Analysis
max time kernel: 588s
max time network: 589s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250217-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250217-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 12/03/2025, 18:44

Behavioral task: behavioral1
Sample: NF-0459.msi
Resource: win10ltsc2021-20250217-en

General
Target: NF-0459.msi
Size: 2.9MB
MD5: 6ba81c43b60cb1fb67f4a216b767e681
SHA1: ca69001850032c1b9c9c4c2417b20298e71c0ed9
SHA256: 921ff0f7d946debea36c5009f3a1f3162de3debb49e5e2b167c9d824ea7abf30
SHA512: 5acb905e260f8b611cfbf3e2b15cf9019f283018b8b9fefaa44d3ff62ea92dc2f2b8af961bd2716f01d54d570a8182f380a6cee67bf90a01db2e569e40ed30b9
SSDEEP: 49152:U+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:U+lUlz9FKbsodq0YaH7ZPxMb8tT

Malware Config
Signatures
AteraAgent
AteraAgent is a remote monitoring and management tool.

Ateraagent family

Detects AteraAgent (1 IoC)
resource  yara_rule
behavioral1/files/0x0008000000027d8d-236.dat  family_ateraagent

Blocklisted process makes network request (7 IoCs)
flow  pid  Process
4  3560  msiexec.exe
6  3560  msiexec.exe
27  3012  rundll32.exe
36  3012  rundll32.exe
82  1304  MsiExec.exe
199  5468  rundll32.exe
250  5396  rundll32.exe

Adds Run key to start application (2 TTPs, 1 IoC)
description  ioc  Process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e883dae5-a63d-4a45-afb9-257f64d5a59b} = "\"C:\\ProgramData\\Package Cache\\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\\dotnet-runtime-8.0.11-win-x64.exe\" /burn.runonce"  dotnet-runtime-8.0.11-win-x64.exe

Downloads MZ/PE file (2 IoCs)
flow  pid  Process
69  1172  AgentPackageSTRemote.exe
130  6952  AgentPackageRuntimeInstaller.exe

Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\D:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\D:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe

Writes to the Master Boot Record (MBR) (1 TTP, 6 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
description  ioc  Process
File opened for modification  \??\PhysicalDrive0  AgentPackageMonitoring.exe
File opened for modification  \??\PhysicalDrive0  AgentPackageMonitoring.exe
File opened for modification  \??\PhysicalDrive0  AgentPackageMonitoring.exe
File opened for modification  \??\PhysicalDrive0  AgentPackageMonitoring.exe
File opened for modification  \??\PhysicalDrive0  AgentPackageMonitoring.exe
File opened for modification  \??\PhysicalDrive0  AgentPackageMonitoring.exe

Drops file in System32 directory (49 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB  SRManager.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651  SRManager.exe
File opened for modification  C:\Windows\system32\InstallUtil.InstallLog  AteraAgent.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log  AgentPackageMonitoring.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC  AteraAgent.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141  MsiExec.exe
File opened for modification  C:\Windows\system32\SRCredentialProvider.dll  MsiExec.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4  AteraAgent.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB  SRManager.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageInternalPoller.exe.log  AgentPackageInternalPoller.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageADRemote.exe.log  AgentPackageADRemote.exe
File opened for modification  C:\Windows\system32\InstallUtil.InstallLog  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC  AteraAgent.exe
File created  C:\Windows\system32\SRC52F0.tmp  MsiExec.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMarketplace.exe.log  AgentPackageMarketplace.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSystemTools.exe.log  AgentPackageSystemTools.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageTicketing.exe.log  AgentPackageTicketing.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageOsUpdates.exe.log  AgentPackageOsUpdates.exe
File opened for modification  C:\Windows\system32\InstallUtil.InstallLog  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944  AteraAgent.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E  MsiExec.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageSTRemote.exe.log  AgentPackageSTRemote.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageRuntimeInstaller.exe.log  AgentPackageRuntimeInstaller.exe
File created  C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log  rundll32.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141  MsiExec.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageHeartbeat.exe.log  AgentPackageHeartbeat.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AteraAgent.exe.log  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1  AteraAgent.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log  powershell.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_9C79DA33A1711362E9D071D2706BB651  SRManager.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive  powershell.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageUpgradeAgent.exe.log  AgentPackageUpgradeAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4  AteraAgent.exe
File opened for modification  C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506  AteraAgent.exe
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log  AgentPackageAgentInformation.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache  MsiExec.exe
File opened for modification  C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content  MsiExec.exe

Event Triggered Execution: Component Object Model Hijacking (1 TTP)
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

resource  yara_rule
behavioral1/memory/5488-1185-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5488-1184-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5572-1197-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5572-1202-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5784-1211-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5784-1224-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5488-1262-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5488-1263-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5572-1270-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5572-1271-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5488-1593-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5784-1595-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5784-1594-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5488-1592-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5572-1677-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/844-1688-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/844-1680-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/844-1957-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/844-1958-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5572-1678-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5488-2070-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5488-2071-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5784-2427-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx
behavioral1/memory/5784-2428-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5784-2545-0x0000000072CE0000-0x00000000730AD000-memory.dmp  upx
behavioral1/memory/5784-2544-0x00000000730B0000-0x00000000731CC000-memory.dmp  upx

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (64 IoCs)
description  ioc  Process
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Atera.Utils.dll  AteraAgent.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win10\install_driver64.bat  msiexec.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Options.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\runtimes\win\lib\net6.0\System.Diagnostics.EventLog.Messages.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\ptc3.cch  AgentPackageOsUpdates.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista\driver\mv2.sys  msiexec.exe
File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Threading.Tasks.Parallel.dll  msiexec.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Polly.Core.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.ComponentModel.Primitives.dll  AteraAgent.exe
File opened for modification  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll  AteraAgent.exe
File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Net.NetworkInformation.dll  msiexec.exe
File created  C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.11\System.Xml.Serialization.dll  msiexec.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.Tools.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Data.SQLite.dll  AteraAgent.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll  msiexec.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Globalization.Extensions.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Diagnostics.DiagnosticSource.dll  AteraAgent.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\WdfCoInstaller01009.dll  msiexec.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.UserSecrets.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe.config  AteraAgent.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd64.exe  msiexec.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.runtimeconfig.json  AteraAgent.exe
File opened for modification  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Memory.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Microsoft.Extensions.Logging.Configuration.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\x64\SQLite.Interop.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\Microsoft.ApplicationInsights.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll  AteraAgent.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.pem  msiexec.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\STRLOG\splashtop.bl  SRManager.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.AppContext.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\CredentialManagement.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Security.Cryptography.Csp.dll  AteraAgent.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\uninstall_driver.bat  msiexec.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Microsoft.Extensions.DependencyInjection.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Newtonsoft.Json.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\System.Runtime.InteropServices.RuntimeInformation.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\System.Buffers.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.IO.Compression.dll  AteraAgent.exe
File opened for modification  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\lastSnapshot.txt  Agent.Package.Software.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.ini  AteraAgent.exe
File opened for modification  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3-journal  SRAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Microsoft.Extensions.Diagnostics.Abstractions.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Microsoft.Extensions.Logging.Debug.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\Newtonsoft.Json.dll  AteraAgent.exe
File opened for modification  C:\Program Files (x86)\ATERA Networks\AteraAgent\System.ValueTuple.dll  msiexec.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Microsoft.Extensions.Configuration.Binder.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\Polly.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\StructureMap.dll  AteraAgent.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\install.bat  msiexec.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\System.Data.SQLite.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\TicketingNotifications.exe  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\System.Diagnostics.TraceSource.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\System.Buffers.dll  AteraAgent.exe
File created  C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Serilog.Extensions.Logging.dll  AteraAgent.exe
File created  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\dynamicfieldscaching.cch  AgentPackageAgentInformation.exe
File created  C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\devcon64.exe  msiexec.exe
File opened for modification  C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Diagnostics.DiagnosticSource.dll  AteraAgent.exe

Drops file in Windows directory (64 IoCs)
description  ioc  Process
File opened for modification  C:\Windows\Installer\MSICD21.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE457.tmp-\Newtonsoft.Json.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\e57d7a6.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3491.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0  msiexec.exe
File created  C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\CacheSize.txt  msiexec.exe
File opened for modification  C:\Windows\Installer\e57d7c1.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4038.tmp-\System.Management.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSIDB8C.tmp-\System.Management.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSIF091.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSIE0DE.tmp  msiexec.exe
File created  C:\Windows\Installer\e57d7bb.msi  msiexec.exe
File opened for modification  C:\Windows\WinSxS\pending.xml  TiWorker.exe
File created  C:\Windows\Installer\e57d7b0.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\CacheSize.txt  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE44D.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4308.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE5E0.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSID149.tmp  msiexec.exe
File created  C:\Windows\Installer\e57d7c1.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI48D8.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5DEA.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4308.tmp-\CustomAction.config  rundll32.exe
File opened for modification  C:\Windows\Installer\MSID86E.tmp-\CustomAction.config  rundll32.exe
File opened for modification  C:\Windows\Installer\MSIE61F.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIF091.tmp-\System.Management.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSI458C.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3F6C.tmp-\AlphaControlAgentInstallation.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSI484A.tmp  msiexec.exe
File created  C:\Windows\Installer\e57d7a3.msi  msiexec.exe
File created  C:\Windows\Installer\SourceHash{9C80213E-9079-4561-8D57-1FDD0D62251F}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5F82.tmp-\Newtonsoft.Json.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSI3F6C.tmp-\CustomAction.config  rundll32.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE457.tmp-\AlphaControlAgentInstallation.dll  rundll32.exe
File created  C:\Windows\Installer\e57d7aa.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI604B.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIDEF7.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE69D.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIF091.tmp-\AlphaControlAgentInstallation.dll  rundll32.exe
File created  C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}  msiexec.exe
File created  C:\Windows\Installer\e57d7b1.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI5F82.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3F6C.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSI5DBA.tmp  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIF091.tmp-\CustomAction.config  rundll32.exe
File opened for modification  C:\Windows\Installer\e57d7b1.msi  msiexec.exe
File created  C:\Windows\Installer\e57d7b6.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSID86E.tmp-\Newtonsoft.Json.dll  rundll32.exe
File created  C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe  msiexec.exe
File created  C:\Windows\Installer\e57d7ac.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE371.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIE4DB.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI3F6C.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4308.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\$PatchCache$\Managed\63337BB296F4141479799EDBF63E89A0\64.8.8795\fileCoreHostExe  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI4308.tmp-\System.Management.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSI5F82.tmp-\AlphaControlAgentInstallation.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSIDB8C.tmp-\Microsoft.Deployment.WindowsInstaller.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\MSIF091.tmp-\Newtonsoft.Json.dll  rundll32.exe
File opened for modification  C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI62FB.tmp  msiexec.exe

Executes dropped EXE (64 IoCs)
pid  Process
2924  AteraAgent.exe
3424  AteraAgent.exe
3816  AgentPackageAgentInformation.exe
3500  AgentPackageAgentInformation.exe
2452  AgentPackageAgentInformation.exe
4024  AgentPackageAgentInformation.exe
2404  AteraAgent.exe
1172  AgentPackageSTRemote.exe
1500  AgentPackageMonitoring.exe
4632  SplashtopStreamer.exe
4280  PreVerCheck.exe
1128  _is360F.exe
396  _is360F.exe
1908  _is360F.exe
2096  _is360F.exe
840  _is360F.exe
32  _is360F.exe
3272  _is360F.exe
2360  _is360F.exe
700  _is360F.exe
3940  _is360F.exe
1544  _is4274.exe
1088  _is4274.exe
2928  _is4274.exe
2628  _is4274.exe
1312  _is4274.exe
2928  _is4274.exe
2628  _is4274.exe
32  _is4274.exe
840  _is4274.exe
3940  _is4274.exe
3956  _is4E2D.exe
2444  _is4E2D.exe
4752  _is4E2D.exe
700  _is4E2D.exe
4276  _is4E2D.exe
840  _is4E2D.exe
3940  _is4E2D.exe
1908  _is4E2D.exe
2444  _is4E2D.exe
4752  _is4E2D.exe
3628  SetupUtil.exe
1908  SetupUtil.exe
848  SetupUtil.exe
3452  SRSelfSignCertUtil.exe
5308  _is609D.exe
5392  _is609D.exe
5424  _is609D.exe
5456  _is609D.exe
5492  _is609D.exe
5568  _is609D.exe
5600  _is609D.exe
5632  _is609D.exe
5668  _is609D.exe
5700  _is609D.exe
5748  SRService.exe
5940  _is633E.exe
5976  _is633E.exe
6008  _is633E.exe
6040  _is633E.exe
6076  _is633E.exe
3760  _is633E.exe
1096  _is633E.exe
3272  _is633E.exe

Launches sc.exe (3 IoCs)
sc.exe is a Windows utility to control services on the system.
pid  Process
4448  sc.exe
3628  sc.exe
4172  sc.exe

Loads dropped DLL (64 IoCs)
pid  Process
1052  MsiExec.exe
4560  rundll32.exe
4560  rundll32.exe
4560  rundll32.exe
4560  rundll32.exe
4560  rundll32.exe
1052  MsiExec.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
1052  MsiExec.exe
32  rundll32.exe
32  rundll32.exe
32  rundll32.exe
32  rundll32.exe
32  rundll32.exe
1052  MsiExec.exe
1084  MsiExec.exe
1084  MsiExec.exe
1052  MsiExec.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
3012  rundll32.exe
1500  AgentPackageMonitoring.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
1304  MsiExec.exe
5488  SRManager.exe
1304  MsiExec.exe
5488  SRManager.exe
5488  SRManager.exe
5488  SRManager.exe
5784  SRServer.exe
5784  SRServer.exe
5572  SRAgent.exe
5488  SRManager.exe
5488  SRManager.exe

pid  Process
1272  powershell.exe
1128  powershell.exe
2772  powershell.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)
pid  Process
3560  msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRSelfSignCertUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SetupUtil.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language dotnet-runtime-8.0.11-win-x64.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRServer.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAppPB.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msiexec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRAgent.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRFeature.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8-0-11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe Key opened 
\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRManager.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SplashtopStreamer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PreVerCheck.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language taskkill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 8-0-11.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRVirtualDisplay.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language NET.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language TaskKill.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRUtility.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SRService.exe -
System Time Discovery 1 TTPs 11 IoCs
An adversary may gather the system time and/or time zone settings from a local or remote system.
pid Process 6296 cmd.exe 1208 8-0-11.exe 5952 dotnet-runtime-8.0.11-win-x64.exe 5220 cmd.exe 2108 dotnet.exe 3712 dotnet.exe 6756 dotnet.exe 6172 cmd.exe 6164 dotnet.exe 7140 dotnet.exe 1668 cmd.exe -
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe -
Checks processor information in registry 2 TTPs 10 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz firefox.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString firefox.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 firefox.exe -
Kills process with taskkill 13 IoCs
pid Process 700 taskkill.exe 4276 taskkill.exe 3940 taskkill.exe 1300 taskkill.exe 2928 taskkill.exe 2704 TaskKill.exe 4736 TaskKill.exe 1252 TaskKill.exe 2568 taskkill.exe 4708 taskkill.exe 4028 taskkill.exe 4604 taskkill.exe 1824 taskkill.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs SRManager.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%systemroot%\system32\FirewallControlPanel.dll,-12122 = "Windows Defender Firewall" SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageHeartbeat.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AgentPackageAgentInformation.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root SRManager.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local 
Settings\MuiCache\2d\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections AgentPackageInternalPoller.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" SplashtopStreamer.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CTLs cscript.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates cscript.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople SRManager.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates cscript.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d msiexec.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\RestartManager\Session0002\Owner = 14170000b9e88bd17f93db01 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" SetupUtil.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust cscript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created 
\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs MsiExec.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPublisher\Certificates cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs cscript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs AteraAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe -
Modifies registry class 64 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\PackageCode = "6A2CD1281BEA6974086CF7E70C729BF4" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\Dependents\{e883dae5-a63d-4a45-afb9-257f64d5a59b} dotnet-runtime-8.0.11-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\Media msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Clients = 3a0000000000 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} SRService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ = "C:\\Windows\\system32\\SRCredentialProvider.dll" SRService.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\DisplayName = "Microsoft .NET Runtime - 8.0.11 (x64)" dotnet-runtime-8.0.11-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{F59C11F0-D73F-452B-8D1D-8C33B82D8507}v64.44.23191\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\InstanceType = "0" 
msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E31208C997091654D875F1DDD02652F1 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\Version = "1076648599" msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\Clients = 3a0000000000 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\Clients = 3a0000000000 msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FF1292B61C97FBE4184B6C604D5EEB4F\INSTALLFOLDER_files_Feature msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\Assignment = "1" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell\open\command\ = "\"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe\" \"%1\"" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Dependents\{e883dae5-a63d-4a45-afb9-257f64d5a59b} dotnet-runtime-8.0.11-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Version = "50790402" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\InprocServer32\ThreadingModel = "Apartment" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\URL Protocol AgentPackageTicketing.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\ait\shell AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D0D4B2638348AD44682BEF4CE400F0AC msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\Language = "1033" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\63337BB296F4141479799EDBF63E89A0\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\DeploymentFlags = "3" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\shell\open\command\ = "C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRUtility.exe -a %1" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F11C95FF37DB254D8D1C8338BD25870\Provider msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FF1292B61C97FBE4184B6C604D5EEB4F\SourceList\PackageName = "ateraAgentSetup64_1_8_7_2.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ait\DefaultIcon\ = "C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageTicketing\\TicketingNotifications.exe,1" AgentPackageTicketing.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC}\ = "SRCredentialProvider" MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Version = "64.44.23191" msiexec.exe Set value (int) 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\Version = "1076648599" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_SharedHost_8.0_x64\DisplayName = "Microsoft .NET Host - 8.0.11 (x64)" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\ProductName = "Microsoft .NET Host - 8.0.11 (x64)" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\st-streamer\URL Protocol MsiExec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{e883dae5-a63d-4a45-afb9-257f64d5a59b}\ = "{e883dae5-a63d-4a45-afb9-257f64d5a59b}" dotnet-runtime-8.0.11-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F11C95FF37DB254D8D1C8338BD25870\MainFeature msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64 dotnet-runtime-8.0.11-win-x64.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D0D4B2638348AD44682BEF4CE400F0AC\SourceList\Net msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\dotnet_runtime_64.44.23191_x64\Dependents dotnet-runtime-8.0.11-win-x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Assignment = "1" msiexec.exe Key created 
\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E31208C997091654D875F1DDD02652F1\ProductName = "Microsoft .NET Runtime - 8.0.11 (x64)" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A6DA04985925EAF493E05C325D562007\E31208C997091654D875F1DDD02652F1 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Dotnet_CLI_HostFxr_64.44.23191_x64\DisplayName = "Microsoft .NET Host FX Resolver - 8.0.11 (x64)" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{97E1814E-5601-41c8-9971-10C319EF61CC} MsiExec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ait AgentPackageTicketing.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F11C95FF37DB254D8D1C8338BD25870\AuthorizedLUAApp = "0" msiexec.exe -
Modifies system certificate store 2 TTPs 7 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 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 AteraAgent.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 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 AteraAgent.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 
5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378
c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e AteraAgent.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 772 msiexec.exe 772 msiexec.exe 3424 AteraAgent.exe 3424 AteraAgent.exe 3500 AgentPackageAgentInformation.exe 3500 AgentPackageAgentInformation.exe 3816 AgentPackageAgentInformation.exe 3816 AgentPackageAgentInformation.exe 3424 AteraAgent.exe 4024 AgentPackageAgentInformation.exe 4024 AgentPackageAgentInformation.exe 1172 AgentPackageSTRemote.exe 1172 AgentPackageSTRemote.exe 1272 powershell.exe 1272 powershell.exe 1272 powershell.exe 3424 AteraAgent.exe 848 SetupUtil.exe 848 SetupUtil.exe 848 SetupUtil.exe 848 SetupUtil.exe 3452 SRSelfSignCertUtil.exe 3452 SRSelfSignCertUtil.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 5444 SRService.exe 5444 SRService.exe 4384 taskmgr.exe 5488 SRManager.exe 5488 SRManager.exe 5444 SRService.exe 5444 SRService.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 4384 taskmgr.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5572 SRAgent.exe 5572 SRAgent.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5488 SRManager.exe 5544 SRAppPB.exe 5544 SRAppPB.exe 5488 SRManager.exe 5488 SRManager.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 4384 taskmgr.exe 4012 OpenWith.exe 4424 OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3560 msiexec.exe Token: SeIncreaseQuotaPrivilege 3560 msiexec.exe Token: SeSecurityPrivilege 772 msiexec.exe Token: SeCreateTokenPrivilege 3560 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3560 msiexec.exe Token: SeLockMemoryPrivilege 3560 msiexec.exe Token: SeIncreaseQuotaPrivilege 3560 msiexec.exe Token: SeMachineAccountPrivilege 3560 msiexec.exe Token: SeTcbPrivilege 3560 msiexec.exe Token: SeSecurityPrivilege 3560 msiexec.exe Token: SeTakeOwnershipPrivilege 3560 msiexec.exe Token: SeLoadDriverPrivilege 3560 msiexec.exe Token: SeSystemProfilePrivilege 3560 msiexec.exe Token: SeSystemtimePrivilege 3560 msiexec.exe Token: SeProfSingleProcessPrivilege 3560 msiexec.exe Token: SeIncBasePriorityPrivilege 3560 msiexec.exe Token: SeCreatePagefilePrivilege 3560 msiexec.exe Token: SeCreatePermanentPrivilege 3560 msiexec.exe Token: SeBackupPrivilege 3560 msiexec.exe Token: SeRestorePrivilege 3560 msiexec.exe Token: SeShutdownPrivilege 3560 msiexec.exe Token: SeDebugPrivilege 3560 msiexec.exe Token: SeAuditPrivilege 3560 msiexec.exe Token: SeSystemEnvironmentPrivilege 3560 msiexec.exe Token: SeChangeNotifyPrivilege 3560 msiexec.exe Token: SeRemoteShutdownPrivilege 3560 msiexec.exe Token: SeUndockPrivilege 3560 msiexec.exe Token: SeSyncAgentPrivilege 3560 msiexec.exe Token: SeEnableDelegationPrivilege 3560 msiexec.exe Token: SeManageVolumePrivilege 3560 msiexec.exe Token: SeImpersonatePrivilege 3560 msiexec.exe Token: SeCreateGlobalPrivilege 3560 msiexec.exe Token: SeBackupPrivilege 2060 vssvc.exe Token: SeRestorePrivilege 2060 vssvc.exe Token: SeAuditPrivilege 2060 vssvc.exe Token: SeBackupPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeDebugPrivilege 3012 rundll32.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeDebugPrivilege 1252 TaskKill.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe Token: SeTakeOwnershipPrivilege 772 msiexec.exe Token: SeRestorePrivilege 772 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 3560 msiexec.exe 3560 msiexec.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 5784 SRServer.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 5784 SRServer.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe -
Suspicious use of SendNotifyMessage 64 IoCs
pid Process 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe 4384 taskmgr.exe -
Suspicious use of SetWindowsHookEx 64 IoCs
pid Process 4632 SplashtopStreamer.exe 5784 SRServer.exe 5784 SRServer.exe 5544 SRAppPB.exe 5544 SRAppPB.exe 5788 SRVirtualDisplay.exe 5788 SRVirtualDisplay.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4040 OpenWith.exe 4012 OpenWith.exe 4012 OpenWith.exe 4012 OpenWith.exe 4012 OpenWith.exe 4012 OpenWith.exe 4012 OpenWith.exe 4012 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 3360 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe 4424 OpenWith.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 772 wrote to memory of 232 772 msiexec.exe 96 PID 772 wrote to memory of 232 772 msiexec.exe 96 PID 772 wrote to memory of 1052 772 msiexec.exe 98 PID 772 wrote to memory of 1052 772 msiexec.exe 98 PID 772 wrote to memory of 1052 772 msiexec.exe 98 PID 1052 wrote to memory of 4560 1052 MsiExec.exe 99 PID 1052 wrote to memory of 4560 1052 MsiExec.exe 99 PID 1052 wrote to memory of 4560 1052 MsiExec.exe 99 PID 1052 wrote to memory of 3012 1052 MsiExec.exe 100 PID 1052 wrote to memory of 3012 1052 MsiExec.exe 100 PID 1052 wrote to memory of 3012 1052 MsiExec.exe 100 PID 1052 wrote to memory of 32 1052 MsiExec.exe 101 PID 1052 wrote to memory of 32 1052 MsiExec.exe 101 PID 1052 wrote to memory of 32 1052 MsiExec.exe 101 PID 772 wrote to memory of 1084 772 msiexec.exe 102 PID 772 wrote to memory of 1084 772 msiexec.exe 102 PID 772 wrote to memory of 1084 772 msiexec.exe 102 PID 1084 wrote to memory of 1236 1084 MsiExec.exe 103 PID 1084 wrote to memory of 1236 1084 MsiExec.exe 103 PID 1084 wrote to memory of 1236 1084 MsiExec.exe 103 PID 1236 wrote to memory of 2536 1236 NET.exe 105 PID 1236 wrote to memory of 2536 1236 NET.exe 105 PID 1236 wrote to memory of 2536 1236 NET.exe 105 PID 1084 wrote to memory of 1252 1084 MsiExec.exe 106 PID 1084 wrote to memory of 1252 1084 MsiExec.exe 106 PID 1084 wrote to memory of 1252 1084 MsiExec.exe 106 PID 772 wrote to memory of 2924 772 msiexec.exe 108 PID 772 wrote to memory of 2924 772 msiexec.exe 108 PID 1052 wrote to memory of 3012 1052 MsiExec.exe 110 PID 1052 wrote to memory of 3012 1052 MsiExec.exe 110 PID 1052 wrote to memory of 3012 1052 MsiExec.exe 110 PID 3424 wrote to memory of 4448 3424 AteraAgent.exe 111 PID 3424 wrote to memory of 4448 3424 AteraAgent.exe 111 PID 3424 wrote to memory of 3816 3424 AteraAgent.exe 113 PID 3424 wrote to memory of 3816 3424 AteraAgent.exe 113 PID 3424 wrote to memory of 3500 3424 AteraAgent.exe 114 PID 3424 wrote to memory of 3500 3424 AteraAgent.exe 114 PID 3424 wrote to memory of 2452 3424 AteraAgent.exe 117 PID 3424 wrote to memory of 2452 3424 AteraAgent.exe 117 PID 3424 wrote to memory of 4024 3424 AteraAgent.exe 119 PID 3424 wrote to memory of 4024 3424 AteraAgent.exe 119 PID 3424 wrote to memory of 1172 3424 AteraAgent.exe 122 PID 3424 wrote to memory of 1172 3424 AteraAgent.exe 122 PID 2404 wrote to memory of 3628 2404 AteraAgent.exe 124 PID 2404 wrote to memory of 3628 2404 AteraAgent.exe 124 PID 4024 wrote to memory of 1272 4024 AgentPackageAgentInformation.exe 127 PID 4024 wrote to memory of 1272 4024 AgentPackageAgentInformation.exe 127 PID 4024 wrote to memory of 2436 4024 AgentPackageAgentInformation.exe 129 PID 4024 wrote to memory of 2436 4024 AgentPackageAgentInformation.exe 129 PID 2436 wrote to memory of 3624 2436 cmd.exe 131 PID 2436 wrote to memory of 3624 2436 cmd.exe 131 PID 3424 wrote to memory of 1500 3424 AteraAgent.exe 132 PID 3424 wrote to memory of 1500 3424 AteraAgent.exe 132 PID 1172 wrote to memory of 4632 1172 AgentPackageSTRemote.exe 138 PID 1172 wrote to memory of 4632 1172 AgentPackageSTRemote.exe 138 PID 1172 wrote to memory of 4632 1172 AgentPackageSTRemote.exe 138 PID 4632 wrote to memory of 4280 4632 SplashtopStreamer.exe 139 PID 4632 wrote to memory of 4280 4632 SplashtopStreamer.exe 139 PID 4632 wrote to memory of 4280 4632 SplashtopStreamer.exe 139 PID 4280 wrote to memory of 4204 4280 PreVerCheck.exe 140 PID 4280 wrote to memory of 4204 4280 PreVerCheck.exe 140 PID 4280 wrote to memory of 4204 4280 PreVerCheck.exe 140 PID 772 wrote to memory of 1304 772 msiexec.exe 141 PID 772 wrote to memory of 1304 772 msiexec.exe 141 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NF-0459.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3560
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:232
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2C6BDCDAB83DF8A0DF1D26B98EF30B1A2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSID86E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240638375 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:4560
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIDB8C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240638875 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:3012
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIE457.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240641156 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:32
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSIF091.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240644281 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:3012
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2EE8A700424EF5DCCCC87D80013ADBBA E Global\MSI00002⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1084 -
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1236 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:2536
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1252
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000QWCvNIAX" /AgentId="95a85604-24f7-4a44-8581-bf20d77571a2"2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2924
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E41BF13C387E0BB4A9F7EA87E6452CB2 E Global\MSI00002⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
PID:1304 -
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{966B9434-2AA4-40C1-9B7F-8AA3BD8929B2}3⤵
- Executes dropped EXE
PID:1128
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0A7381D3-C7B4-472C-A00A-6DA18B499F7B}3⤵
- Executes dropped EXE
PID:396
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{67B6ACF5-8779-4538-964D-59A1BCBF160C}3⤵
- Executes dropped EXE
PID:1908
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{75C6FC68-6E3F-4A99-9F82-1D2B17EB4920}3⤵
- Executes dropped EXE
PID:2096
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CF64FBB3-A12B-42CD-B438-90AB341A4FB0}3⤵
- Executes dropped EXE
PID:840
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E61807B4-02AC-4FD6-AFAB-3C914D7975B3}3⤵
- Executes dropped EXE
PID:32
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7FDED6FB-7778-4D63-8571-BC88C190BE7F}3⤵
- Executes dropped EXE
PID:3272
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{505E79A8-0A55-4573-AE68-1E8C2957B179}3⤵
- Executes dropped EXE
PID:2360
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{513ED80E-0ECA-43A5-879B-BCB79B44818B}3⤵
- Executes dropped EXE
PID:700
-
-
C:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exeC:\Windows\TEMP\{7F323E6B-6615-4470-B926-D3E75E30CA11}\_is360F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{91265D18-6C83-45B8-96DC-4D8CFB828BE3}3⤵
- Executes dropped EXE
PID:3940
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4468 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRServer.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2568
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2360 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRApp.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4708
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"3⤵PID:4232
-
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAppPB.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4028
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4388 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeature.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:700
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2852 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRFeatMini.exe /T4⤵
- Kills process with taskkill
PID:4604
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:60 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRManager.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4276
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:4604 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAgent.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:3940
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:396 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1824
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:3144 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRAudioChat.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:1300
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"3⤵
- System Location Discovery: System Language Discovery
PID:2036 -
C:\Windows\SysWOW64\taskkill.exetaskkill.exe /F /IM SRVirtualDisplay.exe /T4⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2928
-
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3A22EF20-F182-4878-AA61-67E9838553B5}3⤵
- Executes dropped EXE
PID:1544
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8E5A96DB-F1BD-4BE1-9CF5-39E356BDFC6D}3⤵
- Executes dropped EXE
PID:1088
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6BA825F2-515C-4606-B324-E987957C163E}3⤵
- Executes dropped EXE
PID:2928
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{81ACA161-28C3-482F-9CE2-A2888553801C}3⤵
- Executes dropped EXE
PID:2628
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AE5EAC09-9801-42D4-921F-A2798F698C75}3⤵
- Executes dropped EXE
PID:1312
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{77D21591-EF58-4786-8CEA-85D4BCBCA380}3⤵
- Executes dropped EXE
PID:2928
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D04CB491-2F89-4E55-B41F-580DE0BBBA89}3⤵
- Executes dropped EXE
PID:2628
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{703F6AE3-E170-46BE-ACE6-BFF27713F25F}3⤵
- Executes dropped EXE
PID:32
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DD382113-76CA-48B6-9B0F-B43FD1663472}3⤵
- Executes dropped EXE
PID:840
-
-
C:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exeC:\Windows\TEMP\{5AF5C19A-62B3-4CA3-B9B7-1F4CF779209A}\_is4274.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E2F1257C-332F-4627-A478-ECFB97FDE8E4}3⤵
- Executes dropped EXE
PID:3940
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2119E525-9EC0-47AD-8DEF-66765CD40CFC}3⤵
- Executes dropped EXE
PID:3956
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{27FDA244-E1D9-4921-AB37-E2A9308F5584}3⤵
- Executes dropped EXE
PID:2444
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5149BF4C-FBD3-46D3-8199-26AC4CFED1BD}3⤵
- Executes dropped EXE
PID:4752
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A0636FAB-D7A7-42B7-B6B2-9AB0E369E375}3⤵
- Executes dropped EXE
PID:700
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DCBFA803-4623-40E0-AED5-EF89FADEC850}3⤵
- Executes dropped EXE
PID:4276
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4E595B12-15D5-4954-A79F-4976C05291B5}3⤵
- Executes dropped EXE
PID:840
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{10EC9A00-B58D-43C4-AC0D-D9E9BE559C61}3⤵
- Executes dropped EXE
PID:3940
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30F4A836-EA55-47E8-8B41-F354004EF22D}3⤵
- Executes dropped EXE
PID:1908
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AFEBAC14-C37C-404F-B94F-C485ADD4CE0E}3⤵
- Executes dropped EXE
PID:2444
-
-
C:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exeC:\Windows\TEMP\{F657DA99-872E-44C5-B833-7A94DBE4DE72}\_is4E2D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{733E63E9-ED88-40ED-B4A9-22CC869B1280}3⤵
- Executes dropped EXE
PID:4752
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1908
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:848 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:2444
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"4⤵PID:2444
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3452
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{83124D80-BA81-46D4-83AB-8C107B5092C3}3⤵
- Executes dropped EXE
PID:5308
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7BA8174-4338-4853-8760-68FC2527972A}3⤵
- Executes dropped EXE
PID:5392
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2EBC6D65-3544-4364-9BAD-9B29B1C4243F}3⤵
- Executes dropped EXE
PID:5424
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{73B2FE07-0182-4EE2-961A-8D571334FE88}3⤵
- Executes dropped EXE
PID:5456
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CCF76702-55BC-4AFB-B7BF-19B057FF2C42}3⤵
- Executes dropped EXE
PID:5492
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5952E51-2E55-49D6-950D-A902F37E0DDE}3⤵
- Executes dropped EXE
PID:5568
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7633B24E-DF35-420B-B85A-14F89224E563}3⤵
- Executes dropped EXE
PID:5600
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{45DF1F2E-7379-435A-BFDE-C33FDF5EC436}3⤵
- Executes dropped EXE
PID:5632
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F2BE745-57F6-44D0-B4E3-87916DBE4B7D}3⤵
- Executes dropped EXE
PID:5668
-
-
C:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exeC:\Windows\TEMP\{CC04A72A-7D27-4022-AC39-2BBE9F2080B9}\_is609D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{65F3EF46-1A2F-4BF7-89E0-994C42C205FE}3⤵
- Executes dropped EXE
PID:5700
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
PID:5748
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A97097A7-55BD-4EE5-A2B5-8B2F35029F41}3⤵
- Executes dropped EXE
PID:5940
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AC441D3D-1752-4DED-BB21-448F6532332F}3⤵
- Executes dropped EXE
PID:5976
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66DDCFF1-98B8-4CAF-A8AC-79A0755ADDB8}3⤵
- Executes dropped EXE
PID:6008
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AB62EAC0-E95B-4284-B523-12FE2200F3F7}3⤵
- Executes dropped EXE
PID:6040
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2FD35378-3533-4853-99DA-92B15AD8386B}3⤵
- Executes dropped EXE
PID:6076
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{35E60DC4-F3D0-4F38-874A-D868A041C386}3⤵
- Executes dropped EXE
PID:3760
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F1ED5AD3-9EDE-4F26-B7B2-B23D36227A85}3⤵
- Executes dropped EXE
PID:1096
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8881417F-7243-4551-BCA5-90E184DDC015}3⤵
- Executes dropped EXE
PID:3272
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8C22F35D-6913-4FC7-8AEE-318CF5386938}3⤵PID:5216
-
-
C:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exeC:\Windows\TEMP\{8A3B8B3C-BA6D-4187-BC97-4DADE39DDB57}\_is633E.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9CE079AB-3011-4544-8AD3-C9CE5D274FEE}3⤵PID:5288
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r3⤵
- System Location Discovery: System Language Discovery
PID:5360
-
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 08177B9058AB85F15FBE08C319EEF01E E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:1892
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding E2B061A7EBA2B8277D3AA9025DE72B14 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:3596
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 27622519076CC08C6FDCECB1D5279288 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:4764
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 14A845E09AE53D148E8735E72F2A5586 E Global\MSI00002⤵
- System Location Discovery: System Language Discovery
PID:1164 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI3F6C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240992187 483 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId3⤵
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2056
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI4038.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240992296 487 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5468
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI4308.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240993000 492 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:6832
-
-
C:\Windows\SysWOW64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:4496 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:2756
-
-
-
C:\Windows\SysWOW64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:2704
-
-
C:\Windows\syswow64\NET.exe"NET" STOP AteraAgent3⤵
- System Location Discovery: System Language Discovery
PID:736 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 STOP AteraAgent4⤵
- System Location Discovery: System Language Discovery
PID:2844
-
-
-
C:\Windows\syswow64\TaskKill.exe"TaskKill.exe" /f /im AteraAgent.exe3⤵
- System Location Discovery: System Language Discovery
- Kills process with taskkill
PID:4736
-
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe "C:\Windows\Installer\MSI5F82.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241000312 530 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5396
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u2⤵
- Drops file in System32 directory
PID:1680
-
-
C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="" /AgentId="70d809b9-bcbc-4a7a-8d47-74f23b3ecea2"2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:6996
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2060
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3424 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:4448
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "f78279ee-f8c8-495b-addd-cdf845ea8710" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3816
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "9d094834-ed97-4497-bf76-e76916334310" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QWCvNIAX2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:3500
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "5952d8f1-126f-460a-be00-09f5d5263b53" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000QWCvNIAX2⤵
- Executes dropped EXE
PID:2452
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "50c53aaa-d881-4118-9768-1657943093f9" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000QWCvNIAX2⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4024 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:1272
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵
- Suspicious use of WriteProcessMemory
PID:2436 -
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:3624
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "60fb3d82-22ea-48d9-a388-b704de806143" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOjMsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000QWCvNIAX2⤵
- Downloads MZ/PE file
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1172 -
C:\Windows\TEMP\SplashtopStreamer.exe"C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=13⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\Temp\unpack\PreVerCheck.exe"C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=14⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4280 -
C:\Windows\SysWOW64\msiexec.exemsiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"5⤵
- System Location Discovery: System Language Discovery
PID:4204
-
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "f2bc31a9-6997-4d90-b376-f04bf0396f0f" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
- Executes dropped EXE
- Loads dropped DLL
PID:1500
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2404 -
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/250002⤵
- Launches sc.exe
PID:3628
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "a7ffe63a-aec9-4b93-abbc-35a4738da26b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000QWCvNIAX2⤵PID:1440
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"3⤵
- Drops file in System32 directory
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
PID:1128
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus3⤵PID:5192
-
C:\Windows\system32\cscript.execscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus4⤵
- Modifies data under HKEY_USERS
PID:3760
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7023cd47-7d2b-46db-9cbe-28807cf8127e" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000QWCvNIAX2⤵PID:5900
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=7ac342f4079103186691d69066adbc4d&rmm_session_pwd_ttl=86400"3⤵
- System Location Discovery: System Language Discovery
PID:844
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
PID:2416
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "8dca9590-cba8-4aec-ae0e-f62eb5aa4b64" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
PID:4592
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "228a4fc5-eb43-41aa-9be8-65ccc324fd72" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
PID:4012
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "0349ee17-c4b8-4682-9d87-dbeef2a42cf9" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000QWCvNIAX2⤵PID:2680
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "48383b4b-1c2f-4945-88ae-c421e3a2b7e8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QWCvNIAX2⤵PID:2992
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "c116db09-ee0a-492e-a5ef-835f10d125bf" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIyZ2V0LWluc3RhbGxlZC1zb2Z0d2FyZVx1MDAyMixcdTAwMjJDYWNoZVR0bEhvdXJzXHUwMDIyOjEyfSJ9" 001Q300000QWCvNIAX2⤵PID:1304
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7956bac2-53ef-4265-b421-f3c7c6bffb0f" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
- Modifies registry class
PID:5804
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "c377a29d-c5fd-4aa0-a2ef-b1eb02633ec4" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
PID:6344 -
C:\Windows\SYSTEM32\msiexec.exe"msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart3⤵
- Modifies data under HKEY_USERS
PID:5908
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "4dc2e0a9-15cb-4a7f-9be3-0ffe1b1df719" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QWCvNIAX2⤵
- Writes to the Master Boot Record (MBR)
PID:6864
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "59d433c1-c172-4660-89c3-eb197ee5815f" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9wYWNrYWdlc3N0b3JlLmJsb2IuY29yZS53aW5kb3dzLm5ldC9pbnN0YWxsZXJzL0FueURlc2svV2luZG93cy9BZ2VudF9BbnlEZXNrX0N1c3RvbV9DbGllbnRfOS4wLjMubXNpIiwiRm9yY2VJbnN0YWxsIjpmYWxzZSwiVGFyZ2V0VmVyc2lvbiI6IjkuMC4zIn0=" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
PID:6884
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "08a8d732-5069-4ee4-b5db-064c80e2ddaf" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
PID:6896
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "2fb19f14-a507-42eb-bb2c-511ebe3110e5" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000QWCvNIAX2⤵
- Drops file in System32 directory
PID:6908
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "18403373-6495-45c1-b1ee-40c3256eff48" agent-api.atera.com/Production 443 or8ixLi90Mf "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" 001Q300000QWCvNIAX2⤵
- Downloads MZ/PE file
- Drops file in System32 directory
PID:6952 -
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:6296 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:3712
-
-
-
C:\Program Files\dotnet\dotnet.exe"C:\Program Files\dotnet\dotnet" --list-runtimes3⤵
- System Time Discovery
PID:6756
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe" /repair /quiet /norestart3⤵
- System Location Discovery: System Language Discovery
PID:5532 -
C:\Windows\Temp\{67036D4D-AB98-4745-9BE6-607E8BB206FF}\.cr\8-0-11.exe"C:\Windows\Temp\{67036D4D-AB98-4745-9BE6-607E8BB206FF}\.cr\8-0-11.exe" -burn.clean.room="C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\8-0-11.exe" -burn.filehandle.attached=692 -burn.filehandle.self=720 /repair /quiet /norestart4⤵
- System Location Discovery: System Language Discovery
- System Time Discovery
PID:1208 -
C:\Windows\Temp\{CF35A14D-E8C6-4D04-824C-4DE39146EC6C}\.be\dotnet-runtime-8.0.11-win-x64.exe"C:\Windows\Temp\{CF35A14D-E8C6-4D04-824C-4DE39146EC6C}\.be\dotnet-runtime-8.0.11-win-x64.exe" -q -burn.elevated BurnPipe.{BD6AA637-D842-4579-B4BD-8D445E0688CC} {89F0B60D-B4CD-46F0-82B1-28F7F6C59915} 12085⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- System Time Discovery
- Modifies registry class
PID:5952
-
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:6172 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:6164
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /3⤵
- System Time Discovery
PID:5220 -
C:\Program Files\dotnet\dotnet.exedotnet --list-runtimes4⤵
- System Time Discovery
PID:7140
-
-
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵PID:6856
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵PID:5004
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "4dc2e0a9-15cb-4a7f-9be3-0ffe1b1df719" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QWCvNIAX2⤵
- Writes to the Master Boot Record (MBR)
PID:1312
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵PID:6256
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵PID:6996
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "48383b4b-1c2f-4945-88ae-c421e3a2b7e8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QWCvNIAX2⤵PID:6320
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "8dca9590-cba8-4aec-ae0e-f62eb5aa4b64" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QWCvNIAX2⤵PID:5724
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵PID:7020
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵
- Modifies data under HKEY_USERS
PID:4596
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "4dc2e0a9-15cb-4a7f-9be3-0ffe1b1df719" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QWCvNIAX2⤵
- Writes to the Master Boot Record (MBR)
PID:3304
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵PID:5424
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵PID:6448
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "8dca9590-cba8-4aec-ae0e-f62eb5aa4b64" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QWCvNIAX2⤵PID:6592
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "48383b4b-1c2f-4945-88ae-c421e3a2b7e8" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QWCvNIAX2⤵PID:6404
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX2⤵PID:6148
-
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "4dc2e0a9-15cb-4a7f-9be3-0ffe1b1df719" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QWCvNIAX2⤵
- Writes to the Master Boot Record (MBR)
PID:5912
-
-
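Every package the agent spawns in the tree above is launched with the same eight positional arguments: the package exe, the agent GUID (95a85604-…), a per-task GUID, agent-api.atera.com/Production, 443, a short token, a command, and the account id 001Q300000QWCvNIAX. The command is either a verb ("heartbeat", "monitor", "install …") or a base64 JSON blob; the AgentPackageSTRemote blob decodes to the Splashtop RmmCode that SRUtility.exe later receives as rmm_code, and the AgentPackageADRemote blob decodes to an instruction to fetch an AnyDesk custom client MSI from packagesstore.blob.core.windows.net. The helper below is an added example for this report, not Atera's code or part of the sandbox output: it tokenizes such command lines, decodes the embedded payloads, and flags the dispatches that push a second remote-access tool. The eight-field layout is an assumption inferred from the lines on this page, and the sample input is four command lines copied from the tree.

```python
"""Triage helper for the AteraAgent package dispatches in the process tree
above. Added example for this report, not Atera's own code.

Assumption (inferred from the tree): every package is launched with eight
arguments, in order: exe, agent GUID, task GUID, API endpoint, port, token,
command (a verb, a base64 JSON blob, or "verb blob"), account id.
"""
import base64
import binascii
import json
import re

# Constructed sample: four command lines copied verbatim from the tree above.
SAMPLE_CMDLINES = [
    r'"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "60fb3d82-22ea-48d9-a388-b704de806143" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOjMsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000QWCvNIAX',
    r'"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "59d433c1-c172-4660-89c3-eb197ee5815f" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9wYWNrYWdlc3N0b3JlLmJsb2IuY29yZS53aW5kb3dzLm5ldC9pbnN0YWxsZXJzL0FueURlc2svV2luZG93cy9BZ2VudF9BbnlEZXNrX0N1c3RvbV9DbGllbnRfOS4wLjMubXNpIiwiRm9yY2VJbnN0YWxsIjpmYWxzZSwiVGFyZ2V0VmVyc2lvbiI6IjkuMC4zIn0=" 001Q300000QWCvNIAX',
    r'"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "c116db09-ee0a-492e-a5ef-835f10d125bf" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIyZ2V0LWluc3RhbGxlZC1zb2Z0d2FyZVx1MDAyMixcdTAwMjJDYWNoZVR0bEhvdXJzXHUwMDIyOjEyfSJ9" 001Q300000QWCvNIAX',
    r'"C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "e0ccf6cc-9689-4ac8-a41f-ed9fb9e5e68d" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX',
]

# Packages that, per the tree above, install or drive a second remote-access tool.
REMOTE_ACCESS_PACKAGES = {
    "AgentPackageSTRemote": "Splashtop Streamer",
    "AgentPackageADRemote": "AnyDesk",
}

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted spans whole."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def decode_b64_json(word):
    """Return the dict a base64 word encodes, or None if it is not base64 JSON.

    Some payloads carry a second JSON document inside the "Arguments" string
    (escaped as \\u0022 quotes); that inner document is decoded as well."""
    try:
        obj = json.loads(base64.b64decode(word, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None
    if not isinstance(obj, dict):
        return None
    if isinstance(obj.get("Arguments"), str):
        try:
            obj["Arguments"] = json.loads(obj["Arguments"])
        except ValueError:
            pass
    return obj


def parse_dispatch(cmdline):
    """Parse one AteraAgent package launch; None if the line is not one."""
    tok = tokenize(cmdline)
    if len(tok) != 8 or not tok[0].lower().endswith(".exe"):
        return None
    if "atera" not in tok[3].lower() or not tok[4].isdigit():
        return None
    verb, payload = None, None
    for word in tok[6].split():          # "install eyJ..." -> verb + blob
        blob = decode_b64_json(word)
        if blob is not None and payload is None:
            payload = blob
        elif verb is None:
            verb = word
    return {
        "package": tok[0].rsplit("\\", 1)[-1][:-4],
        "agent_id": tok[1],
        "task_id": tok[2],
        "api": tok[3],
        "port": int(tok[4]),
        "account_id": tok[7],
        "verb": verb,
        "payload": payload,
    }


def remote_access_findings(dispatch):
    """Reasons a dispatch looks like a remote-access tool being pushed."""
    reasons = []
    tool = REMOTE_ACCESS_PACKAGES.get(dispatch["package"])
    if tool:
        reasons.append(f"{dispatch['package']} launched ({tool})")
    payload = dispatch["payload"] or {}
    if "RmmCode" in payload:
        reasons.append(f"Splashtop RMM enrolment code {payload['RmmCode']}")
    if payload.get("InstallationFileUrl"):
        reasons.append(f"installer pulled from {payload['InstallationFileUrl']}")
    return reasons


def triage(cmdlines):
    """Parse every Atera dispatch in the input and attach its findings."""
    results = []
    for line in cmdlines:
        dispatch = parse_dispatch(line)
        if dispatch is not None:
            dispatch["findings"] = remote_access_findings(dispatch)
            results.append(dispatch)
    return results


if __name__ == "__main__":
    for d in triage(SAMPLE_CMDLINES):
        print(f"{d['package']:26} {d['verb']!s:10} {'; '.join(d['findings']) or '-'}")
```

Feed it the command-line column of a process tree or EDR export and the two dispatches worth a second look fall out: the Splashtop install carrying RmmCode hZCDFPhK75mJ (the same value SRUtility.exe later receives as rmm_code) and the AnyDesk fetch, while heartbeats and inventory pulls decode to nothing of interest. Atera, Splashtop and AnyDesk are all legitimate RMM products, so the finding is not any single binary but the chain: an MSI named NF-0459.msi enrolling the host into Atera account 001Q300000QWCvNIAX, which then drops SplashtopStreamer.exe into C:\Windows\TEMP and is instructed to install an AnyDesk custom client. The check a responder wants is whether that account id and enrolment code belong to the organization's own MSP.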
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4384
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5444 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"2⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5488 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe-h3⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5784
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"3⤵
- Drops file in Program Files directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:5572 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v4⤵PID:5308
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5544
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"3⤵
- System Location Discovery: System Language Discovery
PID:6016 -
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exeSRUtility.exe -r4⤵
- System Location Discovery: System Language Discovery
PID:5172
-
-
-
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5788
-
-
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding1⤵
- Drops file in Windows directory
PID:5432
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:6200
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt1⤵PID:6724
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵PID:2028
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"1⤵PID:4540
-
C:\Windows\system32\NOTEPAD.EXE  [PID 6264]
  cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe  [PID 2516]
  cmd: "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"

C:\Windows\system32\OpenWith.exe  [PID 4040]
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\NOTEPAD.EXE  [PID 6856]
      cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

C:\Windows\system32\OpenWith.exe  [PID 4012]
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\NOTEPAD.EXE  [PID 5376]
      cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

C:\Windows\system32\OpenWith.exe  [PID 3360]
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\NOTEPAD.EXE  [PID 5356]
      cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

C:\Windows\system32\OpenWith.exe  [PID 4424]
  cmd: C:\Windows\system32\OpenWith.exe -Embedding
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
    C:\Windows\system32\NOTEPAD.EXE  [PID 4744]
      cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\ATERA Networks\AteraAgent\inprocmessaging\trayProcessMessages.json

C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4148]
  cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
    C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4848]
      cmd: "C:\Program Files\Mozilla Firefox\firefox.exe"
      - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 2932]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1892 -prefMapHandle 1884 -prefsLen 27164 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3672023f-1102-408a-81e8-16d1a80beb0b} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" gpu
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6500]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2376 -parentBuildID 20240401114208 -prefsHandle 2368 -prefMapHandle 2356 -prefsLen 27200 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8278332c-a225-4a04-bc0a-136c20f1d516} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" socket
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4624]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2900 -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 3076 -prefsLen 27341 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3cbfd118-88d4-4541-bef2-455ee6a129a2} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5516]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4140 -childID 2 -isForBrowser -prefsHandle 4132 -prefMapHandle 4128 -prefsLen 32574 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ccc5377d-2340-4c76-821e-0739d4e15b54} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6756]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4988 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4984 -prefMapHandle 4980 -prefsLen 32574 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4686a48e-d934-4ee5-9a80-2e21e00b3f5e} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" utility
          - Checks processor information in registry
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 7000]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5448 -childID 3 -isForBrowser -prefsHandle 5412 -prefMapHandle 5436 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a4166c72-3033-4c8c-944f-c8a7a8245fa0} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5580]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5580 -childID 4 -isForBrowser -prefsHandle 5588 -prefMapHandle 5592 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {de1d1b91-4873-4021-92ce-28450cc69b8b} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6056]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5772 -childID 5 -isForBrowser -prefsHandle 5780 -prefMapHandle 5784 -prefsLen 27035 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {df4cb48f-4af8-4c29-a810-42b3d332abc1} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4684]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6156 -childID 6 -isForBrowser -prefsHandle 6180 -prefMapHandle 6176 -prefsLen 27305 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cf477ac6-96c2-47a0-a6e0-954c8f4e84b5} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 4640]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5500 -childID 7 -isForBrowser -prefsHandle 5192 -prefMapHandle 4904 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5baa043c-6940-4606-aaed-56411c5c2803} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3580]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1564 -parentBuildID 20240401114208 -prefsHandle 2572 -prefMapHandle 1584 -prefsLen 34272 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d33b642-090a-47c4-9f60-4bc7f7df83cf} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" rdd
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1028]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5880 -childID 8 -isForBrowser -prefsHandle 5892 -prefMapHandle 5888 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fcc319c4-21a6-42d4-8fef-cd270b48eaad} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1956]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7532 -childID 9 -isForBrowser -prefsHandle 7524 -prefMapHandle 7520 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {860494f6-5eb8-405a-81d7-1a459e3bb5fd} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6300]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7188 -childID 10 -isForBrowser -prefsHandle 7548 -prefMapHandle 7544 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5763972-9fd0-439a-9321-b3ba834eede9} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 2108]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7572 -childID 11 -isForBrowser -prefsHandle 5480 -prefMapHandle 5508 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ffb6b2e6-16d1-40a2-8753-4f8690e685a2} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1820]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7956 -childID 12 -isForBrowser -prefsHandle 7960 -prefMapHandle 7908 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dfa27bc9-16ff-4920-a72c-4b7bbabd20f4} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 2868]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8260 -childID 13 -isForBrowser -prefsHandle 8256 -prefMapHandle 8244 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0e86c0ff-3f4e-4c7f-91b1-3a53fda18f9c} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 3380]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8500 -childID 14 -isForBrowser -prefsHandle 8492 -prefMapHandle 8488 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d132fba2-634f-4519-ba32-f980953a7312} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6660]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8684 -childID 15 -isForBrowser -prefsHandle 8604 -prefMapHandle 8612 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c3b22e1-00b0-4d16-b9a4-eeb68f9806da} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1680]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7720 -childID 16 -isForBrowser -prefsHandle 8288 -prefMapHandle 7716 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63346a4c-1e37-401c-948d-ef21662c0c65} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 7076]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7720 -childID 17 -isForBrowser -prefsHandle 8656 -prefMapHandle 8648 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {15015340-83af-40be-8ea1-cadce5932565} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5600]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8876 -childID 18 -isForBrowser -prefsHandle 8804 -prefMapHandle 5868 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {417de253-4386-4509-bea4-2dfbbc680505} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6412]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8648 -childID 19 -isForBrowser -prefsHandle 8988 -prefMapHandle 8984 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8115fd2e-7eef-4072-b0a5-076d3c81f00a} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5500]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8304 -childID 20 -isForBrowser -prefsHandle 7116 -prefMapHandle 4736 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {85b99656-23c6-4d77-9479-fdee03d83282} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 6480]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7464 -childID 21 -isForBrowser -prefsHandle 8932 -prefMapHandle 9204 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0eda0613-7965-42be-9cae-bc01e708f153} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 5312]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7716 -childID 22 -isForBrowser -prefsHandle 8260 -prefMapHandle 8344 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b017acfb-5699-4045-9892-d8757659d1a3} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1324]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9724 -childID 23 -isForBrowser -prefsHandle 8492 -prefMapHandle 7108 -prefsLen 28092 -prefMapSize 244628 -jsInitHandle 1316 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1e87f67-ac2e-4da0-ad3d-5f88f5608d19} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" tab
        C:\Program Files\Mozilla Firefox\firefox.exe  [PID 1260]
          cmd: "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7484 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 2716 -prefMapHandle 6540 -prefsLen 34272 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f4942549-31ad-4881-a125-5122877b0959} 4848 "\\.\pipe\gecko-crash-server-pipe.4848" utility
          - Checks processor information in registry

C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe  [PID 6092]
  cmd: "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
    C:\Windows\System32\sc.exe  [PID 4172]
      cmd: "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      - Launches sc.exe
    C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe  [PID 2828]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "96da416d-39f1-4a0e-9056-9df0f4e91493" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe  [PID 6636]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "4164f63c-57aa-4949-b268-875e882a5dd4" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe  [PID 6656]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "f87ab605-321b-448f-a843-de0f61dec600" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIyZ2V0LWluc3RhbGxlZC1zb2Z0d2FyZVx1MDAyMixcdTAwMjJDYWNoZVR0bEhvdXJzXHUwMDIyOjEyfSJ9" 001Q300000QWCvNIAX
      - Drops file in Program Files directory
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe  [PID 5984]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "31f2e66d-2be9-4683-bfe7-353c093ae16d" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000QWCvNIAX
      - Modifies data under HKEY_USERS
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  [PID 2772]
          cmd: "powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"
          - Drops file in System32 directory
          - Command and Scripting Interpreter: PowerShell
          - Modifies data under HKEY_USERS
        C:\Windows\System32\cmd.exe  [PID 1232]
          cmd: "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
            C:\Windows\system32\cscript.exe  [PID 6076]
              cmd: cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
              - Modifies data under HKEY_USERS
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe  [PID 1052]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "881a86e8-0d07-49a4-a12c-04cdbaaf77a2" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe  [PID 3060]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7ae0c879-59f8-43f4-a191-d9f1cf317132" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9wYWNrYWdlc3N0b3JlLmJsb2IuY29yZS53aW5kb3dzLm5ldC9pbnN0YWxsZXJzL0FueURlc2svV2luZG93cy9BZ2VudF9BbnlEZXNrX0N1c3RvbV9DbGllbnRfOS4wLjMubXNpIiwiRm9yY2VJbnN0YWxsIjpmYWxzZSwiVGFyZ2V0VmVyc2lvbiI6IjkuMC4zIn0=" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe  [PID 472]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7758d8ed-eb53-4213-8d15-2ac9c4a62a2e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe  [PID 6996]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "394e0290-51e5-4809-abaf-abf179757989" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QWCvNIAX
      - Modifies data under HKEY_USERS
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe  [PID 6724]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "8937431e-3f88-42e3-bdc9-69d6fe217239" agent-api.atera.com/Production 443 or8ixLi90Mf "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" 001Q300000QWCvNIAX
        C:\Windows\SYSTEM32\cmd.exe  [PID 1668]
          cmd: "cmd.exe" /K "cd /d C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
          - System Time Discovery
            C:\Program Files\dotnet\dotnet.exe  [PID 2108]
              cmd: dotnet --list-runtimes
              - System Time Discovery
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe  [PID 6988]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "69bd28cf-9222-42eb-a0e2-f01c65da9ab6" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QWCvNIAX
      - Writes to the Master Boot Record (MBR)
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe  [PID 5836]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "3b6ab8aa-be5c-4af3-a6e3-42432189cbb5" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000QWCvNIAX
        C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe  [PID 4484]
          cmd: "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=7ac342f4079103186691d69066adbc4d&rmm_session_pwd_ttl=86400"
          - System Location Discovery: System Language Discovery
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe  [PID 2620]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "5dcd043d-ae7d-427c-a166-0dc6bc8f4e61" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000QWCvNIAX
      - Modifies registry class
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe  [PID 684]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "a313463c-9497-4661-912b-43dffadf03af" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe  [PID 2064]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "2e63d652-9334-4b21-b072-a22d800e6331" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000QWCvNIAX
      - Drops file in Program Files directory
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe  [PID 5260]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "cc1aad2c-0020-47d6-8df3-804119b76647" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000QWCvNIAX
        C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe  [PID 628]
          cmd: "C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "95a85604-24f7-4a44-8581-bf20d77571a2" "cc1aad2c-0020-47d6-8df3-804119b76647" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates" "001Q300000QWCvNIAX"
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe  [PID 2244]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7758d8ed-eb53-4213-8d15-2ac9c4a62a2e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe  [PID 2880]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7758d8ed-eb53-4213-8d15-2ac9c4a62a2e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe  [PID 3764]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "69bd28cf-9222-42eb-a0e2-f01c65da9ab6" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QWCvNIAX
      - Writes to the Master Boot Record (MBR)
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe  [PID 7160]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7758d8ed-eb53-4213-8d15-2ac9c4a62a2e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe  [PID 6400]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "96da416d-39f1-4a0e-9056-9df0f4e91493" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe  [PID 6532]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "394e0290-51e5-4809-abaf-abf179757989" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe  [PID 2924]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7758d8ed-eb53-4213-8d15-2ac9c4a62a2e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX
    C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe  [PID 6552]
      cmd: "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 95a85604-24f7-4a44-8581-bf20d77571a2 "7758d8ed-eb53-4213-8d15-2ac9c4a62a2e" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QWCvNIAX

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe  [PID 2328]
  cmd: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding

C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe  [PID 6472]
  cmd: "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe"

C:\Windows\system32\NOTEPAD.EXE  [PID 6252]
  cmd: "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\ATERA Networks\AteraAgent\log.txt
Network
MITRE ATT&CK Enterprise v15 (technique, sub-technique, hit count)

Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Installer Packages (1)
  Pre-OS Boot (1)
    Bootkit (1)

Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Event Triggered Execution (2)
    Component Object Model Hijacking (1)
    Installer Packages (1)

Defense Evasion
  Modify Registry (2)
  Pre-OS Boot (1)
    Bootkit (1)
  Subvert Trust Controls (1)
    Install Root Certificate (1)
  System Binary Proxy Execution (1)
    Msiexec (1)
Downloads
Filesize109KB
MD5f38140dca6604bb2fa225120ab64f1f9
SHA1fb051bd98580efaa446af16dc45fbd296e2c6c5c
SHA256e02d6383678b394db45f11dcd06f309745b30f9e94ffbc33c9c9433a6b211cca
SHA512eb6310d2a02a642c634bdf1f0f6c74c530e995a125b1641732f086efd25c4ced0836562579a22445e5e1582b72707ccf3b22f1fdb50b970ebcb5a694c2f79ab5
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
Filesize693KB
MD5a336fba63cbca9d841cd3188f59be1cb
SHA1d486c67f142f8683bca8d5f487602bff599403ee
SHA256e4ccf5985d2f5006d42cfe002b39651ef0c9f1b8db60453d0f682d6d62cac23f
SHA5129f0c65170a7105bbbafe1ba69bbbc965c41bd009f8d8642542cc54af7520252307f4be9e09c8a7d0ccb6fee42370d80338ac6e83f993b5dc8a6275777e3cafe9
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
Filesize27KB
MD5797c9554ec56fd72ebb3f6f6bef67fb5
SHA140af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb
SHA2567138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49
SHA5124f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
Filesize214KB
MD501807774f043028ec29982a62fa75941
SHA1afc25cf6a7a90f908c0a77f2519744f75b3140d4
SHA2569d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e
SHA51233bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
Filesize37KB
MD5efb4712c8713cb05eb7fe7d87a83a55a
SHA1c94d106bba77aecf88540807da89349b50ea5ae7
SHA25630271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75
SHA5123594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8
-
Filesize
3.5MB
MD5723a7f489fb1861821fee5f5de0acba0
SHA1ad76a8ec8cd52346c575894e08c458e1adf620b7
SHA2560b1afe081f2e2aefdcf40cada67e79e287536999e99145748aeeb4f0010730f5
SHA512b3ea87dd52d79b73b443154b71ea44da1ce86032bb4646d2a2813218e55113b3c1b854dc638229ecda370fa49863228dea1e86b6d455457095a9de865e25b0e1
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
Filesize396KB
MD5b5929e2ca0e402a373b633bb78d0414a
SHA138146d4f3ddca1b1e854bf638b7722356e5e2195
SHA256d7b43a4807e1841b94353656fcfd45b69f7550adf137c56aefb85104883fb821
SHA51265e02019656d61238b8fc784496eb6ccf238a5f6eff9b101893641cb45d9c63058cf67abb2bc75007e9e2726458115eb8e9ad9a4cf34a86435ea637dc78c3ea6
-
Filesize
48KB
MD56386d536403c35204ae066d30c23087b
SHA1ee96c52cc5af8cf8093887f637d3e0e0a16463c2
SHA2561241631e026974cb6432dad05bd864ae2c439b4b737d5af2afe9bcad5d936124
SHA5126fe23f0bc05ecb69ac344ec3d4f5b4593ba4c45d23dd7c15321c08ad5d21dcee4c61fbf8ad642aeec32c5a141ccf3e2c63cf3dfc7fb94079c105195af77950cd
-
Filesize
48KB
MD56f4ba72d44c0c9bcaf80ab1a05ba338c
SHA1201cd9a15141a45f320556f109321c05455fa384
SHA2569ea4fcaaf9650a760cbfca5bbec4818de7836d4c6bf265710826f3a315a0fd3d
SHA5125d89b3ac4d50a5a490f84fbfcf7faff345af8de62dd46ffcd4c0fa317e9ff0fbb044f8a54d240584bc19a4e93791d59e1d7956485c8233d48f4ad96c372da3e2
-
Filesize
48KB
MD56cc3a5f71a3dd134f22fdfbb8f31ea70
SHA15e0a32e63b8da4ee9ee815ef8b8c477217201924
SHA25677eebf05ea81e94cebd2c46b333351de6b8ebcec95eadfcb6422f4a2fcaeb507
SHA512f2e77ad1074b0e07902b8f8f627f082bda13eb0283ad110a871ad227dd1df72d0500538ed21d617a3eebfb6e09bb1ff8d9c633afec9d7e86c270912ad8a73966
-
Filesize
48KB
MD5dd5fe1fc7e8ba1bd6ab519790d2549ee
SHA1cc0b3ab595b74702b19f88b25505b3c4e0ed5074
SHA25621fcdfcbbd021c79fbf81f96a3b513b3fdfd4cb67b292d69958e75598a6522f1
SHA512d9ca238bcf966d2bff37d9725864296d264cc30423d1ba84c6b2a37faa289667d805191ac45f2d8b599fb58284420fee8f0a0e6ca89c26aca6d5e126352eaa13
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
Filesize214KB
MD56111e4d451e8c83bb84c77e7adc7d3e6
SHA1fb6c4702d8142ac52262cf7fd804a2a100154ca5
SHA256f820a82e28b7db8c8af494d8d14f83d79a3446e3d52d27713b1ad13e5fd18a99
SHA512d44cc7daba8f93c15854bf1467209f659ba074034ea27a4988b5d8f68a240d5c220ff5062848a355d4f3f6e96c714a0cf055a5e65c4cf4672b9d3070a76412ca
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
Filesize54KB
MD577c613ffadf1f4b2f50d31eeec83af30
SHA176a6bfd488e73630632cc7bd0c9f51d5d0b71b4c
SHA2562a0ead6e9f424cbc26ef8a27c1eed1a3d0e2df6419e7f5f10aa787377a28d7cf
SHA51229c8ae60d195d525650574933bad59b98cf8438d47f33edf80bbdf0c79b32d78f0c0febe69c9c98c156f52219ecd58d7e5e669ae39d912abe53638092ed8b6c3
-
Filesize
333KB
MD5745714d838c4d4f88c6e0db6a434f444
SHA190689ce709bf2464b678c7afa7b1e18f080d52bb
SHA256e35302995dad1d5e4b7147d8763f7262500271cf01eac8edfa896b392ac7139f
SHA51208cbfac0b604530108978c757ad8481c69ed62deac5520777bacee9751f3f260d2c3158609fd723819d8d6626c46b302fe7da7005efc09ab571871ac9d58a0ed
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
Filesize70KB
MD5e9b3a59f67febdd7f8fbe68d71c5d0ab
SHA122bd3ec3f8e0be2f317ade9d553acdb3ea11f52e
SHA256bff4de54dacec104e1e63659857ca99d3e9658dcc09d6e1cbf54dc7b22629cbf
SHA51200e95ea600777025a30e23c755522b869320ca445ac5bd74f123306457d0793efa338220cba9d064e5d25cc3dcf19d66e4e48d3a1c72d196eeb77fb61e4b0688
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
Filesize50KB
MD55bb0687e2384644ea48f688d7e75377b
SHA144e4651a52517570894cfec764ec790263b88c4a
SHA256963a4c7863beae55b1058f10f38b5f0d026496c28c78246230d992fd7b19b70a
SHA512260b661f52287af95c5033b0a03ac2e182211d165cadb7c4a19e5a8ca765e76fc84b0daf298c3eccb4904504a204194a9bf2547fc91039c3ec2d41f9977ff650
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
Filesize32KB
MD51a35c822b4e574c039dd81b1ab095097
SHA187d051da2e26366f5aae9ae4567082282ceced7f
SHA256e3da2a27ea6767c32e181f850dd2dfb14cac8a679f42f2b5e42d6bf1255e2e81
SHA512f06b796e11c10d547b7906a01b18197ed4a5ca177037c3a2bd65ac0e83568a84abe52a03590ff21b2f69424b7a24bfa5004a776a27af0afc24c9362f9835b209
-
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
Filesize60KB
MD599c72ae773f0e16818bc628e6c30272a
SHA1901b18faa2eeb35946746bcf80a3ed7a67f6daab
SHA2569159d0f626aebaca406d0ff9abfe19d6153f3d6eefbc1f831a48c17f4aea7a81
SHA512f05b5884ab3f8b2c0960c2ccbb982555948d293fd37bd29df1157d40c138f1eed6fc94ac5a7d7a4fd098755e9d242d4da992d073ddffcc8f0c543e538b322633
-
Filesize
588KB
MD517d74c03b6bcbcd88b46fcc58fc79a0d
SHA1bc0316e11c119806907c058d62513eb8ce32288c
SHA25613774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15
SHA512f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030
-
Filesize
218B
MD5520dda8429ceed255d61f0886b9d80c4
SHA12a3976860018d1569e7f31d7ebe225b009af034a
SHA256938652cea0b6d08727d0828e6c937747c3e277bf7ef142e9b1adac4f919c97ed
SHA512260393c01569efc6553ce040625c40e0330ed0e45b6524fcf2b05925098557a22dafc6a536bea7c11aac9ac26d785187e5862ea3fd37fe5ec6d2c099dd60c51a
-
Filesize
9KB
MD51ef7574bc4d8b6034935d99ad884f15b
SHA1110709ab33f893737f4b0567f9495ac60c37667c
SHA2560814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271
SHA512947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73
-
Filesize
10KB
MD5f512536173e386121b3ebd22aac41a4e
SHA174ae133215345beaebb7a95f969f34a40dda922a
SHA256a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a
SHA5121efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9
-
Filesize
76KB
MD5b40fe65431b18a52e6452279b88954af
SHA1c25de80f00014e129ff290bf84ddf25a23fdfc30
SHA256800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e
SHA512e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d
-
Filesize
80KB
MD53904d0698962e09da946046020cbcb17
SHA1edae098e7e8452ca6c125cf6362dda3f4d78f0ae
SHA256a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289
SHA512c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea
-
Filesize
96KB
MD5665e412f3830535647b3816b34b7aa0d
SHA19270a0ec6a4e4f675ed9848717df415e8b12e3d0
SHA25641d98410f375be0629f2c86eb667a908218105808ed3c3d22c3288ae55e74731
SHA51240d0bd1248656f312da9a4059f6f45eec0c4f464b484a804468c0258a12628252a89a9574779b9ffb4b82d09526cb19eb5458db4a2f4a5b508f1d52adb482528
-
Filesize
717B
MD5ef0a07aec4367a64c16c581da2657aa9
SHA113011a5abcbadb3424fb6ecee560665556bb1d24
SHA256f8c02541eba2fde1b29b3ce428cbb0f1913110d4bba9b52f7252f728e9fce987
SHA51235cfaedb4e5f754dde69f4cef508bbd6127408c405baa5ee2e20104f9aaa1ff2a228f0bfa42d51dcd1006e026ce238bd7042906e449ca78ef91e4d00b08c5c46
-
Filesize
1.3MB
MD540df7f2a02cdfa70ae76d70d21473428
SHA14baddbc082fdb197c77bc1c232be2881a82a7ec8
SHA256f037309cf6b0174ba282106da31c141e3912486c69c438a53afe7ff589743dc2
SHA5122522483e9d1b9fc20f14ffab3dcb2a9e5735a260e08e7196a05319076ad9b4d7a9fe94b28c52559022f003d2fe55ec5e4abcecb1b11f4000e804dae5b1c0126f
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.runtimeconfig.json
Filesize375B
MD5e8d9109bd15637b1fbf349f9c7ff776f
SHA119762daa20afc8085ba6417a7215f1fe2d619f60
SHA256c4a84cdd787cb31aaa46e8282f7d288f0641fdaa4252ac78979340131c8b9110
SHA5125cc792c0cdf32c4c893eebc6651aabed7428d2f467b58d3b58ad21dfce9dd4ee0924257b4699297f6d41069f27829ce8b8a711642f3208981761b48382d68b74
-
Filesize
1.6MB
MD568a52d3ec57a7fedf808624beca83db3
SHA1d5a43e0e0baf2a3e4e8da2d7e1c797fb01167b6a
SHA256de34a5193566b7dcb3365c283dbe3e2644e2fe65fb3915f20e0a9a60424f8d62
SHA51234bc3b475062219e1ef67c7fd56acf6dcc9f28262ccc4e49701a592a6d228bc5fc61ac25908e798b96b3d16f591c4800dcaeb334508fe70137f2d75577328a29
-
Filesize
1.8MB
MD55ed9543e9f5826ead203316ef0a8863d
SHA18235c0e7568ec42d6851c198adc76f006883eb4b
SHA25633583a8e2dcf039382e80bfa855944407bcba71976ec41c52810cb8358f42043
SHA5125b4318ddc6953f31531ee8163463259da5546f1018c0fe671280337751f1c57398a5fd28583afba85e93d70167494b8997c23fee121e67bf2f6fb4ca076e9d9f
-
Filesize
1.1MB
MD59a9b1fd85b5f1dcd568a521399a0d057
SHA134ed149b290a3a94260d889ba50cb286f1795fa6
SHA25688d5a5a4a1b56963d509989b9be1a914afe3e9ee25c2d786328df85da4a7820d
SHA5127c1259dddff406fdaadb236bf4c7dfb734c9da34fd7bad9994839772e298ebf3f19f02eb0655e773ba82702aa9175337ba4416c561dc2cb604d08e271cc74776
-
Filesize
673KB
MD58a190dfd824e864942a13b01e100ee1d
SHA10938bc28ad8b133a7c27635f6eebb268b116bc0c
SHA25666c414c255ef75c6ffe9955b4d27cb84704e187b1997a8d6cb3734c94967190a
SHA51253c03e3f525211e93c3b0b86aa6ee0c49e7c6162b7c830519a4dd4073495f08fb148dcadb7ee08634dc72505c4cdce65228e480262e2e527e9bf29a35ab31aa4
-
Filesize
321KB
MD5d3901e62166e9c42864fe3062cb4d8d5
SHA1c9c19eec0fa04514f2f8b20f075d8f31b78bae70
SHA256dbc0e52e6de93a0567a61c7b1e86daa51fbef725a4a31eef4c9bbff86f43671c
SHA512ae33e57759e573773b9bb79944b09251f0dc4e07cdb8f373ec06963abfc1e6a6326df7f3b5fecf90bd2b060e3cb5a48b913b745cc853ac32d2558a8651c76111
-
Filesize
814KB
MD59b1f97a41bfb95f148868b49460d9d04
SHA1768031d5e877e347a249dfdeab7c725df941324b
SHA25609491858d849212847e4718d6cc8f2b1bc3caa671ceb165cf522290b960262e4
SHA5129c8929a78cb459f519ace48db494d710efd588a19a7dbea84f46d02563cc9615db8aa78a020f08eca6fa2b99473d15c8192a513b4df8073aef595040d8962ae4
-
Filesize
1.2MB
MD5e74d2a16da1ddb7f9c54f72b8a25897c
SHA132379af2dc1c1cb998dc81270b7d6be054f7c1a0
SHA256a0c2f9479b5e3da9d7a213ebc59f1dd983881f4fc47a646ffc0a191e07966f46
SHA51252b8de90dc9ca41388edc9ae637d5b4ce5c872538c87cc3e7d45edcf8eff78b0f5743ab4927490abda1cff38f2a19983b7ccc0fe3f854b0eacca9c9ce28eda75
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini
Filesize11B
MD55eda46a55c61b07029e7202f8cf1781c
SHA1862ee76fc1e20a9cc7bc1920309aa67de42f22d0
SHA25612bf7eb46cb4cb90fae054c798b8fd527f42a5efc8d7833bb4f68414e2383442
SHA5124cf17d20064be9475e45d5f46b4a3400cdb8180e5e375ecac8145d18b34c8fca24432a06aeec937f5bedc7c176f4ee29f4978530be20edbd7fed38966fe989d6
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini
Filesize12B
MD5b2d5d511002960697118598e9233b21d
SHA19f0c9252594d590e47027d9fb6afc34abbd3d6f1
SHA256a7a70e5be36672e698230c01904255958bf3e5d81bb5655ffc8dc9221b6134be
SHA512d773d1c77c59c51270ec4f1357ae227e81ca599a98798001ad2c587f1b54877501128a9895ebdc47a5d0a0372a2804ecdc9fb9b47f1ea53607c54eb74a4a7dd7
-
Filesize
48KB
MD5b4a865268d5aca5f93bab91d7d83c800
SHA195ac9334096f5a38ca1c92df31b1e73ae4586930
SHA2565cbf60b0873660b151cf8cd62e326fe8006d1d0cbde2fad697e7f8ad3f284203
SHA512c46ee29861f7e2a1e350cf32602b4369991510804b4b87985465090dd7af64cf6d8dbfa2300f73b2f90f6af95fc0cb5fd1e444b5ddb41dbc89746f04dca6137b
-
Filesize
48KB
MD5512ff2298b179cd8e1bb916de7bc37ad
SHA191e992e1f08b964d7bad0bd44ceff1390f3941bf
SHA2565755fe181177edd49f455500877a2cd9479069e1a05ddc810307a70531beea5c
SHA51235fb9955c43946d9bf310cd5d1cb7a56e1bb04e3f55574b1746dd9bfec557a66d6b81244296f679f95439ccf97cc0c39277305d7c782b3dbcb1c6bb93dd66ee2
-
Filesize
48KB
MD5ac097d1c744f3c37692e8139790e88e0
SHA163027e26a41c926fb480cbcde2d01670d2280967
SHA256381241c305eb7b0985cc6a18f3803193fe2bc6ac239d06f54614575bb7a486e9
SHA51284af808ee2fbcedac8c9fb553c8b30a88f41e6dcbf26cf0b14b972a2be84cae9aaa991e36717dff99a4a583cecda992c33ffcf32ba4b01801f818df7481ea286
-
Filesize
2.8MB
MD5187159336928067bbcaf950ed41ddd7e
SHA1d308976d326a639233ddee6ff5a0d6804926ebe2
SHA256925ad251788435923e07523736f1f3908d3c84a5ced6699d7f8a940c255f617d
SHA51227b4adb10a31f14155d402e423b6147bb9a6b06ebceaa73ddc9cce174a87783b1ba71f16db027d08133270978af3f9a4db5764f264b7c70101c5a49132accc70
-
Filesize
1.1MB
MD56c6f85e896655a6eb726482f04c49086
SHA12e0c55cd4894117428b34d21a1d53738fce4b02c
SHA256e109400a93fede90201bbf37c1868c789888bce9d03a4ae5b46c48599939c34e
SHA512b58303c149deffc9e374d5ba42a8a73b7ce890d35f9589fe0b09acec541a21d589d49fa5086b965277fa22dfe308357505124f13a6ff1e0de415ebc40ce61e15
-
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config
Filesize541B
MD5d0efb0a6d260dbe5d8c91d94b77d7acd
SHA1e33a8c642d2a4b3af77e0c79671eab5200a45613
SHA2567d38534766a52326a04972a47caca9c05e95169725d59ab4a995f8a498678102
SHA512a3f1cff570201b8944780cf475b58969332c6af9bea0a6231e59443b05fc96df06a005ff05f78954dbe2fec42da207f6d26025aa558d0a30a36f0df23a44a35c
-
Filesize
12B
MD5880d31390a25de6a9cd34463b46c75e6
SHA1837af65938c9606b5de3c6f2195fc3e855554cd7
SHA256425adf50cf113d68bd6aa8dc1015db43422bbc1c977933d5f8c1ecaabf18eb2e
SHA5128e9dd066ff73625a5a55d1ece5ba1e4fb248ab14a32880a3d4d86266176cb4f1c61f8301e1ff49839c283affe877b9fbcd3bc2b9763c08b0b63ba56023c2282b
-
Filesize
670KB
MD596e50bbca30d75af7b8b40acf8dda817
SHA14b1255280dff8de8b7be47def58f83f6ec39ded6
SHA256a3ad00ccb61bc87d58eb7977f68130b78a0b95e74d61e6a4624ac114ccde5736
SHA5120034c08cb878b703f272e3fd2734bb928ff1bdba85cf79a151519b019c83bd4d199c80af0aa30db28ef82f7ee68a9d59dcaede92f83bfe8787f6a5d4d5e9817c
-
Filesize
3.1MB
MD5c9845d8fd278289e92a84a29427ddd2b
SHA1f9f086aedfc7434e2290423cd99deded01d7d77c
SHA2561bb7671a2ccd6505183f60d33b53eeb9f36ede0a3c4af92dfcf30fa7fa25dae4
SHA5129c0337b19fb0c763b64b0ef39a181055e0619e7c59e25799ff34c1afb880ca384c8388f85a46b7aed93f925500376af981647d34a3e745d9d71d231585bf6717
-
Filesize
571KB
MD5dec72136e998b6a5b71eefa2b6e8d68b
SHA1a2cdaf23bb441e493fceb7d380730008da5593ee
SHA256106fa7ff5a149f345af041964b7339814b08bf3a26fa922908b94bc806f53662
SHA512b99fa42bf18436d26071f48dd921145fbd8a54f5c62f01204bfb454ccd56aa336fe5147502deea7200b5fbdadbf774af2f0171374de964c8ed5877a30a37b3fc
-
Filesize
143KB
MD571026b098f8fb39c88b003df746d9fa0
SHA1013ca259f551ad6f33db53fff0e121e74408e20e
SHA25611058e8c2cd05f30dcf1775644bf19d2913c9a6d674c12f91d1896d95d9cc5c2
SHA5129830be3444225a4b2f9fa4aedbc8af4f45fdb2548f0b6a2eba2a2a407ea3c7d8fd78c0e37fac66cafbdfad781ae78b076d225fd5c836a451f57a54053ccef9ad
-
Filesize
16KB
MD5b2e89027a140a89b6e3eb4e504e93d96
SHA1f3b1b34874b73ae3032decb97ef96a53a654228f
SHA2565f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982
SHA51293fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize471B
MD57698355a7e9e36e88e73d16701e321ae
SHA1da642632f6b74ee2422309f3a2bfc326c2e2e2e3
SHA25687cb1cf084c4cc7ed934f98a7681f6826f16b4913f62126adbe4af6606b25f14
SHA512fcc322f012862409ba6acb20a88ad2fb6bf6df93b19f16ef5924e33c6556d222ca824ff18beed8fd78b02505cce508dca72f993ca1a01a2657eb92653b8f22eb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC
Filesize727B
MD5e9517c2d7514cbc7e192f697a72b55f3
SHA169ebba769419b9716a0a6cf471a5ca45a23e10b1
SHA256dd3ebd223d7943ab07cb582a09d48c97d515050e799d36b1b7032605b97dc046
SHA512d09ec480ff69198ad9c7e203dc7c0b3594d0fa1d0fc37d903003510494a0fb7c22fedd98faddb6eeb16a6f8bb7767610e14a4f64b7a4c7a4bc6011084f8ae001
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize727B
MD516d40e6fe7dbda24e4c0011e68de557b
SHA1ad6ee6b3e37a5769230755269ea7eb79c3ff468e
SHA256b9e9bad95aee50d6e2ff0c7a88fe83dd97ddda6d9bc63324749721b0a0abaa39
SHA512ebf04e008422ddc6869c9ade3f6c2c9668818d1f644582aed3b744051cf8480f6654929dfe823f378498b4ec942b705af9756c0b27eb25b047c590f5de9aeb11
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
Filesize400B
MD560690fc8b936b6c7e96aed53f9369fda
SHA1ac8b3230ae4f84ffc1293c5c0aa1a9759b993e0c
SHA256eacd9ab06699a9964378ad1828ba8bcd538a69f09c9b665ef035f3ed51f8b8ca
SHA512b2285b533c5c599cc153f5cc7569ebce7b4570c91c14d781f16ea3e7c0a5a8d18e6c857c49daa2338c2cae0be73e84a0ae83b9688c83f3260d551ed753811627
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC
Filesize412B
MD5108efa4464e8ee6bbf475a0694174e12
SHA17a87b3f16aaf36245ba716c5b13b7f52bf43d193
SHA2562b36f8da7d4ea0906fb7e8e000b185f56913a20a13ecfa25fe717dd1712474c0
SHA51299e22f37f1207f0602997f79bf01eee4be7fe77c71867aebaed98a3b725e6e78bf741948817a4c4eb1cc1489f369c957275007a39ddc5c69914a92de6f6785e3
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize412B
MD5e549e081a00f98c1b8b2cf785fc7362d
SHA158b6e4ebe4f9f0c9e171adc4397fb6cea2997144
SHA256ee8c445d81eaabece8925f7fd422bf48bece32034e44884f782532767d716446
SHA512519eab90f318aa8230af7f13f794b5133411a35dd6c9f4e9ea340d4500788fc014b77d4022bb2340e3aa8e6b73583c9fcc6c03cc5933a192120e4d984ff46dc2
-
Filesize
651B
MD52720e84a1017ee0e44ea1c9611490d96
SHA1a12c1eb5e5dbf8fc4db7738c9d9f4adfeac1dfa7
SHA256ee892f37d0e68c8377e91786efdf33442336162213592fdc815bbc64933abfef
SHA512f6de7e567e300b77ae6b77a3a20f3dd3c374c946ee2aace0de2393a1350452107e9f9e5ff0bbbd58932f2d3f7eeb4d8e6d2eb704c67b79eb0311bf451e73542e
-
Filesize
19KB
MD53e5097e416dd84fc61a003a72ea56a00
SHA13511867ce566ad193ad7be8312b183a8927160d6
SHA256a835285b76b2ef902702c2bd2db3d3337125acf37bb213814955d2c035256b13
SHA512542355a591e829ddea1f8c8b5c1d4e154c0a76f7154f0ba8c8461696542e27d06957bde0b9db36a0c6932a40af71d64d5e81e3178401ac80afce83d2a92da386
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z1vzqal0.default-release\cache2\entries\01D96160E45C4D6B16779C7FCACE002F5E9ACAF0
Filesize82KB
MD55ea5d53d9079197d644287ef6cd91a8c
SHA1c547a2bbeb15f5c55c7134c2033291bbd62df4d5
SHA2567f2ab09ae622b51418977c494ad8858bdb615e26f3d1be3fca122b2e4f146df3
SHA512dc7dbd015ed2b59aceee091801e480f0b774a574d1a595db64b62fd832494259bc6e61cfc88f01cf022026a151535335d7e178b85b4959d1617ea5146e5d0dbe
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z1vzqal0.default-release\cache2\entries\5259C65726BA716E1511F9B285685639AF2227D0
Filesize44KB
MD56e328286dd4d0cee137840ca6dc4eb5b
SHA1b5ba1e849cfbe7fcb85bb677904c4592263d1747
SHA2564dc4fbedd92673515890be86a3965604e0a516873d4020c772558763f0894bdc
SHA5125b2790c214d1842df0419d39b261b2b317f8dbd333b3ef5c74a6190117ce0c1c6fb0072a2e8422a3edcfe2844c19ae16821db48cef4619a0d20084dc3402e308
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z1vzqal0.default-release\cache2\entries\A7CE9E291DC382899C45255C8C18E2051F0E5073
Filesize15KB
MD59bd6be7b02d1bfcbbd9a47aa64959895
SHA1854fe29b8ddd8109de117f2d8e626a93a65e0ed0
SHA25662d488479ea00e4db78279319bd0f0148ca6f04123104d47c3487f530ef7df45
SHA512938a11bae1fdc45aa422cc8eea6e169dc6c6f26e0a5bd93e796d03281733164031df9e43114ac6757dc0d86c1997fca302c15260663ddb4a53aec6ec53cc446a
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z1vzqal0.default-release\cache2\entries\C83BA4FAB8F5340190CA7920B7BC1921E3E4ABFF
Filesize140KB
MD58c9ad2666a8aeb01b61a9ba58dc04f53
SHA1b22ba1fb0749892c8275022549e56c1d8cc962fd
SHA256c92c25d10a19f2d18fe77659d1abec3c371d7473c19caaf2ca1021cb0fcc9806
SHA51227d61384f775f9e3989001ff34484f15dcfcae8fa345a8ca77dfcf39babbc03bf0a67a692ab3cccd027325ee6c45f9f3a2bfdbdedaedcf3220d7821379544844
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z1vzqal0.default-release\cache2\entries\D6E7E20EA4CD4D9958BCB0A141D06E5F87E1274B
Filesize15KB
MD5dddcc2388c81c17d3b88499fffcd281f
SHA14b94314ae1932347de0f8e9e9a425659d3088ed5
SHA256c674457c13f3fc12b4d30536a8e60bf2e0f0b33b676aafbd2b2cde811e25474f
SHA512c3e85a30f04443bee9be7084ee90fe4ab4fe86af0df52d10aeeb7382931c3f06d8bb26fb92cc2183c59f86ec96e3b64a7f5a32444a82439b1414c4ce6dc4b812
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z1vzqal0.default-release\cache2\entries\F7680423BAE7ED3DCA5C1A74E1B814FBF4D3B90B
Filesize19KB
MD5c613c4852780a3ec0cb103b11d2ad36d
SHA13ccf2a8eff151bef66712cd3618f8b2262ca65ad
SHA256209dcf27576470af0c5e54d60e4654bb619780df0dbdc5f3c23b9e3c259acf7e
SHA512a335f0154b67469e4077e00bb7769ac7fd1ba0228bf3d821d856917a1fee3f2d9950af6f04b37f565db712778d4bc531586cb3b269660bc9c5b6a6c11b34a124
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z1vzqal0.default-release\cache2\entries\F7D2AFA58B3A860C0CBB1598D8437B7D21EBB848
Filesize76KB
MD50cb3c3cf7a40152bc0a1b6161fd9ad1c
SHA12d5994c8ef1931f99b572046906a67f9678f7dec
SHA256180d77cba1c983daba91464336fec33acf1fade8251577589db5c98511b2bfa7
SHA512dcb83d5eec7588f1963f7d9c8824569321cde9e93ae0dfc4184da3cc8782187fe6ae2069b4f3a167cd6f879eeec35790bc6d419bb7a11182197ddcc708c3c7c3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\z1vzqal0.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl
Filesize15KB
MD596c542dec016d9ec1ecc4dddfcbaac66
SHA16199f7648bb744efa58acf7b96fee85d938389e4
SHA2567f32769d6bb4e875f58ceb9e2fbfdc9bd6b82397eca7a4c5230b0786e68f1798
SHA512cda2f159c3565bc636e0523c893b293109de2717142871b1ec78f335c12bad96fc3f62bcf56a1a88abdeed2ac3f3e5e9a008b45e24d713e13c23103acc15e658
-
Filesize
479KB
MD509372174e83dbbf696ee732fd2e875bb
SHA1ba360186ba650a769f9303f48b7200fb5eaccee1
SHA256c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f
SHA512b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1
-
Filesize
13.8MB
MD50a8747a2ac9ac08ae9508f36c6d75692
SHA1b287a96fd6cc12433adb42193dfe06111c38eaf0
SHA25632d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03
SHA51259521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\AlternateServices.bin
Filesize7KB
MD5b4e9b67f6900757c70895c44fbe17ebd
SHA16325b36ecd3da6a17ef6b88dfefe32fec2a4d0fd
SHA25683ba24949d41d89c13d3ab4ff39d7f488088805a997b7c586da6daacf99934eb
SHA512e382f1ab05a20a92a73fee9110f09fbf5ef0b12927cc3520321e25d6160cf86aa95cc09529a84cb8711d060e852a030d1bf00ce27f96257d3655fb81fc7400d1
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\AlternateServices.bin
Filesize12KB
MD5fed61b4c4b7f9ae1daa0a4e5150fed67
SHA17749fc8eb4b1712bb0f1e892955bf893d75a049a
SHA256b315727c81082171cc0b470b30bc95d1fcdc4bd1a466431ad9d9e92006226a43
SHA5124c6d8f9290303c7dd18f92f028a829af77e90bff610dc5b45893dc9270e0199d23f715e5881730519a3cf939476f15e2b2fd3c3dd6da008731830a7998aa2de5
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\datareporting\glean\db\data.safe.tmp
Filesize5KB
MD5d0e922012fb7818d203ed6face66babf
SHA19486d69d6ad1b0dff082bcf08dd871b349b2e84d
SHA2565bd395d6297525eb2dd1dc61e8f8f9be61480d8e198ae6f69440bc819ed2e12f
SHA51231c042ba71c733152fc275cf2d44ee8f6f2562a4f17b0430471e69b24e93d1d82e110aaae0ee5f63b8a8012b42e500084b00b8e3d967c8460b4fe827e3a58d1d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\datareporting\glean\db\data.safe.tmp
Filesize6KB
MD563c88cda98fc14e2911c9760ce817e90
SHA1f7edea8638c5c1ec10169595faf90658a6164c0c
SHA256a382e095a58a8ebf30aa411d94196251f5866b1fc1309f66242f34cbc34258e0
SHA5124c9d66ac9d23fd10837c04865dd29967dac49e9d0e86ab541c06df7c7321eae96019e20a1e53847078387248b8e64cf6f7a023062c3f71686247755d36bbc004
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\datareporting\glean\pending_pings\4dae983a-1165-4b7c-94fa-b03e6c5bfd9f
Filesize982B
MD5027a8cec0ef6b0514cbdea804dd13d22
SHA1cfd64abf007b4282c97bed550844525b6d0bab6a
SHA25679ca8a932882cb97e9afb252d2cf60f2c2ab6b075e0d0212befdf6062960c36d
SHA512099b5031d1ba09b94a469e5f2e95ce4babbeff11faa8c491e31f2e67e4e8856200c1ca62ab0f802536bdef9ebdf01d8a1d146364e7b090488afacb6497d7f5b9
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\datareporting\glean\pending_pings\82deb4c0-8be4-4397-adff-68fe2450405b
Filesize27KB
MD50be7f6f78aa3bb341a81a7b1e59635a3
SHA1c1c203b21c2190f298ec85a735288993c254d384
SHA2562a8b4288bcd8c049a809e54a39e0aa8faa0aa78a620b9c31e9dd5a7647eed497
SHA512da8431cdf5e89145b10d27741316bcb1387070db6f5c8c255709028bf768b698f03c49ed93ad5798f2af9a4f89a88b9608363e78aafb789be68e2f1b1e1a59cb
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\datareporting\glean\pending_pings\9526708c-cafd-4567-b6dd-421d5954ef3a
Filesize671B
MD5f616747d84e0f30b07fe82943e853ff2
SHA1c9153355083a409be0707b667fff00096564090d
SHA25632a56a50cc6ca79ead51d5e9588bd7ec16e198924aa699f5584e329ae1b8bc24
SHA5124572d295577039faac49779e36c56eacd10e7507dcf0d34e62554e5a16ca9e07d70a276411bc713f0d6d39954bc28519cc68b13ad88dda88972c9fa27597154f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\datareporting\glean\pending_pings\ae4cbc72-d619-40fd-9f28-2f6321e1176e
Filesize3KB
MD5b7aaa383611a0967b3c1af5af62e117a
SHA1f035118d5218998a53e3f40a9a4e2616b1152d85
SHA256749edd8e0f5efafa3892812aa676f3be4e9e12ff944dfe3d9e0613bfb1e2e5c5
SHA512eef39fb4be486a7cc9c1911b2cdcc8e4b36a429ecd976581cef726bc0884517bafc4f7ab34a900b60c51f8045588179956966226e931fcff7deaf0fbc7bb8b5d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\datareporting\glean\pending_pings\affb8cea-719d-4fff-a48b-9173a50d78dc
Filesize846B
MD5c26f7a7861f00d0b298fb0bf44df912f
SHA1fc36e9a7e236e7fe3d3c5e560de6f2860d4124f3
SHA256ff662d187d9ed60daa2828b925fbe62e38e0f01522f1ea351f7c7291dbd15da2
SHA51239cfeedc5a9a1050e15d4cd8047cbcf25ee3aba5cf0b21edca0902c45a97aa2240409864d8c28ea51beb331c95a2f6a738764a4277e1fbfe7a943be9e2efc957
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll
Filesize1.1MB
MD5842039753bf41fa5e11b3a1383061a87
SHA13e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153
SHA256d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c
SHA512d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json
Filesize372B
MD5bf957ad58b55f64219ab3f793e374316
SHA1a11adc9d7f2c28e04d9b35e23b7616d0527118a1
SHA256bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda
SHA51279c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll
Filesize17.8MB
MD5daf7ef3acccab478aaa7d6dc1c60f865
SHA1f8246162b97ce4a945feced27b6ea114366ff2ad
SHA256bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e
SHA5125840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75
-
Filesize
9KB
MD5f6219a045f407b6473c592adde34df8f
SHA137af0f9abae7c08f130571568f25c52f59eb6884
SHA2568f15b06f92d5ab01f8dcac8e5e3c3ef35e84477fb56c29df63bafb57be4d1110
SHA5124bd5630d176b1d4c33c56978add40d7ec4b42c543efbacca6cfb914fa584816b3dd7d10d04e8f515bb6d7e62dc74be073e5dd489c1e0f1bdb3104d4cb24fb551
-
Filesize
10KB
MD59ae736e9b095cbaff7fc4cb91f085ab8
SHA1de7686bde0a969b794556a86d74238ae0548ee42
SHA256f76d2947245cc8dbf87dde1be5c434ecc913d891fa38934f07bf7c98944d5eef
SHA512b9d5d90b31a91387c2aaba636357193c175c6f8ed86c4d44577e79e456a8dd94ef45f7a5945844c53c24dc5caf18ab02fdbe92e79300055e346437f37a1a271e
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize 3KB
MD5 7894d6e7fb47716565afe3ae55c8e646
SHA1 113088cadac800ee5d8d97a15de328866081faef
SHA256 0d2af96d5e2acc550007892cd47a3bdb9224c95fc6fc1b0a7b94727f0cf922ae
SHA512 c5696c3bf40020eded148f88ffdc04566f6debefee48497cc7cb222136b9163082e4bdbdc39bd45f8c808557ec57d23b50da9bde7adc927aa7a059a2dffbb05d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize 4KB
MD5 ef3453b79d25fb7c932085797df57a5f
SHA1 25d4eba0320ac0f95b0ce7e54fd0d4ce2c49c217
SHA256 3bb362c543e7899bdd7b12b83f8e99c0fee0387fe1b8b8659bb2a6cac1d77200
SHA512 1af6b55caefda8b79a29ad9f7c29e08d4a8129336805cdb723f747f84d252f5a106fe25419ae17475b9a1decfebe4c7508bb29dfa017cd42bbdce9b74613f714
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize 4KB
MD5 ef464473ff2e2ccd23d604bf508bf070
SHA1 f9b2e097b9f443aa36ce04b43d1b76d09728068a
SHA256 69808761dc412a0827dfcbbcc7d1d8dac680c0f2a02f5d8a68816bba585707b7
SHA512 c1037ad1e4e7e88dbe4e2ec70e6e491de51944f4559eedcc2d32e5c98e2a183647a08fb3319060a081af2f03deccdc0e9ece5905c55037bc1da41a170e7f8dcf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize 7KB
MD5 e0b78e31c2aaf4629733b390f82dc7e4
SHA1 50d8651dd77bd9fc3e8a035f070cdd7ef3c3ead7
SHA256 d5dbfdae9007d4809d72e046a03ed50bf2be6cbdee00647dc6f976f4eb729953
SHA512 8a059d5689adce41b93ed772e65905fa604c13f34d559d6f5835c6715e1799e92833020210a6121fc37ed123cb4e6b93ef2455e306beb19098ad30e211a56245
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize 4KB
MD5 025327c59ffddb1c3a7e7db63d0e449c
SHA1 1c657e90cc8ca2559718e8f07b142371af7d01e6
SHA256 da01208318ce43c8f1891dc237d803d144e410c134a75584cf46b6191ccf86ef
SHA512 745323c0bd75f7eccd4007f3874d7b42c8290f5c0925a1f33fd7cf9298b0ae5a02f6f313c8010e823bd4a7122c23ca02734842392420e35cc5861a7c6553930f
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize 6KB
MD5 5b8b62f92a47d04e354d2dd8638ebf52
SHA1 f4399cb49d02d26ee4e7aea81581ac1f91ddf2ca
SHA256 8ec6929390518f1ca008a4dde046ad937bb16410bc8cba67ced19bf894a30b82
SHA512 0f5d7db203a6867a77d3cbf7cb3027dca70f62b9d0e613cccea38f5274c8f6600038026816d7bff579451789c6314d3cc2839ad8f9cdce979f0a6b57ca7415e0
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize 7KB
MD5 b3393534eeff9088a874ae01070d91ec
SHA1 8acc08475e0f659d3b4db1c4fcfe85ee60f85df2
SHA256 0027daf1bb59f6dcf645703869f604d1acda7c61ca5864242c7b888688a1bf5b
SHA512 c6c24e68b26a6f5e9afc4c617241df52468ed6fc1574ecdd4dcb4c33a1af4632ed1f04a3a7f2570a78fec439fed561bc75f0d0cb0e91c22453030958f976da25
-
Filesize 60KB
MD5 878e361c41c05c0519bfc72c7d6e141c
SHA1 432ef61862d3c7a95ab42df36a7caf27d08dc98f
SHA256 24de61b5cab2e3495fe8d817fb6e80094662846f976cf38997987270f8bbae40
SHA512 59a7cbb9224ee28a0f3d88e5f0c518b248768ff0013189c954a3012463e5c0ba63a7297497131c9c0306332646af935dd3a1acf0d3e4e449351c28ec9f1be1fa
-
Filesize 4.5MB
MD5 08211c29e0d617a579ffa2c41bde1317
SHA1 4991dae22d8cdc6ca172ad1846010e3d9e35c301
SHA256 3334a7025ff6cd58d38155a8f9b9867f1a2d872964c72776c9bf4c50f51f9621
SHA512 d6ae36a09745fdd6d0d508b18eb9f3499a06a7eeafa0834bb47a7004f4b7d54f15fec0d0a45b7e6347a85c8091ca52fe4c679f6f23c3668efe75a660a8ce917f
-
Filesize 509KB
MD5 88d29734f37bdcffd202eafcdd082f9d
SHA1 823b40d05a1cab06b857ed87451bf683fdd56a5e
SHA256 87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf
SHA512 1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0
-
Filesize 25KB
MD5 aa1b9c5c685173fad2dabebeb3171f01
SHA1 ed756b1760e563ce888276ff248c734b7dd851fb
SHA256 e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7
SHA512 d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334
-
Filesize 179KB
MD5 1a5caea6734fdd07caa514c3f3fb75da
SHA1 f070ac0d91bd337d7952abd1ddf19a737b94510c
SHA256 cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca
SHA512 a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1
-
Filesize 1KB
MD5 bc17e956cde8dd5425f2b2a68ed919f8
SHA1 5e3736331e9e2f6bf851e3355f31006ccd8caa99
SHA256 e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5
SHA512 02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940
-
Filesize 695KB
MD5 715a1fbee4665e99e859eda667fe8034
SHA1 e13c6e4210043c4976dcdc447ea2b32854f70cc6
SHA256 c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e
SHA512 bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad
-
Filesize 219KB
MD5 928f4b0fc68501395f93ad524a36148c
SHA1 084590b18957ca45b4a0d4576d1cc72966c3ea10
SHA256 2bf33a9b9980e44d21d48f04cc6ac4eed4c68f207bd5990b7d3254a310b944ae
SHA512 7f2163f651693f9b73a67e90b5c820af060a23502667a5c32c3beb2d6b043f5459f22d61072a744089d622c05502d80f7485e0f86eb6d565ff711d5680512372
-
Filesize 211KB
MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0
-
Filesize 2.9MB
MD5 6ba81c43b60cb1fb67f4a216b767e681
SHA1 ca69001850032c1b9c9c4c2417b20298e71c0ed9
SHA256 921ff0f7d946debea36c5009f3a1f3162de3debb49e5e2b167c9d824ea7abf30
SHA512 5acb905e260f8b611cfbf3e2b15cf9019f283018b8b9fefaa44d3ff62ea92dc2f2b8af961bd2716f01d54d570a8182f380a6cee67bf90a01db2e569e40ed30b9
-
Filesize 26.3MB
MD5 b9c6d23462adef092b8a5b7880531b03
SHA1 9e8c4f7f48d38fb54a93789a583852869c074f2d
SHA256 2e23da54aa1ff64de09021ab089c1be6d4a323bdf0d8f46f78b5c6a33df83109
SHA512 18623991c5690e516541eaf867f22b3a1a02317392178943143bedc7f7eda5e02e69665c3c4a5fa50ade516a191bbbf16fd71e60f3225f660fb10ebc25cd01a5
-
Filesize 772KB
MD5 d73de5788ab129f16afdd990d8e6bfa9
SHA1 88cb87af50ea4999e2079d9269ce64c8eb1a584e
SHA256 4f9ac5a094e9b1b4f0285e6e69c2e914e42dcc184dfe6fe93894f8e03ca6c193
SHA512 bfc32f9a20e30045f5207446c6ab6e8ef49a3fd7a5a41491c2242e10fee8efd2f82f81c3ff3bf7681e5e660fde065a315a89d87e9f488c863421fe1d6381ba3b
-
Filesize 602B
MD5 b0428aa4a82578351169506b909060a9
SHA1 2c063572e396d3bd6dc98a25981986b636eb13a9
SHA256 8c37a0cc1ba536382eda481afdc725e14a8afc33e19c0ca0411aa2544cb2fc5a
SHA512 70391767373c8e276d03a7f18372d6b2b47e2955674b95066beb4f24ed175355fd601e8cb4a3d70ba3d7e171e920a9a08ba30b8f243123d20e49ca5cfe038103
-
Filesize 4KB
MD5 5b5e5f0accdaf362612501eb6f3f5f52
SHA1 e5c0c12c8cf1ad3a79d3fd5c16fa2ad5f2112118
SHA256 fafbd1047f24376cc364540965aff62f523a6988c1be4bfd043ddaa58235ea3c
SHA512 06f4140b5b2b515319d117b0103b6f358b7d052d90ca56353d1f092c1f2882bbe961fee3e3c5ee17b72a192ea18f1782231658910259a03dde3c98fb913a6167
-
Filesize 1KB
MD5 4040179d0e7c81cf06fb219b27a111f8
SHA1 93d19124d59d5f482d34634bb33175d8a2ba360e
SHA256 0872496316cc7fee4bb0c1e3dba6eda89d3e9928ea3601d92aa84221dd2136b6
SHA512 cfb50e293bbc48650a8a60ef540cb036ace0ad9b8aa795247f38defd2c843e475c0deb27b341237502d2a4b23d230ffa271d5e717c7fb86caf87eab45f194aaf
-
Filesize 2KB
MD5 5008fd0a781f06a1427f84122cfbd704
SHA1 84c201b357f3e9a6990bf35437d71ee2f861e7e0
SHA256 042cd3ce14b7c9a8aff27f389d24e72cd1c54709ecd7f14e046ed23c08e55d70
SHA512 d090f422cfadbc35fe3de90c3dc23321a9ff46b92e2b28fd6e5edad1f0218b7666563e5e8d733bfeba0c410e18adc19e5bc05878608bd658564ecbb47db4b325
-
Filesize 60B
MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize 3.2MB
MD5 2c18826adf72365827f780b2a1d5ea75
SHA1 a85b5eae6eba4af001d03996f48d97f7791e36eb
SHA256 ae06a5a23b6c61d250e8c28534ed0ffa8cc0c69b891c670ffaf54a43a9bf43be
SHA512 474fce1ec243b9f63ea3d427eb1117ad2ebc5a122f64853c5015193e6727ffc8083c5938117b66e572da3739fd0a86cd5bc118f374c690fa7a5fe9f0c071c167
-
Filesize 571B
MD5 d239b8964e37974225ad69d78a0a8275
SHA1 cf208e98a6f11d1807cd84ca61504ad783471679
SHA256 0ce4b4c69344a2d099dd6ca99e44801542fa2011b5505dd9760f023570049b73
SHA512 88eb06ae80070203cb7303a790ba0e8a63c503740ca6e7d70002a1071c89b640f9b43f376ddc3c9d6ee29bae0881f736fa71e677591416980b0a526b27ee41e8
-
Filesize 182KB
MD5 99bbffd900115fe8672c73fb1a48a604
SHA1 8f587395fa6b954affef337c70781ce00913950e
SHA256 57ceff2d980d9224c53a910a6f9e06475dc170f42a0070ae4934868ccd13d2dc
SHA512 d578b1931a8daa1ef0f0238639a0c1509255480b5dbd464c639b4031832e2e7537f003c646d7bd65b75e721a7ad584254b4dfa7efc41cf6c8fbd6b72d679eeff
-
Filesize 179KB
MD5 7a1c100df8065815dc34c05abc0c13de
SHA1 3c23414ae545d2087e5462a8994d2b87d3e6d9e2
SHA256 e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed
SHA512 bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327
-
Filesize 345KB
MD5 0376dd5b7e37985ea50e693dc212094c
SHA1 02859394164c33924907b85ab0aaddc628c31bf1
SHA256 c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415
SHA512 69d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5
-
Filesize 427KB
MD5 85315ad538fa5af8162f1cd2fce1c99d
SHA1 31c177c28a05fa3de5e1f934b96b9d01a8969bba
SHA256 70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7
SHA512 877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556
-
Filesize 1.8MB
MD5 befe2ef369d12f83c72c5f2f7069dd87
SHA1 b89c7f6da1241ed98015dc347e70322832bcbe50
SHA256 9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131
SHA512 760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b
-
Filesize 4KB
MD5 9eb0320dfbf2bd541e6a55c01ddc9f20
SHA1 eb282a66d29594346531b1ff886d455e1dcd6d99
SHA256 9095bf7b6baa0107b40a4a6d727215be077133a190f4ca9bd89a176842141e79
SHA512 9ada3a1757a493fbb004bd767fab8f77430af69d71479f340b8b8ede904cc94cd733700db593a4a2d2e1184c0081fd0648318d867128e1cb461021314990931d
-
Filesize 607KB
MD5 669de3ab32955e69decfe13a3c89891e
SHA1 ab2e90613c8b9261f022348ca11952a29f9b2c73
SHA256 2240e6318171b3cddcee6a801488f59145c1f54ca123068c2a73564535954677
SHA512 be5d737a7d25cc779736b60b1ea59982593f0598e207340219a13fd9572d140cfbcd112e3cf93e3be6085fe284a54d4458563e6f6e4e1cfe7c919685c9ee5442
-
C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize 412B
MD5 57842c261defb143f6e989d46c286120
SHA1 16cdea39a278a10685540ce8ca2e5266853de7d2
SHA256 8e7e4a622de32ef09de568a1b73cbccb8d7e839ef23c0f9ebded6d30a730707e
SHA512 a7155ef36a4e735639171348e36f12576eda35ae73e59b1a26dd4b38a49d7a5e5339d451c964e3724379bc0d563cd077e37249644aa2961d82f757249a50155d
-
Filesize 24.0MB
MD5 4ad4e884b05024d5958c2c2d8199752f
SHA1 336cf5a31050fa972487db1db7a8ffacfd0ad9f4
SHA256 69da077b6e5cfc3e65ac85a8af06f9050fa96974e8c7fa113468206c748a9ed4
SHA512 df796e309bfa012bc93c2620b62040008a6ec2b23ab0bd568e47ba8e25e8ce516b6f797e333c7dc5d6e6d0ec5fc03c5e907aa8e7dd54c2b5198b9963c5ae0c64
-
\??\Volume{553bd43f-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{6dc0e292-6194-46c0-a43d-ca63a1f170db}_OnDiskSnapshotProp
Filesize 6KB
MD5 9d7f7009b105faa3c0416f5cde411c0c
SHA1 281db99bae3b755e41a8df5dc55e6c033601c93c
SHA256 43546d09200df6faf1dd17ded00df3e71f204629d3fb358b20bffa3dd1e6f610
SHA512 2988b400be25328cc8434b297a6d3a7edb487e7c67152309fd5feb5cce47fa08efa8c76e70aef9219d26ec334749c3a9020b76edd729d85e759215b4f2f5654e
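The list above records every file the sandbox saw written during the run, each with four digests, and several entries carry the same path with different hashes (the Firefox sessionstore backup was rewritten repeatedly) or no path at all. The following is an added example, not part of the sandbox output, of turning such a list into a hash lookup for triage: it parses both layouts the report uses (label fused to its value, and label on its own line), discards digests of the wrong length, indexes every entry by any of its digests, groups repeated paths so a file is matched on hash rather than path, and hashes local content against the index. The REPORT_EXCERPT entries are copied from the list above; the function names and the sample bytes are assumptions made for this example.

```python
"""Index a sandbox report's dropped-file hashes and check content against them.

Added example; not part of the sandbox report. REPORT_EXCERPT copies a few
entries from the report; everything else here is invented for illustration.
"""
import hashlib
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional

# Expected hex length per algorithm; a digest of any other length is a copy or
# extraction error and is dropped rather than silently indexed.
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
_LABEL_RE = re.compile(r"^(Filesize|MD5|SHA1|SHA256|SHA512)\s*(.*)$")
_HEX_RE = re.compile(r"^[0-9a-f]+$")


@dataclass
class DroppedFile:
    path: Optional[str]        # None when the report omits the path
    size: str                  # size as printed, e.g. "2.9MB"
    hashes: Dict[str, str] = field(default_factory=dict)  # algorithm -> lowercase hex


def parse_report(text: str) -> List[DroppedFile]:
    """Parse '-'-separated entries; any line that is not a known label is the path."""
    entries: List[DroppedFile] = []
    fields: Dict[str, str] = {}
    pending: Optional[str] = None  # label seen with no value on the same line

    def flush() -> None:
        if fields:
            hashes = {}
            for alg, n in HEX_LEN.items():
                v = fields.get(alg, "").lower()
                if len(v) == n and _HEX_RE.match(v):
                    hashes[alg] = v
            entries.append(DroppedFile(fields.get("path"), fields.get("Filesize", ""), hashes))
            fields.clear()

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "-":
            flush()
            pending = None
            continue
        if pending is not None:          # value for a label that stood alone on the previous line
            fields[pending] = line
            pending = None
            continue
        m = _LABEL_RE.match(line)
        if m is None:
            fields["path"] = line
        elif m.group(2).strip():         # label fused to its value, e.g. "MD5abcd..."
            fields[m.group(1)] = m.group(2).strip()
        else:
            pending = m.group(1)
    flush()
    return entries


def digest_bytes(data: bytes) -> Dict[str, str]:
    """All four digests the report publishes, so any one of them can be matched."""
    return {alg: hashlib.new(alg.lower(), data).hexdigest() for alg in HEX_LEN}


def build_index(entries: Iterable[DroppedFile]) -> Dict[str, DroppedFile]:
    """Map every digest of every entry to that entry (first entry wins on collision)."""
    index: Dict[str, DroppedFile] = {}
    for entry in entries:
        for value in entry.hashes.values():
            index.setdefault(value, entry)
    return index


def match_hash(index: Dict[str, DroppedFile], value: str) -> Optional[DroppedFile]:
    """Look up a digest as it might arrive from a ticket or EDR alert (any case, padded)."""
    return index.get(value.strip().lower())


def match_bytes(index: Dict[str, DroppedFile], data: bytes) -> Optional[DroppedFile]:
    """Hash file content and return the report entry it matches, if any."""
    for value in digest_bytes(data).values():
        if value in index:
            return index[value]
    return None


def versions_by_path(entries: Iterable[DroppedFile]) -> Dict[str, List[DroppedFile]]:
    """Group entries by path; several hashes under one path mean the file was rewritten during the run."""
    groups: Dict[str, List[DroppedFile]] = {}
    for entry in entries:
        if entry.path is not None:
            groups.setdefault(entry.path, []).append(entry)
    return groups


# Constructed input: four entries copied from the report above, in its original layouts.
REPORT_EXCERPT = r"""
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info
Filesize116B
MD52a461e9eb87fd1955cea740a3444ee7a
SHA1b10755914c713f5a4677494dbe8a686ed458c3c5
SHA2564107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc
SHA51234f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize3KB
MD57894d6e7fb47716565afe3ae55c8e646
SHA1113088cadac800ee5d8d97a15de328866081faef
SHA2560d2af96d5e2acc550007892cd47a3bdb9224c95fc6fc1b0a7b94727f0cf922ae
SHA512c5696c3bf40020eded148f88ffdc04566f6debefee48497cc7cb222136b9163082e4bdbdc39bd45f8c808557ec57d23b50da9bde7adc927aa7a059a2dffbb05d
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\z1vzqal0.default-release\sessionstore-backups\recovery.baklz4
Filesize4KB
MD5ef3453b79d25fb7c932085797df57a5f
SHA125d4eba0320ac0f95b0ce7e54fd0d4ce2c49c217
SHA2563bb362c543e7899bdd7b12b83f8e99c0fee0387fe1b8b8659bb2a6cac1d77200
SHA5121af6b55caefda8b79a29ad9f7c29e08d4a8129336805cdb723f747f84d252f5a106fe25419ae17475b9a1decfebe4c7508bb29dfa017cd42bbdce9b74613f714
-
Filesize
2.9MB
MD56ba81c43b60cb1fb67f4a216b767e681
SHA1ca69001850032c1b9c9c4c2417b20298e71c0ed9
SHA256921ff0f7d946debea36c5009f3a1f3162de3debb49e5e2b167c9d824ea7abf30
SHA5125acb905e260f8b611cfbf3e2b15cf9019f283018b8b9fefaa44d3ff62ea92dc2f2b8af961bd2716f01d54d570a8182f380a6cee67bf90a01db2e569e40ed30b9
-
"""

if __name__ == "__main__":
    entries = parse_report(REPORT_EXCERPT)
    index = build_index(entries)
    for path, versions in versions_by_path(entries).items():
        if len(versions) > 1:
            print(f"{len(versions)} versions of {path}")
    hit = match_hash(index, "CA69001850032C1B9C9C4C2417B20298E71C0ED9")
    print("known:", hit and (hit.size, hit.hashes["SHA256"]))
    print("sample bytes:", match_bytes(index, b"constructed benign content\n"))
```

To use it on a real report, feed the whole "Dropped files" list to parse_report and run match_bytes over a directory of collected files; matching on any digest means the script still works when a downstream system only reports MD5 or SHA1.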