Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20250129-en -
resource tags
arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system -
submitted
05/02/2025, 11:54
Behavioral task
behavioral1
Sample
NF_e.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
NF_e.msi
Resource
win10v2004-20250129-en
General
-
Target
NF_e.msi
-
Size
2.9MB
-
MD5
73f95f387f28c4076c731baaf9e0aa2f
-
SHA1
7ad11a552545d11065bf318a6d631a1c4c441fd4
-
SHA256
60a7462362c166a19f7b21254568c90c3d4ef5d27b624f68254180c0d4e01e3b
-
SHA512
f5a1c75f1c6c56319787c458e12b9059252e4ee4c2f9c5e8b6269a03c559cdb85669581443ab434948f5378c8dd7ccd0ae2922cfe1ea6388f13b8fd087c714a9
-
SSDEEP
49152:m+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:m+lUlz9FKbsodq0YaH7ZPxMb8tT
Malware Config
Signatures
-
AteraAgent
AteraAgent is a remote monitoring and management tool.
-
Ateraagent family
-
Detects AteraAgent 1 IoCs
resource yara_rule behavioral2/files/0x000500000001e727-236.dat family_ateraagent -
Blocklisted process makes network request 5 IoCs
flow pid Process 2 4072 msiexec.exe 5 4072 msiexec.exe 40 2196 rundll32.exe 45 4848 rundll32.exe 154 1700 MsiExec.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e883dae5-a63d-4a45-afb9-257f64d5a59b} = "\"C:\\ProgramData\\Package Cache\\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\\dotnet-runtime-8.0.11-win-x64.exe\" /burn.runonce" dotnet-runtime-8.0.11-win-x64.exe -
Downloads MZ/PE file 2 IoCs
flow pid Process 126 3396 AgentPackageRuntimeInstaller.exe 135 4648 AgentPackageSTRemote.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\E: msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 AgentPackageMonitoring.exe -
Drops file in System32 directory 39 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E MsiExec.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log AgentPackageOsUpdates.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTicketing.exe.log AgentPackageTicketing.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log AgentPackageRuntimeInstaller.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageProgramManagement.exe.log AgentPackageProgramManagement.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File created C:\Windows\system32\SRCB177.tmp MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log powershell.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 MsiExec.exe File opened for modification C:\Windows\system32\SRCredentialProvider.dll MsiExec.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log AgentPackageMonitoring.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log AgentPackageInternalPoller.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache MsiExec.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content MsiExec.exe File opened for modification C:\Windows\system32\InstallUtil.InstallLog AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log AgentPackageAgentInformation.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log AgentPackageSystemTools.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E MsiExec.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log AgentPackageMarketplace.exe File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData MsiExec.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944 AteraAgent.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506 AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log AgentPackageHeartbeat.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC AteraAgent.exe File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log AgentPackageADRemote.exe -
Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ValueTuple.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config AgentPackageProgramManagement.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver64.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\hidkmdf.sys msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Text.Encoding.Extensions.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.Tasks.Parallel.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\zh-CN\Microsoft.Win32.TaskScheduler.resources.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Logging.Debug.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\UnInstall-ChocolateyZipPackage.ps1 AgentPackageProgramManagement.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Principal.Windows.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.ini AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\Microsoft.Win32.Primitives.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\NLog.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Windows.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Resources.Reader.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSocketCtrl.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxyumd.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Private.Xml.Linq.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\x86\SQLite.Interop.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Threading.ThreadPool.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Hosting.Abstractions.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.WebHeaderCollection.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\fips.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\stprinter.cat msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Data.DataSetExtensions.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\uninstall_driver64.bat msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe AteraAgent.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.IO.FileSystem.Primitives.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.ThreadPool.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\uninstall_driver64.bat msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Polly.dll AteraAgent.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.XmlSerializer.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Handles.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Numerics.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Globalization.Calendars.dll msiexec.exe File opened for modification C:\Program Files\dotnet\LICENSE.txt msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x86\lci_proxyumd32.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdnup.gpd msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\pl\Microsoft.Win32.TaskScheduler.resources.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Hosting.dll AteraAgent.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Install-ChocolateyExplorerMenuItem.ps1 AgentPackageProgramManagement.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\Microsoft.Win32.Primitives.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stmirror.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Runtime.Serialization.Formatters.dll msiexec.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Security.Cryptography.Encoding.dll msiexec.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\BouncyCastle.Crypto.dll msiexec.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Collections.Concurrent.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Net.Ping.dll AteraAgent.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Resources.Writer.dll AteraAgent.exe File created C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp\setupdrv.exe msiexec.exe File opened for modification C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\helpers\functions\Get-WebHeaders.ps1 AgentPackageProgramManagement.exe File created C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\snmp.cfg AgentPackageInternalPoller.exe File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Globalization.Extensions.dll msiexec.exe -
Drops file in Windows directory 64 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIBD83.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIBD83.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIA3C1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBD83.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC024.tmp msiexec.exe File created C:\Windows\Installer\e57bcca.msi msiexec.exe File created C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678} msiexec.exe File opened for modification C:\Windows\Installer\MSIC0D1.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57bcd0.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI51FB.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57bcd5.msi msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0 msiexec.exe File opened for modification C:\Windows\Installer\MSIC69E.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID6C0.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSID6C0.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\SourceHash{9C80213E-9079-4561-8D57-1FDD0D62251F} msiexec.exe File created C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\e57bccb.msi msiexec.exe File created C:\Windows\Installer\e57bccf.msi msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\CacheSize.txt msiexec.exe File created C:\Windows\Installer\e57bce0.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIC8B3.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID6C0.tmp-\System.Management.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI5952.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC69E.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC8B2.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4006.tmp msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795 msiexec.exe File opened for modification C:\Windows\Installer\MSI9538.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID6C0.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File created C:\Windows\Installer\e57bcd0.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI56BF.tmp msiexec.exe File created C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\CacheSize.txt msiexec.exe File opened for modification C:\Windows\Installer\MSIC990.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSID6C0.tmp msiexec.exe File created C:\Windows\Installer\e57bcda.msi msiexec.exe File opened for modification C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe msiexec.exe File opened for modification C:\Windows\Installer\MSIA100.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIAAD6.tmp msiexec.exe File created C:\Windows\Installer\e57bcc8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSID6C0.tmp-\AlphaControlAgentInstallation.dll rundll32.exe File opened for modification C:\Windows\Installer\MSI3EFB.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI57BA.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI943D.tmp msiexec.exe File created C:\Windows\Installer\e57bce4.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIAB54.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC45C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIBD83.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSIC024.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC69E.tmp-\CustomAction.config rundll32.exe File created C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795\fileCoreHostExe msiexec.exe File opened for modification C:\Windows\Installer\e57bce0.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIC024.tmp-\CustomAction.config rundll32.exe File opened for modification C:\Windows\Installer\MSI4C6B.tmp msiexec.exe File opened for modification C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795\fileCoreHostExe msiexec.exe File opened for modification C:\Windows\Installer\MSI5A9C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI59A1.tmp msiexec.exe File opened for modification C:\Windows\Installer\e57bcc8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIC024.tmp-\Newtonsoft.Json.dll rundll32.exe File opened for modification C:\Windows\Installer\MSIC69E.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIC69E.tmp-\Microsoft.Deployment.WindowsInstaller.dll rundll32.exe File opened for modification C:\Windows\Installer\ msiexec.exe -
Executes dropped EXE 64 IoCs
pid Process 1100 AteraAgent.exe 116 AteraAgent.exe 436 AgentPackageAgentInformation.exe 380 AgentPackageAgentInformation.exe 2168 AgentPackageAgentInformation.exe 4820 AgentPackageAgentInformation.exe 392 AteraAgent.exe 212 AgentPackageMonitoring.exe 1756 AgentPackageAgentInformation.exe 4676 AgentPackageTicketing.exe 1256 AgentPackageInternalPoller.exe 3632 AgentPackageHeartbeat.exe 1000 AgentPackageOsUpdates.exe 4840 AgentPackageMarketplace.exe 1048 Agent.Package.Watchdog.exe 2296 Agent.Package.Availability.exe 2348 AgentPackageMonitoring.exe 368 AgentPackageSystemTools.exe 4648 AgentPackageSTRemote.exe 3284 AgentPackageProgramManagement.exe 1832 AgentPackageADRemote.exe 3396 AgentPackageRuntimeInstaller.exe 5072 AgentPackageUpgradeAgent.exe 1184 8-0-11.exe 2076 8-0-11.exe 1780 dotnet-runtime-8.0.11-win-x64.exe 1980 dotnet.exe 2572 dotnet.exe 620 AgentPackageHeartbeat.exe 1728 SplashtopStreamer.exe 2564 PreVerCheck.exe 212 _is9560.exe 4996 _is9560.exe 2908 _is9560.exe 3888 _is9560.exe 1116 _is9560.exe 3396 _is9560.exe 1600 _is9560.exe 4856 _is9560.exe 2504 _is9560.exe 4360 _is9560.exe 264 _isA119.exe 1168 _isA119.exe 692 _isA119.exe 3428 _isA119.exe 1952 _isA119.exe 3236 _isA119.exe 244 _isA119.exe 2076 _isA119.exe 2936 _isA119.exe 3608 _isA119.exe 3708 _isAC94.exe 1904 _isAC94.exe 1740 _isAC94.exe 4432 _isAC94.exe 3928 _isAC94.exe 4544 _isAC94.exe 436 _isAC94.exe 380 _isAC94.exe 2040 _isAC94.exe 3236 _isAC94.exe 2568 SetupUtil.exe 3648 SetupUtil.exe 4468 SetupUtil.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
pid Process 3632 sc.exe 436 sc.exe -
Loads dropped DLL 64 IoCs
pid Process 1692 MsiExec.exe 4856 rundll32.exe 4856 rundll32.exe 4856 rundll32.exe 4856 rundll32.exe 4856 rundll32.exe 1692 MsiExec.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 2196 rundll32.exe 1692 MsiExec.exe 2296 rundll32.exe 2296 rundll32.exe 2296 rundll32.exe 2296 rundll32.exe 2296 rundll32.exe 1692 MsiExec.exe 4312 MsiExec.exe 4312 MsiExec.exe 1692 MsiExec.exe 4848 rundll32.exe 4848 rundll32.exe 4848 rundll32.exe 4848 rundll32.exe 4848 rundll32.exe 4848 rundll32.exe 4848 rundll32.exe 212 AgentPackageMonitoring.exe 2348 AgentPackageMonitoring.exe 2076 8-0-11.exe 4144 MsiExec.exe 4144 MsiExec.exe 1256 MsiExec.exe 1256 MsiExec.exe 692 MsiExec.exe 692 MsiExec.exe 692 MsiExec.exe 692 MsiExec.exe 1980 dotnet.exe 2572 dotnet.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe 1700 MsiExec.exe -
pid Process 2336 powershell.exe 3608 powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 4072 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 53 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRSelfSignCertUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8-0-11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dotnet-runtime-8.0.11-win-x64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PreVerCheck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAppPB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8-0-11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashtopStreamer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRServer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRFeature.exe -
System Time Discovery 1 TTPs 9 IoCs
Adversary may gather the system time and/or time zone settings from a local or remote system.
pid Process 4856 dotnet.exe 4040 dotnet.exe 2076 8-0-11.exe 1780 dotnet-runtime-8.0.11-win-x64.exe 3848 cmd.exe 1980 dotnet.exe 2392 cmd.exe 3184 cmd.exe 2572 dotnet.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002010d5335a65183a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002010d5330000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002010d533000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2010d533000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002010d53300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe -
Kills process with taskkill 11 IoCs
pid Process 2572 taskkill.exe 4544 taskkill.exe 5096 taskkill.exe 1076 taskkill.exe 4804 taskkill.exe 2020 taskkill.exe 2016 taskkill.exe 2040 taskkill.exe 2168 taskkill.exe 1468 TaskKill.exe 1388 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageMonitoring.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\Location Awareness SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs SRManager.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" SetupUtil.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" powershell.exe -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\Dependents dotnet-runtime-8.0.11-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\DisplayName = "Microsoft .NET Runtime - 8.0.11 (x64)" dotnet-runtime-8.0.11-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\ = "URL:ait Protocol" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6DA04985925EAF493E05C325D562007 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\DeploymentFlags = "3" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63337BB296F4141479799EDBF63E89A0\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64 dotnet-runtime-8.0.11-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{9C80213E-9079-4561-8D57-1FDD0D62251F}v64.44.23191\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F11C95FF37DB254D8D1C8338BD25870\MainFeature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64\Version = "64.44.23191" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\SourceList\PackageName = "dotnet-host-8.0.11-win-x64.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\SourceList\Media msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Version = "64.44.23191" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F11C95FF37DB254D8D1C8338BD25870\Provider msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\ = "SRCredentialProvider" SRService.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\InstanceType = "0" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\ProductName = "Microsoft .NET Host FX Resolver - 8.0.11 (x64)" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E31208C997091654D875F1DDD02652F1\MainFeature msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D0D4B2638348AD44682BEF4CE400F0AC\MainFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductName = "Splashtop Streamer" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open\command\ = "\"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe\" \"%1\"" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\DefaultIcon MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\PackageCode = "4B43BFF14B20EEE4CA4A4249A1E8ED5E" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32 MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\unpack\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait AgentPackageTicketing.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63337BB296F4141479799EDBF63E89A0 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\1 = "DISK1;1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe -a %1" MsiExec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\Language = "1033" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\Version = "64.44.23191" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4314D9BC1755DB976919CB1686BE4BF0\0F11C95FF37DB254D8D1C8338BD25870 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\Dependents\{e883dae5-a63d-4a45-afb9-257f64d5a59b} dotnet-runtime-8.0.11-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\Dependents dotnet-runtime-8.0.11-win-x64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\D881F2EC0135A4B72CA89D27FD72F577\D0D4B2638348AD44682BEF4CE400F0AC msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon AgentPackageTicketing.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} SRService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "C:\\Windows\\system32\\SRCredentialProvider.dll" SRService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{362B4D0D-8438-44DA-86B2-FEC44E000FCA}v64.44.23191\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductIcon = "C:\\Windows\\Installer\\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\\ARPPRODUCTICON.exe" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\InstanceType = "0" msiexec.exe -
Modifies system certificate store 2 TTPs 5 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 432 msiexec.exe 432 msiexec.exe 116 AteraAgent.exe 436 AgentPackageAgentInformation.exe 380 AgentPackageAgentInformation.exe 380 AgentPackageAgentInformation.exe 2168 AgentPackageAgentInformation.exe 2336 powershell.exe 2336 powershell.exe 116 AteraAgent.exe 116 AteraAgent.exe 116 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 392 AteraAgent.exe 1756 AgentPackageAgentInformation.exe 3608 powershell.exe 3608 powershell.exe 4676 AgentPackageTicketing.exe 4676 AgentPackageTicketing.exe 1256 AgentPackageInternalPoller.exe 1256 AgentPackageInternalPoller.exe 2296 Agent.Package.Availability.exe 4676 AgentPackageTicketing.exe 4676 AgentPackageTicketing.exe 4676 AgentPackageTicketing.exe 4676 AgentPackageTicketing.exe 3284 AgentPackageProgramManagement.exe 3284 AgentPackageProgramManagement.exe 2348 AgentPackageMonitoring.exe 2348 AgentPackageMonitoring.exe 5072 AgentPackageUpgradeAgent.exe 5072 AgentPackageUpgradeAgent.exe 4648 AgentPackageSTRemote.exe 4648 AgentPackageSTRemote.exe 3396 AgentPackageRuntimeInstaller.exe 3396 AgentPackageRuntimeInstaller.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 4072 msiexec.exe Token: SeIncreaseQuotaPrivilege 4072 msiexec.exe Token: SeSecurityPrivilege 432 msiexec.exe Token: SeCreateTokenPrivilege 4072 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4072 msiexec.exe Token: SeLockMemoryPrivilege 4072 msiexec.exe Token: SeIncreaseQuotaPrivilege 4072 msiexec.exe Token: SeMachineAccountPrivilege 4072 msiexec.exe Token: SeTcbPrivilege 4072 msiexec.exe Token: SeSecurityPrivilege 4072 msiexec.exe Token: SeTakeOwnershipPrivilege 4072 msiexec.exe Token: SeLoadDriverPrivilege 4072 msiexec.exe Token: SeSystemProfilePrivilege 4072 msiexec.exe Token: SeSystemtimePrivilege 4072 msiexec.exe Token: SeProfSingleProcessPrivilege 4072 msiexec.exe Token: SeIncBasePriorityPrivilege 4072 msiexec.exe Token: SeCreatePagefilePrivilege 4072 msiexec.exe Token: SeCreatePermanentPrivilege 4072 msiexec.exe Token: SeBackupPrivilege 4072 msiexec.exe Token: SeRestorePrivilege 4072 msiexec.exe Token: SeShutdownPrivilege 4072 msiexec.exe Token: SeDebugPrivilege 4072 msiexec.exe Token: SeAuditPrivilege 4072 msiexec.exe Token: SeSystemEnvironmentPrivilege 4072 msiexec.exe Token: SeChangeNotifyPrivilege 4072 msiexec.exe Token: SeRemoteShutdownPrivilege 4072 msiexec.exe Token: SeUndockPrivilege 4072 msiexec.exe Token: SeSyncAgentPrivilege 4072 msiexec.exe Token: SeEnableDelegationPrivilege 4072 msiexec.exe Token: SeManageVolumePrivilege 4072 msiexec.exe Token: SeImpersonatePrivilege 4072 msiexec.exe Token: SeCreateGlobalPrivilege 4072 msiexec.exe Token: SeBackupPrivilege 1524 vssvc.exe Token: SeRestorePrivilege 1524 vssvc.exe Token: SeAuditPrivilege 1524 vssvc.exe Token: SeBackupPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeDebugPrivilege 2196 rundll32.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeDebugPrivilege 1468 TaskKill.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe Token: SeTakeOwnershipPrivilege 432 msiexec.exe Token: SeRestorePrivilege 432 msiexec.exe -
Suspicious use of FindShellTrayWindow 3 IoCs
pid Process 4072 msiexec.exe 4072 msiexec.exe 4224 SRServer.exe -
Suspicious use of SetWindowsHookEx 5 IoCs
pid Process 1728 SplashtopStreamer.exe 4224 SRServer.exe 4224 SRServer.exe 3024 SRAppPB.exe 3024 SRAppPB.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 432 wrote to memory of 60 432 msiexec.exe 93 PID 432 wrote to memory of 60 432 msiexec.exe 93 PID 432 wrote to memory of 1692 432 msiexec.exe 95 PID 432 wrote to memory of 1692 432 msiexec.exe 95 PID 432 wrote to memory of 1692 432 msiexec.exe 95 PID 1692 wrote to memory of 4856 1692 MsiExec.exe 96 PID 1692 wrote to memory of 4856 1692 MsiExec.exe 96 PID 1692 wrote to memory of 4856 1692 MsiExec.exe 96 PID 1692 wrote to memory of 2196 1692 MsiExec.exe 99 PID 1692 wrote to memory of 2196 1692 MsiExec.exe 99 PID 1692 wrote to memory of 2196 1692 MsiExec.exe 99 PID 1692 wrote to memory of 2296 1692 MsiExec.exe 101 PID 1692 wrote to memory of 2296 1692 MsiExec.exe 101 PID 1692 wrote to memory of 2296 1692 MsiExec.exe 101 PID 432 wrote to memory of 4312 432 msiexec.exe 104 PID 432 wrote to memory of 4312 432 msiexec.exe 104 PID 432 wrote to memory of 4312 432 msiexec.exe 104 PID 4312 wrote to memory of 4772 4312 MsiExec.exe 105 PID 4312 wrote to memory of 4772 4312 MsiExec.exe 105 PID 4312 wrote to memory of 4772 4312 MsiExec.exe 105 PID 4772 wrote to memory of 2488 4772 NET.exe 107 PID 4772 wrote to memory of 2488 4772 NET.exe 107 PID 4772 wrote to memory of 2488 4772 NET.exe 107 PID 4312 wrote to memory of 1468 4312 MsiExec.exe 108 PID 4312 wrote to memory of 1468 4312 MsiExec.exe 108 PID 4312 wrote to memory of 1468 4312 MsiExec.exe 108 PID 432 wrote to memory of 1100 432 msiexec.exe 110 PID 432 wrote to memory of 1100 432 msiexec.exe 110 PID 1692 wrote to memory of 4848 1692 MsiExec.exe 113 PID 1692 wrote to memory of 4848 1692 MsiExec.exe 113 PID 1692 wrote to memory of 4848 1692 MsiExec.exe 113 PID 116 wrote to memory of 3632 116 AteraAgent.exe 114 PID 116 wrote to memory of 3632 116 AteraAgent.exe 114 PID 116 wrote to memory of 436 116 AteraAgent.exe 121 PID 116 wrote to memory of 436 116 AteraAgent.exe 121 PID 116 wrote to memory of 380 116 AteraAgent.exe 123 PID 116 wrote to memory of 380 116 AteraAgent.exe 123 PID 116 wrote to memory of 2168 116 AteraAgent.exe 126 PID 116 wrote to memory of 2168 116 AteraAgent.exe 126 PID 2168 wrote to memory of 2336 2168 AgentPackageAgentInformation.exe 129 PID 2168 wrote to memory of 2336 2168 AgentPackageAgentInformation.exe 129 PID 2168 wrote to memory of 3692 2168 AgentPackageAgentInformation.exe 131 PID 2168 wrote to memory of 3692 2168 AgentPackageAgentInformation.exe 131 PID 3692 wrote to memory of 4032 3692 cmd.exe 133 PID 3692 wrote to memory of 4032 3692 cmd.exe 133 PID 116 wrote to memory of 4820 116 AteraAgent.exe 141 PID 116 wrote to memory of 4820 116 AteraAgent.exe 141 PID 392 wrote to memory of 436 392 AteraAgent.exe 144 PID 392 wrote to memory of 436 392 AteraAgent.exe 144 PID 116 wrote to memory of 212 116 AteraAgent.exe 147 PID 116 wrote to memory of 212 116 AteraAgent.exe 147 PID 392 wrote to memory of 1756 392 AteraAgent.exe 151 PID 392 wrote to memory of 1756 392 AteraAgent.exe 151 PID 1756 wrote to memory of 3608 1756 AgentPackageAgentInformation.exe 154 PID 1756 wrote to memory of 3608 1756 AgentPackageAgentInformation.exe 154 PID 1756 wrote to memory of 2324 1756 AgentPackageAgentInformation.exe 156 PID 1756 wrote to memory of 2324 1756 AgentPackageAgentInformation.exe 156 PID 2324 wrote to memory of 2200 2324 cmd.exe 158 PID 2324 wrote to memory of 2200 2324 cmd.exe 158 PID 392 wrote to memory of 4676 392 AteraAgent.exe 160 PID 392 wrote to memory of 4676 392 AteraAgent.exe 160 PID 392 wrote to memory of 1256 392 AteraAgent.exe 162 PID 392 wrote to memory of 1256 392 AteraAgent.exe 162 PID 392 wrote to memory of 3632 392 AteraAgent.exe 164 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NF_e.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4072
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:432 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:60
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 892545582D33DAF025CE9BD2E2CB72772⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1692 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIBD83.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240631390 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4856
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIC024.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240631859 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2196
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIC69E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240633593 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2296
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID6C0.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240637687 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4848
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 7C22C05E7F895C81BE7F771D1D341129 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4312 -
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4772 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:2488
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1468
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000Q8oX4IAJ" /AgentId="6da213c6-6a90-4218-af25-2c70214af8ee"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:1100
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding D3CA2C72A082E6433A23889EC002E121 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4144
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 3AFD4983E1AC0E5C1E3BD0B1550A4B39 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:1256
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 48E9E4CF7C66F673C71CB09E105B72F1 E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:692
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding A55444B7655A3CEAB139B72E6DD8E737 E Global\MSI00002⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1700 -
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FB03BB40-9B7E-4621-AF13-D857361F01B8}3⤵
- Executes dropped EXE
PID:212
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8776E19F-1EE5-4806-A101-A59ABB382D6E}3⤵
- Executes dropped EXE
PID:4996
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4FA9E5D8-F009-4806-9D0C-E2AEB72FBBD9}3⤵
- Executes dropped EXE
PID:2908
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{16B82CA1-7A7E-493D-B722-3ABEDD088C4D}3⤵
- Executes dropped EXE
PID:3888
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2D70C00-C377-4D31-BC91-1A3AEFEC21EF}3⤵
- Executes dropped EXE
PID:1116
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0DD333C3-F0C6-4F4A-B660-5E35574BF568}3⤵
- Executes dropped EXE
PID:3396
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A50539DD-50CB-4C5E-B640-B9E70FE97AE8}3⤵
- Executes dropped EXE
PID:1600
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91068D11-5FEE-4C07-AE26-A57C2F6EC8A5}3⤵
- Executes dropped EXE
PID:4856
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{35979A94-BC49-4339-BF25-40743E3D9AB7}3⤵
- Executes dropped EXE
PID:2504
-
-
C:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exeC:\Windows\TEMP\{AE3EEC02-5991-4F76-8CC4-E6E208BAFEFD}\_is9560.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{94BD8CFF-071B-433E-8DB6-1606AED20A81}3⤵
- Executes dropped EXE
PID:4360
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4488 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRServer.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1076
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:1744 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRApp.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1388
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2296 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4804
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4044 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2020
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:920 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2016
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2252 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2572
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:1472 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4544
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2248 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2040
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2100 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAudioChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:5096
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2364 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRVirtualDisplay.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2168
-
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2E9176F3-7CBD-4A96-8621-53D3B063B477}3⤵
- Executes dropped EXE
PID:264
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F39D311D-11B3-46E2-9D29-0E510087AB6E}3⤵
- Executes dropped EXE
PID:1168
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BC382286-740E-44CE-B613-B5D194773571}3⤵
- Executes dropped EXE
PID:692
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E043376E-4CF6-446C-A4D0-9D634A1B3EA4}3⤵
- Executes dropped EXE
PID:3428
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC20C02D-ED26-4156-B66B-F438BF908578}3⤵
- Executes dropped EXE
PID:1952
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E0C06E6C-4C4A-40FE-B205-DF79EB0BBCF6}3⤵
- Executes dropped EXE
PID:3236
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7E382B18-D121-47DA-AA6A-46A4FE6E3819}3⤵
- Executes dropped EXE
PID:244
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6B4CF52D-18F4-48FB-B06D-3844462A5E73}3⤵
- Executes dropped EXE
PID:2076
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C9F67D95-21A6-4012-9DFC-A20C2E7C9E78}3⤵
- Executes dropped EXE
PID:2936
-
-
C:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exeC:\Windows\TEMP\{98FAF8A3-5ED7-444A-98F9-D83CEEEF98FA}\_isA119.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{09DE2C83-83AA-44A6-8EA7-81EB6CFAF7A5}3⤵
- Executes dropped EXE
PID:3608
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77C2CDB0-A00F-4DA9-9FFA-8A7AB4944E9D}3⤵
- Executes dropped EXE
PID:3708
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3D44F836-E19C-4AE8-85CF-50F7CBDA4CBC}3⤵
- Executes dropped EXE
PID:1904
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6CE01115-905B-4445-907B-5CBC61AB4443}3⤵
- Executes dropped EXE
PID:1740
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{44331E71-020A-49A1-A668-A0B57DFCB1FA}3⤵
- Executes dropped EXE
PID:4432
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C0510C22-95AD-4FFB-83FA-158FA96FD982}3⤵
- Executes dropped EXE
PID:3928
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{41002552-2652-4FDD-AB74-6B555851A4AF}3⤵
- Executes dropped EXE
PID:4544
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1731907C-5592-4D4F-9C41-5063C669B80F}3⤵
- Executes dropped EXE
PID:436
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1FE8C81F-E1CB-420D-B190-656F6DE3FB1C}3⤵
- Executes dropped EXE
PID:380
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4B59ADAB-C363-488E-8FDB-2275A6A22374}3⤵
- Executes dropped EXE
PID:2040
-
-
C:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exeC:\Windows\TEMP\{54057178-FB10-4154-AEBE-6FA99AE2AA56}\_isAC94.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B1EEE5F-2322-4479-8D4C-7BB111EBEFAA}3⤵
- Executes dropped EXE
PID:3236
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2568
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3648
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:4468 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:2688
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:4328
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g3⤵
- System Location Discovery: System Language Discovery
PID:2912
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BEA4788E-2C0C-4527-BCA4-F63BD02E75D9}3⤵PID:2616
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C8729ED-DE66-4BFD-9DD0-11D509C2477C}3⤵PID:1804
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BE45C701-5601-4E92-AEC2-26688454F4BB}3⤵PID:4644
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F4DAABDF-E8D6-4CE7-85F8-1C8FA65C2975}3⤵PID:4856
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4A65F288-9C85-4C68-83CB-25C790F8ED3A}3⤵PID:4036
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D98839C4-192E-4EF5-ADFF-DA019C3309FE}3⤵PID:4800
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3CBCD88A-C2D7-4AD2-BBA5-9415F201DCE9}3⤵PID:1656
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F3F9C441-5A5E-4BBD-91D9-264557D42856}3⤵PID:2036
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3AEB63F4-111D-4C6A-A596-80E5DD5823A2}3⤵PID:3388
-
-
C:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exeC:\Windows\TEMP\{A7BDAEB7-D56D-4A70-A2F8-B9D5679AAF5C}\_isC108.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A2519CED-3DB4-4B2E-AAC2-8BA2139C8AA4}3⤵PID:1140
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i3⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:3708
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{95045637-EB87-4AD2-B5C8-0C53C1171E84}3⤵PID:380
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{641D163C-BDD7-4B0A-BB1C-B5039758FAF7}3⤵PID:3692
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{ECD94AE8-2668-462F-83D2-C370BE4412C5}3⤵PID:3888
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B3E14EF3-59B0-40E8-8771-22DD42510D40}3⤵PID:1236
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{898DFE50-168B-42A7-AEAA-0D5365B39774}3⤵PID:2908
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0A6BCD4-A1BC-4B7E-A3E6-9F42323B03DF}3⤵PID:2132
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F033E009-C16F-45F1-9EBD-DAED9A9C0702}3⤵PID:4512
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC5D8CC3-6EFB-467F-99F0-9BCFCBC3EFE1}3⤵PID:3772
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B58AA6AE-D237-4611-8CDD-7F661892BD8A}3⤵PID:3192
-
-
C:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exeC:\Windows\TEMP\{0299DFD0-04C9-4D7F-A493-5AC31D249806}\_isC4A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{62B22351-7981-4E7D-9F70-B195C5A18C03}3⤵PID:4360
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r3⤵
- System Location Discovery: System Language Discovery
PID:3700
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1524
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:3632
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "561f03d1-20cf-420b-abd7-475f024fcff2" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Q8oX4IAJ2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:436
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "4ef58f76-d21f-42aa-906d-baabb181a768" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:380
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "b9bb831b-08f3-4816-8f90-636cc41ae787" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000Q8oX4IAJ2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2168 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2336
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:3692 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:4032
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "6f0210f8-22e6-482f-804b-e22c4728bada" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000Q8oX4IAJ2⤵
- Executes dropped EXE
PID:4820
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "3f4c4577-7238-43c2-a14a-52278ea05125" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:212
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:392 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:436
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "cc6f539f-ba0c-482a-bb2a-977eb88e2dbf" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000Q8oX4IAJ2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1756 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:3608
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:2324 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:2200
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "8ce85da2-0a03-4b9c-9f99-eb2b87412610" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4676
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "153b2ae4-2163-41ed-8227-5cce205a4ff4" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1256
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "ec35251e-4b1a-4892-8a70-8dde7b5ff2a4" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:3632
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "87e1f509-7e9f-4e21-b295-0a7c62b09d15" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:1000
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "38970edc-a01e-41f9-9af6-f2dccb8667d4" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:4840
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "a8cee3d7-399e-4af7-aaf6-2d08c9081074" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000Q8oX4IAJ2⤵
- Executes dropped EXE
PID:1048
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "fb893ce8-082e-47d8-8fa6-621ae0b6c872" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000Q8oX4IAJ2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2296
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "cf90c55d-9dc0-4ec8-9b8d-6e271d8aacd4" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000Q8oX4IAJ2⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:2348
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "3e5c36cd-a283-4b78-8cec-5e1a51b64a1e" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:368
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "b07f4181-9737-471c-b4f3-92db3c94c05c" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000Q8oX4IAJ2⤵
- Downloads MZ/PE file
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4648 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1728 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2564 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵
- System Location Discovery: System Language Discovery
PID:1280
-
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=d4e325be084120e4f479c3d104036e01&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:1448
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "0bbfaad0-c065-44bd-9223-0a10b653e093" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3284
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "ec2fd597-b93a-4701-b42e-f3aa569951aa" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000Q8oX4IAJ2⤵
- Drops file in System32 directory
- Executes dropped EXE
PID:1832
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "ac3590bd-8a7a-40f4-99cb-2de4c8e9e64c" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiOC4wLjExIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU1ZWIyYTQ5LTI1MjMtNDAyZS1iNjIzLTdhOTAxN2I4YmRlZi84Y2NkNDBhMjEzZWMyOTY0YWY0MTlmOWY3MjI2MzAyNy9kb3RuZXQtcnVudGltZS04LjAuMTEtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8zZjkyNmRkMi1kMjM0LTQzN2EtOGY2YS1lYTZkNzdjMzY4NGMvM2U4MzZhMzQ1YjEzNjA5MTcxM2E3NjliODdmMzQ5OTMvZG90bmV0LXJ1bnRpbWUtOC4wLjExLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzljZjYyYmI3LTAyZmEtNDA3Mi1iNzY1LTVlMDRhZDA4OTc4OC8zZjM0ZGQ1NjU5Zjk5MTcyYWVhN2M0Y2M5ZGM3YTk3NS9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci81M2U5ZTQxYy1iMzYyLTQ1OTgtOTk4NS00NWY5ODk1MTgwMTYvNTNjNWUxOTE5YmEyZmUyMzI3M2YyYWJhZmY2NTU5NWIvZG90bmV0LXJ1bnRpbWUtOC4wLjExLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E4ZDFhNDg5LTYwZDYtNGU2My05M2VlLWFiOWM0NGQ3OGIwZC81NTE5Zjk5ZmY1MGRlNmUwOTZiYjFkMjY2ZGQwZTY2Ny9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6Im1kZUhHZFVWTllIM21IcW1FMGJMaG5mNUpqNWNVaUZvdHFVSUk3bXltVEZKTXkwYzNvNWZ2YlFJSFx1MDAyQlU4bHA2QVdWZllPeS9wbXFLREpZZ3lTN3gyNEE9PSIsIk1hY1g2NENoZWNrc3VtIjoiTUdaVmR6Z0xqbjlIWmFZU21OWi9oMDZibVNRWS9ZSVJQeTdhQzNkM0kveWtLTFx1MDAyQkNubmUweUtQd1h5TW9pSHpONEtqWGZIeGdwcW0wWHJuaDlNSE04Zz09IiwiV2luQVJNQ2hlY2tzdW0iOiJWMEs0bVZwbFx1MDAyQjkxd0FYMWlZWEZyV2EyTTdORldYSjAvT29KSjMzQklWRlV1WXRzSE14TUsydWxnaTdcdTAwMkJQc1QwY1paeFBORDlhZ2t0dWZXRnZwMDl0b1E9PSIsIldpblg2NENoZWNrc3VtIjoiM05UbUVqazRubEg2Tm5ra1RmS2N1L1E5M1FNRlZHUjUxa3hlSGFQQTlESXZZS0N2VmpkYUxUNEpVY2x6VkcyL2djQW1pXHUwMDJCVXlrYXJkV2piR1hEXHUwMDJCUUh3PT0iLCJXaW5YODZDaGVja3N1bSI6InREanNWcmljT3g4RkJ1TEFzUjFVTXd4d2tQUktLOHhVdURSVVQ0L0E1b3NrdjVKdE03UzFrejBuU2FFMXRzY2JtcDROeDZ3SUNPUmZxRkJINzNlUnF3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000Q8oX4IAJ2⤵
- Downloads MZ/PE file
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3396 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:3184 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:4856
-
-
-
C:\Program Files\dotnet\dotnet.exe"C:\Program Files\dotnet\dotnet" --list-runtimes3⤵
- System Time Discovery
PID:4040
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe" /repair /quiet /norestart3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1184 -
C:\Windows\Temp\{4A669766-70F7-4809-8A97-4001FDA48063}\.cr\8-0-11.exe"C:\Windows\Temp\{4A669766-70F7-4809-8A97-4001FDA48063}\.cr\8-0-11.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe" -burn.filehandle.attached=720 -burn.filehandle.self=724 /repair /quiet /norestart4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:2076 -
C:\Windows\Temp\{78650227-2C66-4C27-9805-364E53717D89}\.be\dotnet-runtime-8.0.11-win-x64.exe"C:\Windows\Temp\{78650227-2C66-4C27-9805-364E53717D89}\.be\dotnet-runtime-8.0.11-win-x64.exe" -q -burn.elevated BurnPipe.{C7DA041A-6338-46BB-B8B9-2A44CFC36CB5} {F732B10D-E403-4C32-AB5F-757D5261A843} 20765⤵
- Adds Run key to start application
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- System Time Discovery
- Modifies registry class
PID:1780
-
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:3848 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Time Discovery
PID:1980
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:2392 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Time Discovery
PID:2572
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "363632a9-4f27-444c-894b-59d27448fd76" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000Q8oX4IAJ2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:5072
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 6da213c6-6a90-4218-af25-2c70214af8ee "ec35251e-4b1a-4892-8a70-8dde7b5ff2a4" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000Q8oX4IAJ2⤵
- Executes dropped EXE
PID:620
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"1⤵
- System Location Discovery: System Language Discovery
PID:2256 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:736 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4224
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- System Location Discovery: System Language Discovery
PID:3888 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v4⤵PID:2612
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:3024
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵
- System Location Discovery: System Language Discovery
PID:2532 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵
- System Location Discovery: System Language Discovery
PID:1968
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Pre-OS Boot
1Bootkit
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Event Triggered Execution
2Component Object Model Hijacking
1Installer Packages
1Defense Evasion
Modify Registry
2Pre-OS Boot
1Bootkit
1Subvert Trust Controls
1Install Root Certificate
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD523f958f10b6e4ee18e378fed172dce07
SHA1b356cade0218b0720aee8e67314589568c46b698
SHA2562a658f7de3453998f84cc5b3201c512267407bcfbe90ba718085c9f67e7f41b8
SHA512d909f5f2cbd14693f0ce3664bf594f831b6dbb228f9d6d4fa15725a1bddfab36848eba97be26be1bda53d0b8905be6e369cb53e3dd8cf27e87ba90994716d7d1
-
Filesize
48KB
MD53ffd31636f177217ee21d0fdece19b78
SHA154900111cef9ec05fd0a73bdf8ad6159decea3fb
SHA256f31b2ad81da9fa41e08ef4a41a0b83aaba02552aeda42604fd4ecd989809e3dc
SHA512312718c75add6a9c8073569eef727be1fbe16fce0737d68aa762d38b8bf8e574de8a764981f8c70cfed2c395009ce9d6ec33d57dacd191f0609ed6512b666f44
-
Filesize
9KB
MD5c3a7df45b5e6c9b0171c9bd5bc6a9577
SHA1cf406f2b1d0850323c4afed9956795bdf75655eb
SHA2565aa915f35501912e06f7d3e2236282a7375c3ef9095b9ddab8a97c3daf17784e
SHA5124a7b45a099f6084a24e5fd69fdc9564a6ba8ecb1d6f814110d77cfd11ed446af6d2908446980671ad8d904722cd74048972e8836dfd8421ce8436edb0f4025f1
-
Filesize
11KB
MD5f557ae4a2961bff9e9e100f7893a96d5
SHA134604212e61d864a87c12fd65195f4e658d028fa
SHA2568e5553f087670f7e0d3c6d9f9c23b4424c68dc7a0d62f9b4f6fcc4a6762060b3
SHA51202ce6290e9c097edb06c3db3dbe47e3a655c9820495ae3e5e1d0cd5357c21efad094b30645a7d85168726cc2a92ecc0e62aa8995b4d1b147e0efc5d5a94a2c94
-
Filesize
8KB
MD52c59ba1f6eee60607fa46866244de747
SHA1453bde51575adb72b917b5e5ba75a020dfa1ded6
SHA2562d986d579384068ce8a897379522d1c4462bc4fbffff03cfa8db75e47a47d90a
SHA512bab60db750c683e8cc5140a9512395c161ecb0369a95736d6ab22a0909ecd858bfdd7ee187d8abce1017e2a5064b29d66a2c55e9ff8d61a8a4543ecd6da5d2f1
-
Filesize
143KB
MD533b4c87f18b4c49114d7a8980241657a
SHA1254c67b915e45ad8584434a4af5e06ca730baa3b
SHA256587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662
SHA51242b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9
-
Filesize
3B
MD521438ef4b9ad4fc266b6129a2f60de29
SHA15eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd
SHA25613bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354
SHA51237436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237
-
Filesize
74KB
MD5cc8790f567d3c3dce71efacebbfd2b51
SHA1575de15d017b4128081df6af78b339f313b0f90c
SHA256193c6aad232ac5b3927574fee0efd2f0b31440fafa14dc6a850b99d2655b5e46
SHA5123eecc76ddfd0af1d844217153019a755eb2ed76bb19e91f7f56ddf9a9481958f8171122149823298806cfd7bc198e8d204c33066d424339550ab5de1618fcbb7
-
Filesize
464B
MD559427e3b746cd6572b26f130782060ea
SHA12a4f4cb36adb4fbc603e7b44e672d43814f2b89d
SHA256266db213745b365e645cbb27cc98283bb9fe30996211e850b100026d3239a512
SHA51269c97ec39d7cdc2cd5ba3d3c9d5858e0159eb4e2b5fe4e7bc69a8d144c4f401d23ba4ce4f28b0fcb9f43da9cb4b8d4ae98ee0049e06c54a50f7b9f8afe85dd32
-
Filesize
142KB
MD5477293f80461713d51a98a24023d45e8
SHA1e9aa4e6c514ee951665a7cd6f0b4a4c49146241d
SHA256a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2
SHA51223f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f
-
Filesize
1KB
MD5b3bb71f9bb4de4236c26578a8fae2dcd
SHA11ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e
SHA256e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2
SHA512fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71
-
Filesize
210KB
MD5c106df1b5b43af3b937ace19d92b42f3
SHA17670fc4b6369e3fb705200050618acaa5213637f
SHA2562b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68
SHA512616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae
-
Filesize
693KB
MD52c4d25b7fbd1adfd4471052fa482af72
SHA1fd6cd773d241b581e3c856f9e6cd06cb31a01407
SHA2562a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7
SHA512f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
Filesize146KB
MD58d477b63bc5a56ae15314bda8dea7a3a
SHA13ca390584cd3e11172a014784e4c968e7cbb18f5
SHA2569eec91cdd39cbb560ad5b1d063df67088f412da4b851ae41e71304fb8a444293
SHA51244e3d91ad96b4cb919c06ccb91d3c3e31165b2412e1d78bfbaca0bee6f0c1a3253b3e3ddf19009cebf12c261a0392f6a0b7091cf8aba1d0cc4c1ed61c1b6dc42
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
Filesize145KB
MD52b9beb2fdbc41afc48d68d32ef41dd08
SHA14a9ea4cf8e02e34ef2dd0ef849ffc0cd9ea6f91c
SHA256977d48979e30a146417937d7e11b26334edec2abddfae1369a9c4348e34857b1
SHA5123e3c3e39ff2df0d1ed769e6c5acba6f7c5d2737d3c426fb4f0e19f3cf6c604707155917584e454a3f208524ed46766b7a3d2d861fa7419f8258c3b6022238e10
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
Filesize51KB
MD53180c705182447f4bcc7ce8e2820b25d
SHA1ad6486557819a33d3f29b18d92b43b11707aae6e
SHA2565b536eda4bff1fdb5b1db4987e66da88c6c0e1d919777623344cd064d5c9ba22
SHA512228149e1915d8375aa93a0aff8c5a1d3417df41b46f5a6d9a7052715dbb93e1e0a034a63f0faad98d4067bcfe86edb5eb1ddf750c341607d33931526c784eb35
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
Filesize12B
MD51e065e191e89cc811ff49c96fa8fa5e6
SHA1bc50ff2a20a8b83683583684fcac640a91689ed4
SHA256d88faf6d47342587ea5fbcaf2ef88fb403f7fcdc08fcab67d4f4f381c237a61e
SHA5125a710e168316c30ca10f7b126e870621f46cca6200e206a9984d144abd11fea045bc475599b18597bbed1e4f00e832d94576837f643b22ffaee56871629290dd
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
Filesize247KB
MD5aa5cf64d575b7544eefd77f256c4dc57
SHA1bd23989db4f9af0aae34d032e817d802c06ca5a9
SHA25679c5afd94d0ffa3519a90e691a6d47f9c2eec93277f7d369aa34e64b171fc920
SHA512774aeb5188c536d556a8c7a0cd3dfd9ab22d7bc0ad13353d11c9153232585da352552a69eb967a741372a99db490df355a5a47696b2ea446582c834c963cfeff
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
Filesize546B
MD5158fb7d9323c6ce69d4fce11486a40a1
SHA129ab26f5728f6ba6f0e5636bf47149bd9851f532
SHA2565e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21
SHA5127eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll
Filesize94KB
MD5c69c7690482c75a8fc70df2990d7afc6
SHA179d72d32a03151823bbf0953d5c2ce6bc2bde4b1
SHA256580415595e5936d5f3945e9eeee63f6f4dbacd327aa46e2b7625b638715c27f5
SHA512ed80ade3519345552ca74958efc9c122de840d2844baa08c94400f15168b6fc25377628a55ed12488ea790aaa40bc5bb77b6586de4f1ecd296902bbe36fba4f4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize688KB
MD5111e2e63bccead95bb5ffc53c9282070
SHA1eaae7df21e291aa089bc101b1e265ca202be1225
SHA2569615fe5fe63c48b13ffd8c9bc76170a9ed1cfea6a3d0901e857a1c6c6edaea76
SHA512ffc818615fb30e24633c90b8f5a55c100b5f307414ec54e5a2914bb4ea36d3fb3aa6ed0e5815976a2f6d1b7f056e7da1f108a8eed81b458decebe721ad30b920
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize27KB
MD5797c9554ec56fd72ebb3f6f6bef67fb5
SHA140af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb
SHA2567138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49
SHA5124f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize214KB
MD501807774f043028ec29982a62fa75941
SHA1afc25cf6a7a90f908c0a77f2519744f75b3140d4
SHA2569d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e
SHA51233bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize37KB
MD5efb4712c8713cb05eb7fe7d87a83a55a
SHA1c94d106bba77aecf88540807da89349b50ea5ae7
SHA25630271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75
SHA5123594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8
-
Filesize
3.4MB
MD593e4c198656fc267f392de11dee01cd0
SHA1e92cb59486745ee7564f5b374e790a065e1f4678
SHA25688b220f9f9bf25f856dda714aa1a1ae998720780cd3ec5b968154e03834fa965
SHA5123a04a02982dbbbb9d54b6c5674f2f2c10e0cbce580e3974cd924cc9131cd94aece71c7b975c9abaae82f057c70243fb016d31339e8700c96bd55c434bb98105f
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize397KB
MD5810f893e58861909b134fa72e3bc90cd
SHA1524977f32836634132d23997b23304574d8d156a
SHA256b83b6c1f64b6700d7444586a6214858a1479c58571f5e7bf4f023166c9016733
SHA512db463d34a37403a9248d463ae63989b40a0172d9543bda922dacb10a624eb603700628a67d9c86df2605c36d789902ec79228aa29f26c49be0195c54a9e4a191
-
Filesize
48KB
MD50e216aee2b1776545e46d6e578c9b269
SHA1f472317e0b903680c87f6117f77d61bbe9fa6711
SHA2563fba387345e215835d1dd36dadadedfc48fe45c0b9a64c05c4d6bc1bcc729b70
SHA51244213f0e4f1380b119e3860db3a53cadf5f150f06dd5d93aa0c0bf41d7ba053d63dca6d8921aa060f7a4282f74db3bfeb651dda7c206135a6fa17a2d0bb4718b
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Filesize197KB
MD5d0d21e16e57a1a73056eae228da1e287
SHA1ab5a27b1d3d977a7f657d0acdf047067c625869f
SHA2563db5809f23020f9988d5db0cf494f014a87b9dc1547cf804ae9d66667505a60c
SHA512470bac3e691525ff6007293bac32198c0021a1411ba9d069f88f8603189b1617c2265fe6553c1f60ef788e69afcb8aa790714c59260b7c015a5be5b149222c48
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
Filesize56KB
MD5d0aa95693d78fd438552bd9df01fec78
SHA10e7173c1af5d5543d5a41aed690e59f3ae4bb0b9
SHA25611201ece7c3ee4bbcde0b84a2bc7c251ef57fce5200b2a1ae437fc959c7ad8a7
SHA5127b48864e72627bb51063ea49f6459eb6c05baa64066d8e6c85f2ff7b7de26b633ff973e2a830da63b6824eaea65690e3f6b29af8adbc0c24724016a8764f3b15
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config
Filesize9KB
MD59d1528a2ce17522f6de064ae2c2b608e
SHA12f1ce8b589e57ab300bb93dde176689689f75114
SHA25611c9ad150a0d6c391c96e2b7f8ad20e774bdd4e622fcdfbf4f36b6593a736311
SHA512a19b54ed24a2605691997d5293901b52b42f6af7d6f6fda20b9434c9243cc47870ec3ae2b72bdea0e615f4e98c09532cb3b87f20c4257163e782c7ab76245e94
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.3284.update
Filesize9KB
MD514ffcf07375b3952bd3f2fe52bb63c14
SHA1ab2eadde4c614eb8f1f2cae09d989c5746796166
SHA2566ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed
SHA51214a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log
Filesize8KB
MD587e7fbc5812ed7f0f49c221e8a66b751
SHA1dd83e0841cfa4b7f4a4e8da0a5c7f4568e6549d9
SHA25652944a7df5dd08ded308b47c6b4def4ef43d39bd2c8fe0fd6a03c5116cce6e7c
SHA512ad4b864e68080e55db39bd7d45a9a88813bc7c903c2a08ccf113881b46903eb4a4c61d8999db8b35f1c6b6ee7eebda53bbf12a367e82832ee757d157ea2caa7a
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe.ignore
Filesize2B
MD581051bcc2cf1bedf378224b0a93e2877
SHA1ba8ab5a0280b953aa97435ff8946cbcbb2755a27
SHA2567eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6
SHA5121b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize54KB
MD577c613ffadf1f4b2f50d31eeec83af30
SHA176a6bfd488e73630632cc7bd0c9f51d5d0b71b4c
SHA2562a0ead6e9f424cbc26ef8a27c1eed1a3d0e2df6419e7f5f10aa787377a28d7cf
SHA51229c8ae60d195d525650574933bad59b98cf8438d47f33edf80bbdf0c79b32d78f0c0febe69c9c98c156f52219ecd58d7e5e669ae39d912abe53638092ed8b6c3
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize70KB
MD5e9b3a59f67febdd7f8fbe68d71c5d0ab
SHA122bd3ec3f8e0be2f317ade9d553acdb3ea11f52e
SHA256bff4de54dacec104e1e63659857ca99d3e9658dcc09d6e1cbf54dc7b22629cbf
SHA51200e95ea600777025a30e23c755522b869320ca445ac5bd74f123306457d0793efa338220cba9d064e5d25cc3dcf19d66e4e48d3a1c72d196eeb77fb61e4b0688
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize50KB
MD55bb0687e2384644ea48f688d7e75377b
SHA144e4651a52517570894cfec764ec790263b88c4a
SHA256963a4c7863beae55b1058f10f38b5f0d026496c28c78246230d992fd7b19b70a
SHA512260b661f52287af95c5033b0a03ac2e182211d165cadb7c4a19e5a8ca765e76fc84b0daf298c3eccb4904504a204194a9bf2547fc91039c3ec2d41f9977ff650
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Filesize32KB
MD52ec1d28706b9713026e8c6814e231d7c
SHA17ef12a01182d28a5ebf049cc1cb80619cd1e391a
SHA256c9514bf67df87ac6cc1002f3585d5b6f7d4093a7a794d524fa8c635f052733de
SHA5129e23588dc6d721f42e309974c3f3089f845f10d1dee87fb26213ba3810ee3c272d758632cf1c9157f6862ba0e582afc49c1ee51540461f41840650f216f35aeb
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize59KB
MD526c25e48b69eb8df7d6cea01fd66f3df
SHA1d70e92a8b8d358c7a2e200b11e23703cf43d93e9
SHA256f6da2cc4a4ca0a4cff92a2c9f61e546255bfe9d02eb1087a033b1a45e06fec87
SHA5126414db6ba626fe4b39155052638a15707cf60836056560fceeb5a1ea8faee1bee830840900f1635ff5a0ce1d271f73062660bd0ec582815e0bc56f4997a45feb
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
213B
MD567d00764bb0f9c4092b32fd1046cd6dc
SHA1e48db5df40a666caa51f6466deaf81a4f8f4f761
SHA2560d8a2f223dff9a7fed38279c4201bc811c0759f06434cd8722e194c267647949
SHA512d449f51636299cccc6a36a5befb3d56964d5df42351fca82ac453923df64538520f52ff18abaa7e264d8c2a8e96870f7b27fe0903a170f53cf3e770f6e0d70b5
-
Filesize
9KB
MD51ef7574bc4d8b6034935d99ad884f15b
SHA1110709ab33f893737f4b0567f9495ac60c37667c
SHA2560814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize
10KB
MD5f512536173e386121b3ebd22aac41a4e
SHA174ae133215345beaebb7a95f969f34a40dda922a
SHA256a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA5121efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
92KB
MD5c92c9f5a664bb56b9f6e1b8a8132cbd5
SHA1c6e076542fb007e04111c113e4707fdb48b49650
SHA25650af2f1131f102bee2143691ae08931779c593b93b86630ab4ded6d98b75c2f5
SHA512696264a32e0ddc071be8764593cf0c42e39faaa309fb0b8246d32ac5170296352f1cef7a529e846029eb876ee8c4789fca6f82872479729eede2eca614fa5510
-
Filesize
143KB
MD571026b098f8fb39c88b003df746d9fa0
SHA1013ca259f551ad6f33db53fff0e121e74408e20e
SHA25611058e8c2cd05f30dcf1775644bf19d2913c9a6d674c12f91d1896d95d9cc5c2
SHA5129830be3444225a4b2f9fa4aedbc8af4f45fdb2548f0b6a2eba2a2a407ea3c7d8fd78c0e37fac66cafbdfad781ae78b076d225fd5c836a451f57a54053ccef9ad
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD542cff42b997443cb256b1289a350b1b6
SHA1651afb301d9acc6d9c7306060597e6a5c30625fc
SHA2565a0156e23df8fc05add3ecbdc44fb33b70d86fd08dcafad7fbb37b2107bb629a
SHA5126e50f0b49cabdc45f4b1609a0d388d0c5c544bd3e957951f23637a3059da8500d7e1afe8e8b76d9bacdc2cbb6f7516d2bdbffc09a7e6fbe3a16c4d8100214cdd
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize727B
MD512d865d718c648c03e5657a02fbd7128
SHA167992668978bbcf0dc94166c3d68fe91adf5a4f7
SHA256605bc5c5942c346edd5a9639cd65d9829c8aa80d06b01dfd1b7c8dfa5fc5f671
SHA51202628a076f36de16e92be4b799074dcc843df16a065313662b163a368b46e9a458388e9e4a5c7deedeb9ea3db9da47ba886fa9be7fb8724c5f6af46a372c4c41
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD57ede1c2319349ee09eef9b918f848ee1
SHA1907bc671d8865713c6c6758ab35d880bc195cd26
SHA2560091300b2b650fad4fdf32c8681ca431aa280403bb7afec50e1e3b2232537c9e
SHA512673710e89af144f22a6a69011341e48681cf2b46ec58fa7ceed13688f3dfa17e5c8ea9f8054cb99c054864ec980fa0acebdb480ce9abf4d1d7a8ec46dcfb5866
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD5b0f0d356373f26eb2561c95df01bd987
SHA1462a4537ca8a904582008872fd9f26cedda08893
SHA2568ef117bca9fce257d8ceb81db09d9360fcaa32475d65cda6309bd7a6691009f5
SHA5126a140109ba9582ece13033d772df6ba31d4e70f594dc0a824f713e7a490a884d9b36d88a3039d17cf5852cb2ecd6bc9ffceca297545e42d2735a347b2d76dc48
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
Filesize404B
MD5b4e6986befa2bcd14fc0a4e0d992f8b6
SHA1426672845ad4183dd1bea7a0664359ffe96268a7
SHA256eb1f6e6ca103ab00329b7819241df5bc90e8c22b9d69a898763c58f43b04ae7b
SHA51286af38e5a4d279f295ebd9ce511e054ba0021df9fee2b421288de5ed2d15eeed46819a347d55e96189860e6fef1ef58e85c0f82cb11d4c1b3495b2c2eeed12c6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD5d960ab9c30acbc39fb17c384075c920b
SHA1c9c550a4ebc75632c3e11c7d57970ed3e0828548
SHA2565e0f51990dedf21a6f0cd04e8c868eeafe80e8c33b9999b9bc08341b983c5359
SHA512a6a4de9e8e9e595e419897fcb21fe91375d8367053cea0ab54fc6647d949c23bee9663921c1172de5a4dcb83f5556713cff7cf67e1f55618a4ab276601bec602
-
Filesize
651B
MD59bbfe11735bac43a2ed1be18d0655fe2
SHA161141928bb248fd6e9cd5084a9db05a9b980fb3a
SHA256549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74
SHA512a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483
-
Filesize
219KB
MD5928f4b0fc68501395f93ad524a36148c
SHA1084590b18957ca45b4a0d4576d1cc72966c3ea10
SHA2562bf33a9b9980e44d21d48f04cc6ac4eed4c68f207bd5990b7d3254a310b944ae
SHA5127f2163f651693f9b73a67e90b5c820af060a23502667a5c32c3beb2d6b043f5459f22d61072a744089d622c05502d80f7485e0f86eb6d565ff711d5680512372
-
Filesize
4.5MB
MD508211c29e0d617a579ffa2c41bde1317
SHA14991dae22d8cdc6ca172ad1846010e3d9e35c301
SHA2563334a7025ff6cd58d38155a8f9b9867f1a2d872964c72776c9bf4c50f51f9621
SHA512d6ae36a09745fdd6d0d508b18eb9f3499a06a7eeafa0834bb47a7004f4b7d54f15fec0d0a45b7e6347a85c8091ca52fe4c679f6f23c3668efe75a660a8ce917f
-
Filesize
509KB
MD588d29734f37bdcffd202eafcdd082f9d
SHA1823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA25687c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA5121343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize
25KB
MD5aa1b9c5c685173fad2dabebeb3171f01
SHA1ed756b1760e563ce888276ff248c734b7dd851fb
SHA256e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize
179KB
MD51a5caea6734fdd07caa514c3f3fb75da
SHA1f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize
1KB
MD5bc17e956cde8dd5425f2b2a68ed919f8
SHA15e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA51202090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize
695KB
MD5715a1fbee4665e99e859eda667fe8034
SHA1e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize
211KB
MD5a3ae5d86ecf38db9427359ea37a5f646
SHA1eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA51296ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize
2.9MB
MD573f95f387f28c4076c731baaf9e0aa2f
SHA17ad11a552545d11065bf318a6d631a1c4c441fd4
SHA25660a7462362c166a19f7b21254568c90c3d4ef5d27b624f68254180c0d4e01e3b
SHA512f5a1c75f1c6c56319787c458e12b9059252e4ee4c2f9c5e8b6269a03c559cdb85669581443ab434948f5378c8dd7ccd0ae2922cfe1ea6388f13b8fd087c714a9
-
Filesize
26.3MB
MD5b9c6d23462adef092b8a5b7880531b03
SHA19e8c4f7f48d38fb54a93789a583852869c074f2d
SHA2562e23da54aa1ff64de09021ab089c1be6d4a323bdf0d8f46f78b5c6a33df83109
SHA51218623991c5690e516541eaf867f22b3a1a02317392178943143bedc7f7eda5e02e69665c3c4a5fa50ade516a191bbbf16fd71e60f3225f660fb10ebc25cd01a5
-
Filesize
772KB
MD5d73de5788ab129f16afdd990d8e6bfa9
SHA188cb87af50ea4999e2079d9269ce64c8eb1a584e
SHA2564f9ac5a094e9b1b4f0285e6e69c2e914e42dcc184dfe6fe93894f8e03ca6c193
SHA512bfc32f9a20e30045f5207446c6ab6e8ef49a3fd7a5a41491c2242e10fee8efd2f82f81c3ff3bf7681e5e660fde065a315a89d87e9f488c863421fe1d6381ba3b
-
Filesize
602B
MD50697b5610e87cc688a95221545b1298a
SHA10c4e19ac37b9ccb2a16166d7950aa6c124ce3f1d
SHA2566c5aba17ff7c16695019b6794c0e4980f7a3699e4d84a249e79a470f70825141
SHA512acea92a83acd47a99933d13b3443604b0985cf9985d4f4ef22bcfb5b3679f4bd103a7273d59a87a846d92c5a19c0cb9658a879bcc2ad1ef25aac2c5cf178b5b7
-
Filesize
708B
MD5987b00df834dec6c8bb8fc7162aa4224
SHA1dbe7a9617b44a93cef118dfebb00363bdd3e320c
SHA256639d51eeb24ee76b6d3b8f0970e0b6dbede7daf27c86e9354976da06c5b68a88
SHA512bddc707d8d2cfa67860c790d7fff8e84411665a37790dc81ca1ce262076423cf8fec3c636f772350471c009d89697e692087c736988aa8da7c7f2299078b0a47
-
Filesize
1KB
MD556adc22979e49f29a22787b3e6fdfbfa
SHA17951c7c4fdd1fdfa727749ac31a423d0e984f3d2
SHA256dbeea43b44063276b77830cfe21de4d24f46711a9cd068f5cd9d8a89b4eaa3a6
SHA5123703493d9de85e6babda1f7aea7501b3b7a9b997a779c5b13e202c8d87fe6ed0ecc6b82d5616e35821ce90fee00a957adf2ddc52cb933b35992d6788e2b49bbc
-
Filesize
4KB
MD5dd2ade0b54770b7d8005a92a05409c1d
SHA131c203746b021356e075c31292151c7dc33cde86
SHA2565562b29b93b7d84b6b95fd868aa12a41e8ea915846fe9c19499cd7e70af6d67d
SHA5121b7db9871aec6194e16d15c24a31aadffbcdd88a1d833a946070cc14a08c05e1c37bf747506b649dd68bea1e851ef10999cda3b34e096d7f1575cd737bd31ac6
-
Filesize
2KB
MD5f26996f02e9d7831a8ea210fa63afd11
SHA1c82d2c15b43344b9289047cf6617a3d06de75506
SHA2565c447c69c914a7133f66ae4a10b5fff1ac185999bfd669309ef8e957772c825e
SHA512cbfc320b844f5e20e61c982050277a6749d7ed59b8f733754b958eb3e86ee18a9ddb99e5872760f758020e1a05abc887a6d5cb1dd4064a557e0fa385539b1c80
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD52c2e105982ac3be519142db68e3b32ac
SHA111589409538dd3b4885cbffd9cedb866c5128b03
SHA256041f320c30f222695b8704efb982c122ba931c267e4d0ef1b3605de16182150c
SHA512f5008ac0a8d200b1deb020e174bceeceaccdc5548c205e217d866e93a115648ff966aea5f0c7c86f1ff5b321604b35b8a06157c3559b23cad9b184ba4049efc3
-
Filesize
4KB
MD5a8fe18ec349f34494001236630f13d97
SHA1c2f3bf6edf1463a2855e5d00b2b693f8285fd8f9
SHA2566f7eb09955f0964f18cef63a7e3b48fc2cf24e8727de31a3977805b96506fc66
SHA5129be5b0d82342743ebc6f3f839cd3a37a081e0636e6b188461679798ad9b2dfc7c662339cd1711ae74a7593b9c3db635bfbba187c1c09acffc11e5e07aecf9a06
-
Filesize
3.2MB
MD52c18826adf72365827f780b2a1d5ea75
SHA1a85b5eae6eba4af001d03996f48d97f7791e36eb
SHA256ae06a5a23b6c61d250e8c28534ed0ffa8cc0c69b891c670ffaf54a43a9bf43be
SHA512474fce1ec243b9f63ea3d427eb1117ad2ebc5a122f64853c5015193e6727ffc8083c5938117b66e572da3739fd0a86cd5bc118f374c690fa7a5fe9f0c071c167
-
Filesize
4KB
MD59eb0320dfbf2bd541e6a55c01ddc9f20
SHA1eb282a66d29594346531b1ff886d455e1dcd6d99
SHA2569095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA5129ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize
607KB
MD5669de3ab32955e69decfe13a3c89891e
SHA1ab2e90613c8b9261f022348ca11952a29f9b2c73
SHA2562240e6318171b3cddcee6a801488f59145c1f54ca123068c2a73564535954677
SHA512be5d737a7d25cc779736b60b1ea59982593f0598e207340219a13fd9572d140cfbcd112e3cf93e3be6085fe284a54d4458563e6f6e4e1cfe7c919685c9ee5442
-
Filesize
571B
MD5d239b8964e37974225ad69d78a0a8275
SHA1cf208e98a6f11d1807cd84ca61504ad783471679
SHA2560ce4b4c69344a2d099dd6ca99e44801542fa2011b5505dd9760f023570049b73
SHA51288eb06ae80070203cb7303a790ba0e8a63c503740ca6e7d70002a1071c89b640f9b43f376ddc3c9d6ee29bae0881f736fa71e677591416980b0a526b27ee41e8
-
Filesize
182KB
MD599bbffd900115fe8672c73fb1a48a604
SHA18f587395fa6b954affef337c70781ce00913950e
SHA25657ceff2d980d9224c53a910a6f9e06475dc170f42a0070ae4934868ccd13d2dc
SHA512d578b1931a8daa1ef0f0238639a0c1509255480b5dbd464c639b4031832e2e7537f003c646d7bd65b75e721a7ad584254b4dfa7efc41cf6c8fbd6b72d679eeff
-
Filesize
179KB
MD57a1c100df8065815dc34c05abc0c13de
SHA13c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize
345KB
MD50376dd5b7e37985ea50e693dc212094c
SHA102859394164c33924907b85ab0aaddc628c31bf1
SHA256c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415
SHA51269d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5
-
Filesize
427KB
MD585315ad538fa5af8162f1cd2fce1c99d
SHA131c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA25670735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize
1.8MB
MD5befe2ef369d12f83c72c5f2f7069dd87
SHA1b89c7f6da1241ed98015dc347e70322832bcbe50
SHA2569652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log
Filesize1KB
MD59cad061ddf5ad182cfe7879190aeed71
SHA1cfd292d16d937f95b642527464403b7e5ef6af96
SHA256b2d273fa926ebf6946e69e8808ad332db42bc65f449748082e088aa732e408ca
SHA512df517d66358f441a7c4c690cd90e214f18d490e3de767dd76164effaa179b1dd865a0056d68ce3ab6aee55917465c7f39146e7694b1ac475fcc95c280fb29e92
-
Filesize
24.1MB
MD542430c9b885cab3e14dfae70c70d36ff
SHA1cf3c3333bd1cfa28d178713afd8362b9095ea7c8
SHA2564864212a7f617cc743a0f8292c35810b05a9fb61b14a21838817a12484de34af
SHA512ed1c9849846119f97cab72f8b60632376ac76bb397be635e2adde311798ce3304d525d0ec3f09e78d42948380d2d46fe9d76232c9fd6378076b476852026ffa0
-
\??\Volume{33d51020-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{23d2b3a0-6008-4d3b-be03-5e4db0475a49}_OnDiskSnapshotProp
Filesize6KB
MD52e329f886644f5620d550aa83b0a80a6
SHA1befd8942c86d2075080b37603e56d80a363b1594
SHA256b7f8c67730dc08511a701774237f35e1d297c29d9cadce6ab6235036e8c4684e
SHA5125590beb8b3b0b815123862701f77615a9cab6e4c01e6e5a1587dc1f114190d82bd1006940486907b22271823ef6f46727b4e70c2b60ad09f0bf1ba1b8a7be179