
SHA5121694957720b7a2137f5c96874b1eb814725bdba1f60b0106073fa921da00038a532764ec9a5501b6ffb9904ee485ce42ff2a61c41f88b5ff9b0afde93d6f7f3d
-
Filesize
7KB
MD5362ce475f5d1e84641bad999c16727a0
SHA16b613c73acb58d259c6379bd820cca6f785cc812
SHA2561f78f1056761c6ebd8965ed2c06295bafa704b253aff56c492b93151ab642899
SHA5127630e1629cf4abecd9d3ddea58227b232d5c775cb480967762a6a6466be872e1d57123b08a6179fe1cfbc09403117d0f81bc13724f259a1d25c1325f1eac645b
-
Filesize
1.3MB
MD540df7f2a02cdfa70ae76d70d21473428
SHA14baddbc082fdb197c77bc1c232be2881a82a7ec8
SHA256f037309cf6b0174ba282106da31c141e3912486c69c438a53afe7ff589743dc2
SHA5122522483e9d1b9fc20f14ffab3dcb2a9e5735a260e08e7196a05319076ad9b4d7a9fe94b28c52559022f003d2fe55ec5e4abcecb1b11f4000e804dae5b1c0126f
-
Filesize
1.8MB
MD55ed9543e9f5826ead203316ef0a8863d
SHA18235c0e7568ec42d6851c198adc76f006883eb4b
SHA25633583a8e2dcf039382e80bfa855944407bcba71976ec41c52810cb8358f42043
SHA5125b4318ddc6953f31531ee8163463259da5546f1018c0fe671280337751f1c57398a5fd28583afba85e93d70167494b8997c23fee121e67bf2f6fb4ca076e9d9f
-
Filesize
1.1MB
MD59a9b1fd85b5f1dcd568a521399a0d057
SHA134ed149b290a3a94260d889ba50cb286f1795fa6
SHA25688d5a5a4a1b56963d509989b9be1a914afe3e9ee25c2d786328df85da4a7820d
SHA5127c1259dddff406fdaadb236bf4c7dfb734c9da34fd7bad9994839772e298ebf3f19f02eb0655e773ba82702aa9175337ba4416c561dc2cb604d08e271cc74776
-
Filesize
383KB
MD5f6f297c704f4f4c13d50f971daea3b56
SHA1118581c847ea863ff8bca0a38b5469577ac6b227
SHA256a92e1c423c30b6bb4c73f8807890b6020e12cad4143ebf6548d6562cd04f0b4b
SHA512b312447f381d48b68308b68cd841a4274897fe4e4bd5ea3fcdfd598a6926db1ad43443bf7c0b103fdf06e1b511f5ea1b2e8018abc62a39b9b7f2d4be17a7c848
-
Filesize
321KB
MD5d3901e62166e9c42864fe3062cb4d8d5
SHA1c9c19eec0fa04514f2f8b20f075d8f31b78bae70
SHA256dbc0e52e6de93a0567a61c7b1e86daa51fbef725a4a31eef4c9bbff86f43671c
SHA512ae33e57759e573773b9bb79944b09251f0dc4e07cdb8f373ec06963abfc1e6a6326df7f3b5fecf90bd2b060e3cb5a48b913b745cc853ac32d2558a8651c76111
-
Filesize
814KB
MD59b1f97a41bfb95f148868b49460d9d04
SHA1768031d5e877e347a249dfdeab7c725df941324b
SHA25609491858d849212847e4718d6cc8f2b1bc3caa671ceb165cf522290b960262e4
SHA5129c8929a78cb459f519ace48db494d710efd588a19a7dbea84f46d02563cc9615db8aa78a020f08eca6fa2b99473d15c8192a513b4df8073aef595040d8962ae4
-
Filesize
1.2MB
MD5e74d2a16da1ddb7f9c54f72b8a25897c
SHA132379af2dc1c1cb998dc81270b7d6be054f7c1a0
SHA256a0c2f9479b5e3da9d7a213ebc59f1dd983881f4fc47a646ffc0a191e07966f46
SHA51252b8de90dc9ca41388edc9ae637d5b4ce5c872538c87cc3e7d45edcf8eff78b0f5743ab4927490abda1cff38f2a19983b7ccc0fe3f854b0eacca9c9ce28eda75
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini
Filesize11B
MD55eda46a55c61b07029e7202f8cf1781c
SHA1862ee76fc1e20a9cc7bc1920309aa67de42f22d0
SHA25612bf7eb46cb4cb90fae054c798b8fd527f42a5efc8d7833bb4f68414e2383442
SHA5124cf17d20064be9475e45d5f46b4a3400cdb8180e5e375ecac8145d18b34c8fca24432a06aeec937f5bedc7c176f4ee29f4978530be20edbd7fed38966fe989d6
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini
Filesize12B
MD5a6bd887ee94e12d3c42a5d47b4c73826
SHA16b30541a5b528ff8a8befdb5cab0b9dccf4b2491
SHA256643d32f1b400e5cdc5b76067eac006167c07b321d5abd06b30f1a45e9fe2253c
SHA512ec86b4beda8995c13f550ce0f1c60b7bf384f706d37c516a12c6e6d6e0040bc11f72e9af09117d78b46bb799e9e41f4f6b2e78b84c2cf087ac76a1eb94986171
-
Filesize
48KB
MD52d9e4265d02772969dcb3595c7ab5edb
SHA11021ab614fb2ee73885c5b4cef8cee1e11bff8c5
SHA256987504b21dc53a476e3f922f852ba44fc2b659045fed05b796741a4c95cb7dce
SHA512d43d864fb16093cfaff5e53a18af309735d1821c0594eb334495b79c7a612a77232aee4082a058a5dfa49b34d7774d9809a38e1e26a32a9c1739f0420f92e982
-
Filesize
48KB
MD5af360ed19704b663adb7a1f8f8bc808c
SHA1b53fd10c43d8909551ff145e2e8f50707d804f9e
SHA256e1bbe05b47d4b6a3ddb1e006b9989c3bbf2a871b957042631dfafa767b1d12d4
SHA5127b9e38ac5b7f3bc7422ab9879d6bb08b228b8942354202789af600ae9faf24bfb4abc0ce613b43c1a89aec1aeb78f3758def66f95f9344b8126b0662c19143f1
-
Filesize
2.8MB
MD5ab8d85c093d6f0180bf09ec0f466b78b
SHA11daf355d14d45b1e411f96fa394a98a84c09e53e
SHA256d1e08c8dbf3bfc34e3fdfc390d2e7f5b871f95376e7dda93e3dd0051d580db40
SHA5122882292301e1fb85b410570ece6cf05f3e89968a02450dba192a1f97282f1c08ed30819e3d36c524fba3baeb6a2c22a10a762c8313e8823c07554b4b975cc00e
-
Filesize
2.9MB
MD5f39fbf03ca870084bde8bfd5e6e1ec39
SHA100febae56b76f76166fa64a0c0dc746b9feb61e4
SHA2561c2761c31cf551a7b3034618fd0018d1a304bbcb97383d2bb13c47aeb8b23c60
SHA5124c974603fb33e3711dc7f28e4580fef2a197ee1abfcc2c2384e4053c939847fa94b5d27a44ca6ad1fc8799dd80c2cc975c87e55e15902786e4b1e8dbe362bf7a
-
Filesize
1.1MB
MD56c6f85e896655a6eb726482f04c49086
SHA12e0c55cd4894117428b34d21a1d53738fce4b02c
SHA256e109400a93fede90201bbf37c1868c789888bce9d03a4ae5b46c48599939c34e
SHA512b58303c149deffc9e374d5ba42a8a73b7ce890d35f9589fe0b09acec541a21d589d49fa5086b965277fa22dfe308357505124f13a6ff1e0de415ebc40ce61e15
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config
Filesize541B
MD5d0efb0a6d260dbe5d8c91d94b77d7acd
SHA1e33a8c642d2a4b3af77e0c79671eab5200a45613
SHA2567d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102
SHA512a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c
-
Filesize
12B
MD5880d31390a25de6a9cd34463b46c75e6
SHA1837af65938c9606b5de3c6f2195fc3e855554cd7
SHA256425adf50cf113d68bd6aa8dc1015db43422bbc1c977933d5f8c1ecaabf18eb2e
SHA5128e9dd066ff73625a5a55d1ece5ba1e4fb248ab14a32880a3d4d86266176cb4f1c61f8301e1ff49839c283affe877b9fbcd3bc2b9763c08b0b63ba56023c2282b
-
Filesize
670KB
MD596e50bbca30d75af7b8b40acf8dda817
SHA14b1255280dff8de8b7be47def58f83f6ec39ded6
SHA256a3ad00ccb61bc87d58eb7977f68130b78a0b95e74d61e6a4624ac114ccde5736
SHA5120034c08cb878b703f272e3fd2734bb928ff1bdba85cf79a151519b019c83bd4d199c80af0aa30db28ef82f7ee68a9d59dcaede92f83bfe8787f6a5d4d5e9817c
-
Filesize
3.1MB
MD58e70af11d0ee2abe139b40d67e70b73c
SHA118582e88e16255d5d267904bdf0357ec9ff333e0
SHA2565c687adaa48b83de220e8489e0ceb0093be1f94260750c8d94a1b8497781327e
SHA5123a845ed4ab368b0dde7e98d77fb796e9070f6bb9472ea833e52b19eb5bd47260e0b288fd3c8d19235bd9ded6f7b11ea10985ad871c8f5c82751249301d3ee4a6
-
Filesize
12B
MD59a5e9a329e4e73e0c499371205a810db
SHA15b6d85657d4acd89867283fbe372e9e85c30686f
SHA256d109087c4ca318cad74b7560c32594d37181885adbdc9348ba1dd35d47b35b92
SHA51202bd5261b9e795ed5a07badd65a6cf71d18751452fb44bdd424dfcc6c50ba7441e0066b125e731018fd6f1a8a002ac4e6961c7eff21c36fbda58c8015a100c43
-
Filesize
572KB
MD57062f2490fde7624ceab2fac6a996b98
SHA163a355ebf702bd6fb4e10f4353e5dbaa036ff635
SHA256dbf3e40e068c22a995bb917ef51153bf1d4dd06ab8a5bb5486ea017245edbf1c
SHA5125674e823473887669a1d12ecea9f7569633fb885f570b3c7bd8fbb706b214c564a0aaf0bedebd0a61add76582316c7de9a2f5af5b4cd8d04f426d80987f2d7b3
-
Filesize
143KB
MD571026b098f8fb39c88b003df746d9fa0
SHA1013ca259f551ad6f33db53fff0e121e74408e20e
SHA25611058e8c2cd05f30dcf1775644bf19d2913c9a6d674c12f91d1896d95d9cc5c2
SHA5129830be3444225a4b2f9fa4aedbc8af4f45fdb2548f0b6a2eba2a2a407ea3c7d8fd78c0e37fac66cafbdfad781ae78b076d225fd5c836a451f57a54053ccef9ad
-
Filesize
16KB
MD5b2e89027a140a89b6e3eb4e504e93d96
SHA1f3b1b34874b73ae3032decb97ef96a53a654228f
SHA2565f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982
SHA51293fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19
-
Filesize
809B
MD58b6737800745d3b99886d013b3392ac3
SHA1bb94da3f294922d9e8d31879f2d145586a182e19
SHA25686f10504ca147d13a157944f926141fe164a89fa8a71847458bda7102abb6594
SHA512654dda9b645b4900ac6e5bb226494921194dab7de71d75806f645d9b94ed820055914073ef9a5407e468089c0b2ee4d021f03c2ea61e73889b553895e79713df
-
Filesize
12KB
MD5f960e4e449584b7de0ba44c8d7e862e4
SHA10ac8aad5a9d53ba6fac22974f7ddf2cbf74f1e99
SHA256b6a46ce9a7d2d69ad7e88efaf2d6eb5f3a4ce8e7d4dbbe6046aae5502a55a35a
SHA5128d7e495ffaff055f1b849fdf9d0e0ab86116768c7350c734a6508e7fbddab4689fe69b0fb659ce2598d95a6ec5d3db7eb97c92f4c29712bb7d46277439a8c8d7
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD5a92359bcd40ab68df3b2a726b293703e
SHA103af49fbe93ce7312ceb352c712941d1ac5fd2f0
SHA256e61fca89129e6e9eecaafaa8612f1d82efb267b900a8ca27427fa0b32e065c63
SHA512f2f2ff4c354ce68642ec37357e40c28cfc2449bfa9971ffe59c800a50287f8a39b5729a6fb2aaf8f23b9f45ea3e478a9f12dbba0479d93e4c2c598263aa7ce92
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD512d865d718c648c03e5657a02fbd7128
SHA167992668978bbcf0dc94166c3d68fe91adf5a4f7
SHA256605bc5c5942c346edd5a9639cd65d9829c8aa80d06b01dfd1b7c8dfa5fc5f671
SHA51202628a076f36de16e92be4b799074dcc843df16a065313662b163a368b46e9a458388e9e4a5c7deedeb9ea3db9da47ba886fa9be7fb8724c5f6af46a372c4c41
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD57ede1c2319349ee09eef9b918f848ee1
SHA1907bc671d8865713c6c6758ab35d880bc195cd26
SHA2560091300b2b650fad4fdf32c8681ca431aa280403bb7afec50e1e3b2232537c9e
SHA512673710e89af144f22a6a69011341e48681cf2b46ec58fa7ceed13688f3dfa17e5c8ea9f8054cb99c054864ec980fa0acebdb480ce9abf4d1d7a8ec46dcfb5866
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD55ca29b78d84fd3a726f069c885e5ebfe
SHA14fd5bd50523ff34617dd6ed02313f77b0cd39625
SHA256576a0520dc8d4c00940ca0a101a8cabc569bff0b267a1f9d8a38689d92952cae
SHA5126d23577456090a56ff14005e01e852c2499c800476033d8eb815ea640eda1fce5b14cf6c5e959208e9319dd13d770b048b64228d29a20c3cbf0491f6213683cc
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD568223b2e0a49ae2c2ae1647d37c39fac
SHA1ec1e78906ed758e9a46bc41138ce4fb20a5106f6
SHA25677049ea6b1a71cee2b868507e07ea7b04646f8428e1efd2d3fa37f96365db595
SHA5128841a495782e9ccc10e6411aca3dbd14714ab381b121275c21850eb65ad3d0e022180a7fb050b5e572a79519aea8b7afd86e560d19f4e7c9a60f790409004220
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD531f1aba1e22457219038bb22154ad14a
SHA188eb373fb452f0b7e7730d4870f35af75903ac8e
SHA256f2cf9e4babd300a2ffc6fee094ceac29d26b43f5bf781e276eca61f0a758d795
SHA5125c4897e0cedb7f27e02a9b68604d2344367adea389a90b34f4bfe9f90b7b3d41884011fb8dbb7f3ef6d4f6a0d838609806d8f17033b95c56018f57f2a1958589
-
Filesize
651B
MD59bbfe11735bac43a2ed1be18d0655fe2
SHA161141928bb248fd6e9cd5084a9db05a9b980fb3a
SHA256549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74
SHA512a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483
-
Filesize
4.5MB
MD508211c29e0d617a579ffa2c41bde1317
SHA14991dae22d8cdc6ca172ad1846010e3d9e35c301
SHA2563334a7025ff6cd58d38155a8f9b9867f1a2d872964c72776c9bf4c50f51f9621
SHA512d6ae36a09745fdd6d0d508b18eb9f3499a06a7eeafa0834bb47a7004f4b7d54f15fec0d0a45b7e6347a85c8091ca52fe4c679f6f23c3668efe75a660a8ce917f
-
Filesize
60KB
MD5878e361c41c05c0519bfc72c7d6e141c
SHA1432ef61862d3c7a95ab42df36a7caf27d08dc98f
SHA25624de61b5cab2e3495fe8d817fb6e80094662846f976cf38997987270f8bbae40
SHA51259a7cbb9224ee28a0f3d88e5f0c518b248768ff0013189c954a3012463e5c0ba63a7297497131c9c0306332646af935dd3a1acf0d3e4e449351c28ec9f1be1fa
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
219KB
MD5928f4b0fc68501395f93ad524a36148c
SHA1084590b18957ca45b4a0d4576d1cc72966c3ea10
SHA2562bf33a9b9980e44d21d48f04cc6ac4eed4c68f207bd5990b7d3254a310b944ae
SHA5127f2163f651693f9b73a67e90b5c820af060a23502667a5c32c3beb2d6b043f5459f22d61072a744089d622c05502d80f7485e0f86eb6d565ff711d5680512372
-
Filesize
2.9MB
MD56032d2452e05a12f1449182deb3ab258
SHA103a992f9020a003fe86e477ac28698afc16a73d3
SHA256394659c01bd981c3a4d5840fbd624c20e3270c9defc432ff3fe6ddb482b5ad46
SHA5121318d1844efe031d05499e642c9509422a9f92977b8b4c76d38c6c614d81813af4ec927d2dd807e9b7b205ab06ea1800eb4a082f1a89a4e3721a37301165e28d
-
Filesize
26.3MB
MD5b9c6d23462adef092b8a5b7880531b03
SHA19e8c4f7f48d38fb54a93789a583852869c074f2d
SHA2562e23da54aa1ff64de09021ab089c1be6d4a323bdf0d8f46f78b5c6a33df83109
SHA51218623991c5690e516541eaf867f22b3a1a02317392178943143bedc7f7eda5e02e69665c3c4a5fa50ade516a191bbbf16fd71e60f3225f660fb10ebc25cd01a5
-
Filesize
772KB
MD5d73de5788ab129f16afdd990d8e6bfa9
SHA188cb87af50ea4999e2079d9269ce64c8eb1a584e
SHA2564f9ac5a094e9b1b4f0285e6e69c2e914e42dcc184dfe6fe93894f8e03ca6c193
SHA512bfc32f9a20e30045f5207446c6ab6e8ef49a3fd7a5a41491c2242e10fee8efd2f82f81c3ff3bf7681e5e660fde065a315a89d87e9f488c863421fe1d6381ba3b
-
Filesize
12KB
MD58e16d54f986dbe98812fd5ec04d434e8
SHA18bf49fa8e12f801559cc2869365f0b184d7f93fe
SHA2567c772fb24326e90d6e9c60a08495f32f7d5def1c52037d78cbd0436ad70549cd
SHA512e1da797044663ad6362641189fa78116cc4b8e611f9d33c89d6c562f981d5913920acb12a4f7ef6c1871490563470e583910045378bda5c7a13db25f987e9029
-
Filesize
2KB
MD50315a579f5afe989154cb7c6a6376b05
SHA1e352ff670358cf71e0194918dfe47981e9ccbb88
SHA256d10fa136d6ae9a15216202e4dd9f787b3a148213569e438da3bf82b618d8001d
SHA512c7ce8278bc5ee8f8b4738ef8bb2c0a96398b40dc65eea1c28688e772ae0f873624311146f4f4ec8971c91df57983d2d8cdbec1fe98eaa7f9d15a2c159d80e0af
-
Filesize
179KB
MD54dc11547a5fc28ca8f6965fa21573481
SHA1d531b0d8d2f8d49d81a4c17fbaf3bc294845362c
SHA256e9db5cd21c8d709a47fc0cfb2c6ca3bb76a3ed8218bed5dc37948b3f9c7bd99d
SHA512bd0f0a3bbc598480a9b678aa1b35728b2380bf57b195b0249936d0eaaa014f219031a563f486871099bf1c78ccc758f6b25b97cfc5296a73fc60b6caff9877f6
-
Filesize
135KB
MD567ae7b2c36c9c70086b9d41b4515b0a8
SHA1ba735d6a338c8fdfa61c98f328b97bf3e8e48b8b
SHA25679876f242b79269fe0fe3516f2bdb0a1922c86d820ce1dd98500b385511dac69
SHA5124d8320440f3472ee0e9bd489da749a738370970de07b0920b535642723c92de848f4b3d7f898689c817145ce7b08f65128abe91d816827aeb7e5e193d7027078
-
Filesize
119KB
MD5b9b0e9b4d93b18b99ece31a819d71d00
SHA12be1ad570f3ccb2e6f2e2b16d1e0002ca4ec8d9e
SHA2560f1c64c0fa08fe45beac15dc675d3b956525b8f198e92e0ccac21d2a70ce42cf
SHA512465e389806f3b87a544ab8b0b7b49864feeba2eeef4fb51628d40175573ed1ba00b26d6a2abebc74c31369194206ed31d32c68471dddcf817fdd2d26e3da7a53
-
Filesize
10KB
MD562458e58313475c9a3642a392363e359
SHA1e63a3866f20e8c057933ba75d940e5fd2bf62bc6
SHA25685620d87874f27d1aaf1743c0ca47e210c51d9afd0c9381fc0cd8acca3854562
SHA51249fb8ca58aecf97a6ab6b97de7d367accb7c5be76fbcd324af4ce75efe96642e8c488f273c0363250f7a5bcea7f7055242d28fd4b1f130b68a1a5d9a078e7fad
-
Filesize
4KB
MD51cec22ca85e1b5a8615774fca59a420b
SHA1049a651751ef38321a1088af6a47c4380f9293fc
SHA25660a018f46d17b7640fc34587667cd852a16fa8e82f957a69522637f22e5fe5cf
SHA5120f24fe3914aef080a0d109df6cfac548a880947fb85e7490f0d8fa174a606730b29dc8d2ae10525dba4d1ca05ac9b190e4704629b86ac96867188df4ca3168bb
-
Filesize
52KB
MD501e8bc64139d6b74467330b11331858d
SHA1b6421a1d92a791b4d4548ab84f7140f4fc4eb829
SHA256148359a84c637d05c20a58f5038d8b2c5390f99a5a229be8eccbb5f85e969438
SHA5124099e8038d65d95d3f00fd32eba012f55ae16d0da3828e5d689ef32e20352fdfcc278cd6f78536dc7f28fb97d07185e654fe6eee610822ea8d9e9d5af696dff5
-
Filesize
602B
MD57104ef033b2dcacf06fe3f8dc4f5103d
SHA13ee83e848080bbe930a4f6ddf2256e69cc20ea17
SHA25617ab2665cc1f7c7b2b111269c973f3a04080d69dfaef25bf37128ae176069ec3
SHA512551eabc1c05e1cf4dc442b8dc5c0173eff77d96a03e448e55294555f489fb38e549debce8025272d7a4511cb90ced6cfcc9f0b6b493bf069ec4e8999d7b4a6cf
-
Filesize
4KB
MD53b923438f4d6446d49a6f9da234f47d8
SHA1bea36cd9a2cfb9206c1072281577cea7c6d80077
SHA256c4219e7119cc998c8ca194d0bd8e0dbe06b7fb8ada12a85a18c2b1b8a20d1e2f
SHA51287da7385eaf42a21baadab8958f12cd304044d6e0fca8e368c22dc7ee2e2a18e5a5b5814a672cd1f55c394a831899548fde16752fbb0eb6eec84bf80c64c5906
-
Filesize
976B
MD52d272eb92ed96337eacae7888dc33c7a
SHA16ee8ab55d3f106791c15a8c099df868e4501d592
SHA2566a41bb78eb0522d4e8b782018acc0b92825f66fcb0f88442f8e63206b7d6c832
SHA512a71eba4f4ae18372673801de6e11d84b1f8beed7633a1c5b1d33c769fcd36574db0a6a8f0a579cd2b027745b9a94a8a6f765b608167a6fdd335c847b303e74ce
-
Filesize
1KB
MD589f5e230abcb74ea207a8dc36b3290d5
SHA1d632b55c9debba3286254fc6fec9b79daea1592d
SHA256d287106e39b958a89ee121bbd40b3222af58d8e52f604531954b8660665f1a9c
SHA512be68f30ecae0e281c38306711a06e78f02388aaf1d4623b0806cf2df8ab5f80db7dbf550fa1b45f6cf13d27d468bf622a9830ad7f409612b1877b42911ce6d01
-
Filesize
2KB
MD527efd7cd76620bd35b9ec42de78e29d0
SHA1f9409280055bd4fcd3fc2708e56973b11217372e
SHA25641f84d6f8bda5d8a12768bc6a9f1b02a176a61478d020e746b2f1c471b3404c5
SHA512760d6c34c0b5cfae12c57a18cabb191496506b7d4a8262ced34056fde0a9baf2f7ff2c09be9d3a46f45020f09d305648201e3b0a707cfb91562435acc33396d9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5a74e41794022f9c27ba5bc5a9568d143
SHA142823669f522c4a6fe7e7ce6e6b8fdb10ba4511f
SHA2565d715b48c9f13e3b5b5c0bd8c7ce0807974c5cbf286c9ff2f2fd5c791608ec48
SHA512dcea69b3214c1780adf34891d3fbb41b15696c41bb6deea4ce6ac870046c02bdb6f972586260f0c31f3263309585dd9218539071be6a4575965fba6e0e792f3c
-
Filesize
4KB
MD598f5d00e8334a5022808c8f7dfbba64b
SHA17a3dc94862284746bb9d9699a99958539531d832
SHA2566e873ae7bdb62baded042be6d56c6b71a53a543e4ce6d4ee1e15785b578ab4ba
SHA512d63733aac7239c972a521c22e995142a26bc033520491a68c878bfade004f85fc46670b4af077b5e7da0a6cf4726a2b7799c1f99f6e03700c17ea559ace614ce
-
Filesize
3.2MB
MD52c18826adf72365827f780b2a1d5ea75
SHA1a85b5eae6eba4af001d03996f48d97f7791e36eb
SHA256ae06a5a23b6c61d250e8c28534ed0ffa8cc0c69b891c670ffaf54a43a9bf43be
SHA512474fce1ec243b9f63ea3d427eb1117ad2ebc5a122f64853c5015193e6727ffc8083c5938117b66e572da3739fd0a86cd5bc118f374c690fa7a5fe9f0c071c167
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
607KB
MD5669de3ab32955e69decfe13a3c89891e
SHA1ab2e90613c8b9261f022348ca11952a29f9b2c73
SHA2562240e6318171b3cddcee6a801488f59145c1f54ca123068c2a73564535954677
SHA512be5d737a7d25cc779736b60b1ea59982593f0598e207340219a13fd9572d140cfbcd112e3cf93e3be6085fe284a54d4458563e6f6e4e1cfe7c919685c9ee5442
-
Filesize
571B
MD5d239b8964e37974225ad69d78a0a8275
SHA1cf208e98a6f11d1807cd84ca61504ad783471679
SHA2560ce4b4c69344a2d099dd6ca99e44801542fa2011b5505dd9760f023570049b73
SHA51288eb06ae80070203cb7303a790ba0e8a63c503740ca6e7d70002a1071c89b640f9b43f376ddc3c9d6ee29bae0881f736fa71e677591416980b0a526b27ee41e8
-
Filesize
182KB
MD599bbffd900115fe8672c73fb1a48a604
SHA18f587395fa6b954affef337c70781ce00913950e
SHA25657ceff2d980d9224c53a910a6f9e06475dc170f42a0070ae4934868ccd13d2dc
SHA512d578b1931a8daa1ef0f0238639a0c1509255480b5dbd464c639b4031832e2e7537f003c646d7bd65b75e721a7ad584254b4dfa7efc41cf6c8fbd6b72d679eeff
-
Filesize
179KB
MD57a1c100df8065815dc34c05abc0c13de
SHA13c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize
345KB
MD50376dd5b7e37985ea50e693dc212094c
SHA102859394164c33924907b85ab0aaddc628c31bf1
SHA256c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415
SHA51269d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5
-
Filesize
427KB
MD585315ad538fa5af8162f1cd2fce1c99d
SHA131c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA25670735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize
1.8MB
MD5befe2ef369d12f83c72c5f2f7069dd87
SHA1b89c7f6da1241ed98015dc347e70322832bcbe50
SHA2569652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD5c0cf1dba229c922aaf132f876df2ec76
SHA138e01ff3a57f93fa28b24187db71f179f2e20acc
SHA256f29b0cfe28a93032ef8b04e940df5f71e42de49f05c554d20a2d3b062d5b2556
SHA512e9b9ea5a63b252300baaf33dca154c67be0fc64d80f2eda8e9ade8489d1775e3b26da33916677e305d8297de6025d41fbafbaeb57982dceead51a76f9175d950
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD5c56e56b42343c59182a94f4474a1d5cd
SHA108111e5b5f445c2ec756a29b89045f10086e83fe
SHA256b85f4f5948e66028b9a36c70ef6acd631e89980637fd3560ac45ea221a11b0be
SHA512790eb98ddb84c4c97709f5294481ba67361681bd99cbd7c1c599608f563a42d4f11fc77d0428fea5edae4bfd96aaa0d06d52ba4a2fb84121317c01f37fe9938f