ateraagent | hxxps://hidrive[.]ionos[.]com/api/sharelink/download?id=O9dSTHQbd

Analysis

max time kernel
59s
max time network
59s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
02/04/2025, 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://hidrive.ionos.com/api/sharelink/download?id=O9dSTHQbd

Score

10^/10

ateraagent discovery execution rat

Malware Config

Signatures

AteraAgent
AteraAgent is a remote monitoring and management tool.
rat ateraagent
Ateraagent family
ateraagent

Detects AteraAgent 1 IoCs

resource	yara_rule
behavioral1/files/0x00070000000243bf-481.dat	family_ateraagent

Blocklisted process makes network request 4 IoCs

flow	pid	Process
91	5276	msiexec.exe
117	668	rundll32.exe
123	3260	rundll32.exe
172	6388	MsiExec.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
166	5468	AgentPackageSTRemote.exe

Executes dropped EXE 31 IoCs

pid	Process
3808	AteraAgent.exe
5988	AteraAgent.exe
5840	AgentPackageAgentInformation.exe
5244	AgentPackageAgentInformation.exe
5416	AgentPackageAgentInformation.exe
3672	AgentPackageAgentInformation.exe
2056	AteraAgent.exe
5468	AgentPackageSTRemote.exe
5296	AgentPackageMonitoring.exe
7044	SplashtopStreamer.exe
6320	PreVerCheck.exe
6224	_is37D4.exe
6660	_is37D4.exe
5768	_is37D4.exe
5228	_is37D4.exe
6472	_is37D4.exe
5976	_is37D4.exe
5900	_is37D4.exe
3888	_is37D4.exe
2156	_is37D4.exe
2508	_is37D4.exe
7104	_is45EE.exe
7068	_is45EE.exe
7160	_is45EE.exe
7140	_is45EE.exe
6244	_is45EE.exe
5148	_is45EE.exe
6340	_is45EE.exe
6716	_is45EE.exe
6620	_is45EE.exe
6248	_is45EE.exe

Loads dropped DLL 42 IoCs

pid	Process
2284	MsiExec.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
3436	rundll32.exe
2284	MsiExec.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
668	rundll32.exe
2284	MsiExec.exe
564	rundll32.exe
564	rundll32.exe
564	rundll32.exe
564	rundll32.exe
564	rundll32.exe
2284	MsiExec.exe
1532	MsiExec.exe
1532	MsiExec.exe
2284	MsiExec.exe
3260	rundll32.exe
3260	rundll32.exe
3260	rundll32.exe
3260	rundll32.exe
3260	rundll32.exe
3260	rundll32.exe
3260	rundll32.exe
5296	AgentPackageMonitoring.exe
6388	MsiExec.exe
6388	MsiExec.exe
6388	MsiExec.exe
6388	MsiExec.exe
6388	MsiExec.exe
6388	MsiExec.exe
6388	MsiExec.exe
6388	MsiExec.exe
6388	MsiExec.exe
6388	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MsiExec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	MsiExec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F2E248BEDDBB2D85122423C41028BFD4	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive	powershell.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E	MsiExec.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_90864756631514CEFBD0C1134238624E	MsiExec.exe
File opened for modification	C:\Windows\system32\InstallUtil.InstallLog	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C56C4404C4DEF0DC88E5FCD9F09CB2F1	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	AteraAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC	AteraAgent.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageAgentInformation.exe.log	AgentPackageAgentInformation.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\AgentPackageMonitoring.exe.log	AgentPackageMonitoring.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\64bits\xdsmplui.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\win7\stvad.inf	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\install_driver.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioResample.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRDetect.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\xp64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\utils\DIFxCmd64.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\xdsmplui.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\uninstall_driver64.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\DIFxCmd.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win7\x64\my_setup.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\p_mount.bat	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1437668263\_locales\az\messages.json	msedge.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\utils\DIFxCmd64.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\sthid.inf	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1437668263\_locales\is\messages.json	msedge.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\utils\devcon64.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdwmark.gpd	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1437668263\_locales\zh_TW\messages.json	msedge.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\x64\lci_proxywddm.sys	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\p_unmount.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\64bits\stvspk.sys	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\DIFxCmd.exe	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1437668263\_locales\am\messages.json	msedge.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll	AteraAgent.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\log.txt	AgentPackageSTRemote.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdsmplui.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\GamePad\utils\devcon64.exe	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1437668263\_locales\nl\messages.json	msedge.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Runtime.InteropServices.RuntimeInformation.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRApp.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\driver\mv2.cat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\64bits\WdfCoInstaller01009.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\VirtualDriver\utils\StHidNotSupport.reg	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAudioChat.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdnup.gpd	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libcrypto-3.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\libx264-116.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\64bits\XDColMan.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\EvtLogProvider\stevt_srs_x64.dll	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1437668263\_locales\bg\messages.json	msedge.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\lh.txt	AgentPackageSTRemote.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Acknowledgements.htm	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Monitor\install_driver.bat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\xdsmpl-PipelineConfig.xml	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\win10\xdCMYKPrinter.icc	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\StructureMap.dll	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\System.Buffers.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe	msiexec.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallState	AteraAgent.exe
File created	C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\System.Buffers.dll	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\dbghelp.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\Mirror\vista64\setupdrv.exe	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.sys	msiexec.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping1968_1437668263\_locales\si\messages.json	msedge.exe
File opened for modification	C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt	AteraAgent.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STPrinter\32bits\xdbook.dll	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\stvideo.cat	msiexec.exe
File created	C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVSpk\stvspk.inf	msiexec.exe

Drops file in Windows directory 47 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF00E.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF445.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFFB4.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFFB4.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFFB4.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5731.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ecb2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED2F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF00E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ecb2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED2F.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF00E.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF445.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF445.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF64C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6D9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ecb5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED2F.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF5FC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFB4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI379F.tmp	msiexec.exe
File created	C:\Windows\Installer\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF00E.tmp-\Newtonsoft.Json.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF445.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIFFB4.tmp-\System.Management.dll	rundll32.exe
File created	C:\Windows\Installer\SourceHash{B7C5EA94-B96A-41F5-BE95-25D78B486678}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED2F.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF00E.tmp-\System.Management.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF60C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFFB4.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File created	C:\Windows\Installer\e57ecb5.msi	msiexec.exe
File created	C:\Windows\Installer\e57ecb9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF00E.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF445.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4A20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED2F.tmp-\AlphaControlAgentInstallation.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIED2F.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF445.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E732A0D7-A2F2-4657-AC41-B19742648E45}	msiexec.exe
File created	C:\Windows\Installer\e57ecb4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3617.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3676.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI455C.tmp	msiexec.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5232	sc.exe
5840	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3848	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SplashtopStreamer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskKill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PreVerCheck.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NET.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005c00d8281e7515450000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005c00d8280000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005c00d828000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5c00d828000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005c00d82800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Kills process with taskkill 11 IoCs

defense_evasion

pid	Process
3984	TaskKill.exe
6640	taskkill.exe
6688	taskkill.exe
6456	taskkill.exe
744	taskkill.exe
544	taskkill.exe
7080	taskkill.exe
7156	taskkill.exe
6264	taskkill.exe
6564	taskkill.exe
5992	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AgentPackageAgentInformation.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates\7B0F360B775F76C94A12CA48445AA2D2A875701C	AteraAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	SplashtopStreamer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPublisher\CRLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	cscript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	cscript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	SplashtopStreamer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	AteraAgent.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	AteraAgent.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	AteraAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies registry class 49 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductIcon = "C:\\Windows\\Installer\\{B7C5EA94-B96A-41F5-BE95-25D78B486678}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\ProductName = "AteraAgent"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Version = "17301511"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\PackageCode = "4B43BFF14B20EEE4CA4A4249A1E8ED5E"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\PackageName = "setup.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{5B057DFE-EDE6-4E8F-8806-B8AA07307AC3}	msedge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\PackageCode = "559DA127DF979104BB5FD9CCC41157BB"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\ProductName = "Splashtop Streamer"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Net\1 = "C:\\Windows\\TEMP\\unpack\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Media	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\PackageName = "3330a-8272-4b57-8c7c-608589d7d1a2 .msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\SourceList\LastUsedSource = "n;1;C:\\Windows\\TEMP\\unpack\\"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\49AE5C7BA69B5F14EB59527DB8846687\Version = "50790402"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7D0A237E2F2A7564CA141B792446E854\INSTALLFOLDER_files_Feature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\25F46F8180ECF4345A1FA7A8935DE9AE\7D0A237E2F2A7564CA141B792446E854	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C580F100A850B084DA6592048B753CD8\49AE5C7BA69B5F14EB59527DB8846687	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7D0A237E2F2A7564CA141B792446E854\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\49AE5C7BA69B5F14EB59527DB8846687\Server	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F\Blob = 19000000010000001000000014d4b19434670e6dc091d154abb20edc0f00000001000000200000001504593902ec8a0bab29f03bf35c3058b5fd1807a74dab92cb61ed4a9908afa40b000000010000006200000041006d0061007a006f006e00200053006500720076006900630065007300200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f00720069007400790020002d002d002000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000002500000030233021060b6086480186fd6e0107180330123010060a2b0601040182373c0101030200c0620000000100000020000000568d6905a2c88708a4b3025190edcfedb1974a606a13c6e5290fcb2ae63edab51400000001000000140000009c5f00dfaa01d7302b3888a2b86d4a9cf21191831d000000010000001000000052135310639a10f77f886b229b9f7afc7f000000010000000c000000300a06082b060105050703037e00000001000000080000000080c82b6886d701030000000100000014000000925a8f8d2c6d04e0665f596aff22d863e8256f3f2000000001000000f3030000308203ef308202d7a003020102020100300d06092a864886f70d01010b0500308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308198310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313b303906035504031332537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100d50c3ac42af94ee2f5be19975f8e8853b11f3fcbcf9f20136d293ac80f7d3cf76b763863d93660a89b5e5c0080b22f597ff687f9254386e7691b529a90e171e3d82d0d4e6ff6c849d9b6f31a56ae2bb67414ebcffb26e31aba1d962e6a3b5894894756ff25a093705383da847414c3679e04683adf8e405a1d4a4ecf43913be756d60070cb52ee7b7dae3ae7bc31f945f6c260cf1359022b80cc3447dfb9de90656d02cf2c91a6a6e7de8518497c664ea33a6da9b5ee342eba0d03b833df47ebb16b8d25d99bce81d1454632967087de020e494385b66c73bb64ea6141acc9d454df872fc722b226cc9f5954689ffcbe2a2fc4551c75406017850255398b7f050203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604149c5f00dfaa01d7302b3888a2b86d4a9cf2119183300d06092a864886f70d01010b050003820101004b36a6847769dd3b199f6723086f0e61c9fd84dc5fd83681cdd81b412d9f60ddc71a68d9d16e86e18823cf13de43cfe234b3049d1f29d5bff85ec8d5c1bdee926f3274f291822fbd82427aad2ab7207d4dbc7a5512c215eabdf76a952e6c749fcf1cb4f2c501a385d0723ead73ab0b9b750c6d45b78e94ac9637b5a0d08f15470ee3e883dd8ffdef410177cc27a9628533f23708ef71cf7706dec8191d8840cf7d461dff1ec7e1ceff23dbc6fa8d554ea902e74711463ef4fdbd7b2926bba961623728b62d2af6108664c970a7d2adb7297079ea3cda63259ffd68b730ec70fb758ab76d6067b21ec8b9e9d8a86f028b670d4d265771da20fcc14a508db128ba	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 0f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e42000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e19962000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 04000000010000001000000078f2fcaa601f2fb4ebc937ba532e75490f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e1996530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac89988140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f1d0000000100000010000000a86dc6a233eb339610f3ed414927c559030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e4190000000100000010000000ffac207997bb2cfe865570179ee037b92000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DDFB16CD4931C973A2037D3FC83A4D7D775D05E4\Blob = 5c000000010000000400000000100000190000000100000010000000ffac207997bb2cfe865570179ee037b9030000000100000014000000ddfb16cd4931c973a2037d3fc83a4d7d775d05e41d0000000100000010000000a86dc6a233eb339610f3ed414927c559140000000100000014000000ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f620000000100000020000000552f7bdcf1a7af9e6ce672017f4f12abf77240c78e761ac203d1d9d20ac899880b00000001000000320000004400690067006900430065007200740020005400720075007300740065006400200052006f006f0074002000470034000000090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000300000004ea1b34b10b982a96a38915843507820ad632c6aad8343e337b34d660cd8366fa154544ae80668ae1fdf3931d57e199604000000010000001000000078f2fcaa601f2fb4ebc937ba532e75492000000001000000940500003082059030820378a0030201020210059b1b579e8e2132e23907bda777755c300d06092a864886f70d01010c05003062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f74204734301e170d3133303830313132303030305a170d3338303131353132303030305a3062310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3121301f060355040313184469676943657274205472757374656420526f6f7420473430820222300d06092a864886f70d01010105000382020f003082020a0282020100bfe6907368debbe45d4a3c3022306933ecc2a7252ec9213df28ad859c2e129a73d58ab769acdae7b1b840dc4301ff31ba43816eb56c6976d1dabb279f2ca11d2e45fd6053c520f521fc69e15a57ebe9fa95716595572af689370c2b2ba75996a733294d11044102edf82f30784e6743b6d71e22d0c1bee20d5c9201d63292dceec5e4ec893f821619b34eb05c65eec5b1abcebc9cfcdac34405fb17a66ee77c848a86657579f54588e0c2bb74fa730d956eeca7b5de3adc94f5ee535e731cbda935edc8e8f80dab69198409079c378c7b6b1c4b56a183803108dd8d437a42e057d88f5823e109170ab55824132d7db04732a6e91017c214cd4bcae1b03755d7866d93a31449a3340bf08d75a49a4c2e6a9a067dda427bca14f39b5115817f7245c468f64f7c169887698763d595d4276878997697a48f0e0a2121b669a74cade4b1ee70e63aee6d4ef92923a9e3ddc00e4452589b69a44192b7ec094b4d2616deb33d9c5df4b0400cc7d1c95c38ff721b2b211b7bb7ff2d58c702c4160aab1631844951a76627ef680b0fbe864a633d18907e1bdb7e643a418b8a67701e10f940c211db2542925896ce50e52514774be26acb64175de7aac5f8d3fc9bcd34111125be51050eb31c5ca72162209df7c4c753f63ec215fc420516b6fb1ab868b4fc2d6455f9d20fca11ec5c08fa2b17e0a2699f5e4692f981d2df5d9a9b21de51b0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e04160414ecd7e382d2715d644cdf2e673fe7ba98ae1c0f4f300d06092a864886f70d01010c05000382020100bb61d97da96cbe17c4911bc3a1a2008de364680f56cf77ae70f9fd9a4a99b9c9785c0c0c5fe4e61429560b36495d4463e0ad9c9618661b230d3d79e96d6bd654f8d23cc14340ae1d50f552fc903bbb9899696bc7c1a7a868a427dc9df927ae3085b9f6674d3a3e8f5939225344ebc85d03caed507a7d62210a80c87366d1a005605fe8a5b4a7afa8f76d359c7c5a8ad6a23899f3788bf44dd2200bde04ee8c9b4781720dc01432ef30592eaee071f256e46a976f92506d968d687a9ab236147a06f224b9091150d708b1b8897a8423614229e5a3cda22041d7d19c64d9ea26a18b14d74c19b25041713d3f4d7023860c4adc81d2cc3294840d0809971c4fc0ee6b207430d2e03934108521150108e85532de7149d92817504de6be4dd175acd0cafb41b843a5aad3c305444f2c369be2fae245b823536c066f67557f46b54c3f6e285a7926d2a4a86297d21ee2ed4a8bbc1bfd474a0ddf67667eb25b41d03be4f43bf40463e9efc2540051a08a2ac9ce78ccd5ea870418b3ceaf4988aff39299b6b3e6610fd28500e7501ae41b959d19a1b99cb19bb1001eefd00f4f426cc90abcee43fa3a71a5c84d26a535fd895dbc85621d32d2a02b54ed9a57c1dbfa10cf19b78b4a1b8f01b6279553e8b6896d5bbc68d423e88b51a256f9f0a680a0d61eb3bc0f0f537529aaea1377e4de8c8121ad07104711ad873d07d175bccff3667e	AteraAgent.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\925A8F8D2C6D04E0665F596AFF22D863E8256F3F	AteraAgent.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1996	msiexec.exe
1996	msiexec.exe
5988	AteraAgent.exe
5988	AteraAgent.exe
5840	AgentPackageAgentInformation.exe
5840	AgentPackageAgentInformation.exe
5244	AgentPackageAgentInformation.exe
5244	AgentPackageAgentInformation.exe
3672	AgentPackageAgentInformation.exe
3672	AgentPackageAgentInformation.exe
5988	AteraAgent.exe
5988	AteraAgent.exe
5468	AgentPackageSTRemote.exe
5468	AgentPackageSTRemote.exe
3848	powershell.exe
3848	powershell.exe
3848	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5276	msiexec.exe
Token: SeSecurityPrivilege	1996	msiexec.exe
Token: SeCreateTokenPrivilege	5276	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5276	msiexec.exe
Token: SeLockMemoryPrivilege	5276	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5276	msiexec.exe
Token: SeMachineAccountPrivilege	5276	msiexec.exe
Token: SeTcbPrivilege	5276	msiexec.exe
Token: SeSecurityPrivilege	5276	msiexec.exe
Token: SeTakeOwnershipPrivilege	5276	msiexec.exe
Token: SeLoadDriverPrivilege	5276	msiexec.exe
Token: SeSystemProfilePrivilege	5276	msiexec.exe
Token: SeSystemtimePrivilege	5276	msiexec.exe
Token: SeProfSingleProcessPrivilege	5276	msiexec.exe
Token: SeIncBasePriorityPrivilege	5276	msiexec.exe
Token: SeCreatePagefilePrivilege	5276	msiexec.exe
Token: SeCreatePermanentPrivilege	5276	msiexec.exe
Token: SeBackupPrivilege	5276	msiexec.exe
Token: SeRestorePrivilege	5276	msiexec.exe
Token: SeShutdownPrivilege	5276	msiexec.exe
Token: SeDebugPrivilege	5276	msiexec.exe
Token: SeAuditPrivilege	5276	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5276	msiexec.exe
Token: SeChangeNotifyPrivilege	5276	msiexec.exe
Token: SeRemoteShutdownPrivilege	5276	msiexec.exe
Token: SeUndockPrivilege	5276	msiexec.exe
Token: SeSyncAgentPrivilege	5276	msiexec.exe
Token: SeEnableDelegationPrivilege	5276	msiexec.exe
Token: SeManageVolumePrivilege	5276	msiexec.exe
Token: SeImpersonatePrivilege	5276	msiexec.exe
Token: SeCreateGlobalPrivilege	5276	msiexec.exe
Token: SeBackupPrivilege	884	vssvc.exe
Token: SeRestorePrivilege	884	vssvc.exe
Token: SeAuditPrivilege	884	vssvc.exe
Token: SeBackupPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeDebugPrivilege	668	rundll32.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeDebugPrivilege	3984	TaskKill.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe
Token: SeTakeOwnershipPrivilege	1996	msiexec.exe
Token: SeRestorePrivilege	1996	msiexec.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
5276	msiexec.exe
5276	msiexec.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe
1968	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
7044	SplashtopStreamer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1968 wrote to memory of 116	1968	msedge.exe	85
PID 1968 wrote to memory of 116	1968	msedge.exe	85
PID 1968 wrote to memory of 4520	1968	msedge.exe	86
PID 1968 wrote to memory of 4520	1968	msedge.exe	86
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5616	1968	msedge.exe	87
PID 1968 wrote to memory of 5696	1968	msedge.exe	88
PID 1968 wrote to memory of 5696	1968	msedge.exe	88
PID 1968 wrote to memory of 5696	1968	msedge.exe	88
PID 1968 wrote to memory of 5696	1968	msedge.exe	88
PID 1968 wrote to memory of 5696	1968	msedge.exe	88
PID 1968 wrote to memory of 5696	1968	msedge.exe	88
PID 1968 wrote to memory of 5696	1968	msedge.exe	88
PID 1968 wrote to memory of 5696	1968	msedge.exe	88
PID 1968 wrote to memory of 5696	1968	msedge.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://hidrive.ionos.com/api/sharelink/download?id=O9dSTHQbd
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x2b0,0x7ffb149af208,0x7ffb149af214,0x7ffb149af220
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1952,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2244,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:5616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2516,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=2656 /prefetch:8
  2⤵
  PID:5696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3540,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=3620 /prefetch:1
  2⤵
  PID:5168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3548,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:5164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4340,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:5996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4892,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5516,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5768,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5756 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --always-read-main-dll --field-trial-handle=5808,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6044,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6516,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6516,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:5140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6612,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=6636 /prefetch:8
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6684,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5800 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=5672,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:5248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --always-read-main-dll --field-trial-handle=6848,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=6868 /prefetch:1
  2⤵
  PID:5568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --init-isolate-as-foreground --pdf-shared-library --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6040,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=6828 /prefetch:2
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --renderer-sub-type=pdf-renderer --pdf-renderer --pdf-shared-library --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags="--ms-user-locale= --jitless" --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --always-read-main-dll --field-trial-handle=6728,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  PID:2780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=5908,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=6820 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --always-read-main-dll --field-trial-handle=3696,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=7164 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6824,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=7324 /prefetch:8
  2⤵
  PID:1448
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\3330a-8272-4b57-8c7c-608589d7d1a2 .msi"
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:5276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5628 /prefetch:8
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5580,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=5584 /prefetch:8
  2⤵
  PID:5800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6112,i,11636037102188153391,4139061479541384660,262144 --variations-seed-version --mojo-platform-channel-handle=7284 /prefetch:8
  2⤵
  PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4044

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
1⤵
PID:3244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window --win-session-start
  2⤵
  PID:5232

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1996
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4140
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3955C7C9B51750AC3BCE7684428510E9
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2284
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIED2F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643625 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3436
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF00E.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240644140 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:668
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIF445.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240645203 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:564
- - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSIFFB4.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240648171 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
    3⤵
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3260
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2708966F0CE920CA332A6F0E9888490C E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1532
- - C:\Windows\SysWOW64\NET.exe
    "NET" STOP AteraAgent
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 STOP AteraAgent
      4⤵
      System Location Discovery: System Language Discovery
      PID:2056
- - C:\Windows\SysWOW64\TaskKill.exe
    "TaskKill.exe" /f /im AteraAgent.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000RjygRIAR" /AgentId="3e071f31-6a44-413e-8f82-f2d4ba7429f8"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  PID:3808
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 884FFCABD6E7C27CEB729868011E3E68 E Global\MSI0000
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  PID:6388
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4C7C2DB3-93EC-4CDB-BA24-1F3B835D5145}
    3⤵
    - Executes dropped EXE
    PID:6224
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{08BDF544-470F-4B1A-9F21-4CEB5BE208D4}
    3⤵
    - Executes dropped EXE
    PID:6660
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CFA92EF0-3B5B-42A5-B79F-9A99AD5C995B}
    3⤵
    - Executes dropped EXE
    PID:5768
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F8B22494-7455-4BAD-8316-4C24A02CC8D0}
    3⤵
    - Executes dropped EXE
    PID:5228
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C16D13C0-233E-40B6-A02F-0B20CC0E0AAD}
    3⤵
    - Executes dropped EXE
    PID:6472
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D3FA818-130F-4310-AF25-4F2273A10E64}
    3⤵
    - Executes dropped EXE
    PID:5976
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DFF3F6A9-B107-430D-8380-5E3B2F680C25}
    3⤵
    - Executes dropped EXE
    PID:5900
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FA43C46D-EAC1-4BEC-9865-125D4D72364C}
    3⤵
    - Executes dropped EXE
    PID:3888
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C287A7C6-D9CD-4F97-8A3A-B628D8DEACBA}
    3⤵
    - Executes dropped EXE
    PID:2156
- - C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe
    C:\Windows\TEMP\{C5190340-96FA-40F9-8218-9B8048D85A33}\_is37D4.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F90FCBEF-F710-489D-83D2-755A89EF69DB}
    3⤵
    - Executes dropped EXE
    PID:2508
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRServer.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:7080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:7072
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRApp.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:7156
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6208
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAppPB.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6264
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6288
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRFeature.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6564
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6580
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRFeatMini.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6640
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6712
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRManager.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6688
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6660
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAgent.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:6456
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6436
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRChat.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3808
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRAudioChat.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:544
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3656
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill.exe /F /IM SRVirtualDisplay.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:5992
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4138F174-44D0-4A9F-8845-479857DE88D9}
    3⤵
    - Executes dropped EXE
    PID:7104
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{68072EE4-C55C-4D7B-84ED-B9B41701770B}
    3⤵
    - Executes dropped EXE
    PID:7068
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2F90BDCA-60B1-4BB2-95F8-6ED378C19418}
    3⤵
    - Executes dropped EXE
    PID:7160
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{128A2212-9A8B-468B-9DFC-3F606ED99DFE}
    3⤵
    - Executes dropped EXE
    PID:7140
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{258A1088-4239-427E-8729-5A9CAAB7EFAC}
    3⤵
    - Executes dropped EXE
    PID:6244
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8679918C-6283-4936-9736-79E9E376D647}
    3⤵
    - Executes dropped EXE
    PID:5148
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DD4935B2-F145-4FD8-A864-B68290EA3737}
    3⤵
    - Executes dropped EXE
    PID:6340
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4A5B4B24-793D-40E6-97F6-2C48944555A2}
    3⤵
    - Executes dropped EXE
    PID:6716
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{857B95B5-2865-4007-AA41-ABA9F4346C7D}
    3⤵
    - Executes dropped EXE
    PID:6620
- - C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe
    C:\Windows\TEMP\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AE1DE94E-3BE2-4D57-9E59-2CD81F3D2013}
    3⤵
    - Executes dropped EXE
    PID:6248

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:884

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
PID:5988
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:5232
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3e071f31-6a44-413e-8f82-f2d4ba7429f8 "86270d87-791e-4c6e-bf8d-0427c1fd75da" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000RjygRIAR
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5840
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3e071f31-6a44-413e-8f82-f2d4ba7429f8 "01c8c885-d943-498d-ae7d-cd849d091d24" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000RjygRIAR
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:5244
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3e071f31-6a44-413e-8f82-f2d4ba7429f8 "ad99dc2a-2153-4b55-b245-302ba2451b0f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000RjygRIAR
  2⤵
  - Executes dropped EXE
  PID:5416
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 3e071f31-6a44-413e-8f82-f2d4ba7429f8 "92dcab4c-64ca-4bad-bbb5-f45a3b376be1" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000RjygRIAR
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:3672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"
    3⤵
    - Drops file in System32 directory
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:3848
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
    3⤵
    PID:6380
  - - C:\Windows\system32\cscript.exe
      cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
      4⤵
      Modifies data under HKEY_USERS
      PID:6440
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 3e071f31-6a44-413e-8f82-f2d4ba7429f8 "9608a9c1-8628-4542-a9ae-47a5d5aaa017" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOjMsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000RjygRIAR
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5468
- - C:\Windows\TEMP\SplashtopStreamer.exe
    "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of SetWindowsHookEx
    PID:7044
  - - C:\Windows\Temp\unpack\PreVerCheck.exe
      "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:6320
    - - C:\Windows\SysWOW64\msiexec.exe
        
        msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:6284
- C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 3e071f31-6a44-413e-8f82-f2d4ba7429f8 "fd7eaa93-d770-4b49-a99c-5fa183b362c5" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000RjygRIAR
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in System32 directory
  PID:5296

C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
"C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:2056
- C:\Windows\System32\sc.exe
  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
  2⤵
  - Launches sc.exe
  PID:5840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ecb3.rbs

Filesize
8KB

MD5
40528f51b04fbd75bd64a32f816a2ea7

SHA1
11ea2f925125aac71eadb58675dc7edc4a94e2c2

SHA256
bb8f3ea55a12b0d7abb3e39eac9789e1bcff553f4dfbdffdaa920543e9e71fc2

SHA512
8ee299c1fc872fcd3b299622a629f3858cede2d680568c5c726343ec14da844e103bdf0356e64861e77561bc56388cd5d472c15d743a567b2744b659ed01fc12

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

Filesize
142KB

MD5
477293f80461713d51a98a24023d45e8

SHA1
e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

SHA256
a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

SHA512
23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

Filesize
1KB

MD5
b3bb71f9bb4de4236c26578a8fae2dcd

SHA1
1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

SHA256
e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

SHA512
fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

Filesize
248KB

MD5
bf7f46a78bba38717dc1ccd5a48c9aa2

SHA1
30382066798876dc4e689bfcfad098910a213cda

SHA256
0f0425430b83a340883c9c4318cda20e91c8db1febcf0f1b731ae93f2d119020

SHA512
bbae0e9ce97d5db855799960778425bcd652d7e1507089211be8413fd56698845dc00c19bb4adafe6ea3ff3c00b0ad0a9a111bb00f7f57b1d59ea79b236163ab

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

Filesize
396KB

MD5
b5929e2ca0e402a373b633bb78d0414a

SHA1
38146d4f3ddca1b1e854bf638b7722356e5e2195

SHA256
d7b43a4807e1841b94353656fcfd45b69f7550adf137c56aefb85104883fb821

SHA512
65e02019656d61238b8fc784496eb6ccf238a5f6eff9b101893641cb45d9c63058cf67abb2bc75007e9e2726458115eb8e9ad9a4cf34a86435ea637dc78c3ea6

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

Filesize
70KB

MD5
e9b3a59f67febdd7f8fbe68d71c5d0ab

SHA1
22bd3ec3f8e0be2f317ade9d553acdb3ea11f52e

SHA256
bff4de54dacec104e1e63659857ca99d3e9658dcc09d6e1cbf54dc7b22629cbf

SHA512
00e95ea600777025a30e23c755522b869320ca445ac5bd74f123306457d0793efa338220cba9d064e5d25cc3dcf19d66e4e48d3a1c72d196eeb77fb61e4b0688

Download Submit
C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

Filesize
588KB

MD5
17d74c03b6bcbcd88b46fcc58fc79a0d

SHA1
bc0316e11c119806907c058d62513eb8ce32288c

SHA256
13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

SHA512
f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe

Filesize
9KB

MD5
1ef7574bc4d8b6034935d99ad884f15b

SHA1
110709ab33f893737f4b0567f9495ac60c37667c

SHA256
0814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271

SHA512
947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe

Filesize
10KB

MD5
f512536173e386121b3ebd22aac41a4e

SHA1
74ae133215345beaebb7a95f969f34a40dda922a

SHA256
a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a

SHA512
1efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe

Filesize
76KB

MD5
b40fe65431b18a52e6452279b88954af

SHA1
c25de80f00014e129ff290bf84ddf25a23fdfc30

SHA256
800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e

SHA512
e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d

Download Submit
C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe

Filesize
80KB

MD5
3904d0698962e09da946046020cbcb17

SHA1
edae098e7e8452ca6c125cf6362dda3f4d78f0ae

SHA256
a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

SHA512
c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
0fae2e98e720271cfb2be761f02a40ae

SHA1
57252bb3328ef51a781aef047327f384fd597e4a

SHA256
f7e431fa38579eba6f402524c2a41ebb9888a5925b880bb58c8fad81149bee82

SHA512
878b4ba25fdf29bfcc924de90b32a0b5f75a314b7287e97fe61bc286c851dedb39db56d2f240b348f8f88d4780d2c2d719d7eaf80ac7b8cf94c48386d8388bd8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC

Filesize
727B

MD5
740aba26756c2e67fe1d1448dd06982e

SHA1
62e2192c8bfa95a244813d0cb500b494d8a4a646

SHA256
65a67fbc4a20cc9c3cbfc6035f144589e85dbd31d05bccdeabb5d63b43b8c104

SHA512
9324cc00ea9cac8b68c328432e07398af81a0454f2f140f03b836b7b4d167c6dc506853edf68327b49b9315639e6b18bd52ce3a6572d0a938084f4883587a913

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
265da4547fc57c9b732837e09cd30d8e

SHA1
422b0b6e88c6ee8a58c9f8db2f9f4fa8c45c3a75

SHA256
a5033d6bba7f36ff40321b82b37292077c41cacbe53e208d455cdb530199906e

SHA512
e04a351a97ba121a42dcd5e9d8123235b1c9b98a5b29e4db3ea885cb467d2f848ae811274b2ab1ea4657432a4fedc198bb5c7bb44fb6055b934712f57fda63c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
400B

MD5
45db07fe6c012a6d9785e8d2a33e8a27

SHA1
29b88a7adbb1dd3540c6e31603b1b963299cb1c2

SHA256
5e01ee4736850dd075e0f1e2e88af5fc8ca2f020b63f2690059250cd83928435

SHA512
dff2a0554f3e838a9725d7a2237dd5d54464984525d42ba3e58b6ae9fc04541e8f1234c7087db1309d0a34591041f7477795b47d9b6d495b08a31e8eeb01d2e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC

Filesize
412B

MD5
86f09c603a4d62ed9d11da0c0e574fa8

SHA1
97635a4757a465bdd77d151564aac05463b6a43d

SHA256
fd0c357dc15ee2d7a73686d8912553732b54a489b9aa7b881907aaa66c2ae62e

SHA512
713391882217a2de3d78576b84d21fdf4e1ec5083a3df8341829c66dec6e67c5db49a9fc69d493b3f60bff6372f82d25b83400ddb80cc09a26c96451d01bf2df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
543dfa1dfcf76da211e4f3c88384c1cb

SHA1
4f635b998cffaf3a9efa9ec5e94422a65bd3dce6

SHA256
bdcb795e56190cd185999407db335cefdff523472c648cb02883416f7bb98568

SHA512
41ca4690534cdb43a9ab4b47c08e72c88f12880ed8c2ed546a8f5256e713c88eecff68b8ed6afb507e8df3ea9706cc46dcbdeea398819960027c1a6d45eab9f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
9bbfe11735bac43a2ed1be18d0655fe2

SHA1
61141928bb248fd6e9cd5084a9db05a9b980fb3a

SHA256
549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74

SHA512
a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
c565dec6fa71939fb17e03a07c570be5

SHA1
de0f95e50100be6354040e35b561b9a39786ce27

SHA256
052d5d2eed7f686b9fba64ac28ed246a6174ff0eb66207cbeed9f46dde999780

SHA512
c040d053241ce5bf9cab1916eb81042f72488fbdae1025ccceb4eedbcb7218fcb8be0e10a99e0bb135b373b32f91ab67c194eeebf037266b20a4a258d8f81f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57fda9.TMP

Filesize
3KB

MD5
793d7b6f2b407b3a68af7520586f131b

SHA1
7fb628ca3b752a8434fdcf53255db32cc6ae88fe

SHA256
d88c6a8846190258cf1522a888a2a97247a884a9932212fbcf14beddffa86cda

SHA512
37f6cee58fb75a8d5dbb97e857dfe23fc7203cad7866b11900b6de47c00e8ca1e4fbbf28a61a7ef0888bda12ab65d2ca50727d4e0d80f0a328175820e84e520b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
2b66d93c82a06797cdfd9df96a09e74a

SHA1
5f7eb526ee8a0c519b5d86c845fea8afd15b0c28

SHA256
d4c064db769b3c109da2ed80a53fbab00987c17421a47921e41e213781d67954

SHA512
95e45c0aea0e704be5f512dffaae377d4abef78da99b3bca769264d69be20f2570daf2f47905645217e1b2696e42b101f26149219f148b4d6dd97a6c2868b6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
fc2a6e74da1a58e8f04d882a26315af9

SHA1
e2d1b08def9859037ce3cb9fe3d37c1a213bbf0a

SHA256
9bc464316acc5363b2e3a7e34dfe451804f1a8abbf75de3564b4009d317840fc

SHA512
1843d8ebd990561f126e0b95780b64d7e574fad386dcd93881b69276f928f70527530de8c4215d63a029b083b22809a762cec3ca5edc11dad1f07519a3bc0921

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
68487e0c22c8a961ba78b40838e990f7

SHA1
86c1f54538ea0297125bd982da0759b42d2e84a4

SHA256
0f8548d7fb0c4fd75e856a5a6f80e9b99155e456854233a7fcac0b1d7bd46937

SHA512
960d3b8b900066b0d8d965e1da30261e828738fe0c197bdd95fba5bc45c0dc99f0b87148096780efb1b9a61f272f519dd0c7ed9f8e3d95fd4fd6cc1eaf29c896

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
eaf1c1dc694c09f7107f4bbaaf99961f

SHA1
c6a2377daa3d0d1b811ccef9ad3b5a61eea9c3a4

SHA256
116c4fafe586dab3ba84e203e1f7ca12977321ca09c1a6af9bed987ae0ea0fcd

SHA512
394520ae7a348e690d471b7f613594046b3ea00836bc7c1daf50616fcf1a24efd38af28207fd5d1314fa14af60a2bd82dd9b338f993b1c94e269e6bfaacf82a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
29f2cd8e37763efa1233cc22070ad897

SHA1
fb7fa66a226b4affef20429d4856980389e6651f

SHA256
9cc32154b9889da0396cda1d690be24cea7f51dfd4fa9575c46c48445849ba6a

SHA512
8467358eb8f06d3a5c61db2ceb9b6b1fc349f545f81e8f2ada9c549bbb7876561e0a84bf5278a2a38cd92f8635f145675a4018fcaaab52bdd4fd07fdcf8391c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
bc650a7161f0a46f93b62404c7883f25

SHA1
e0a6a293b7a858f1b1e51ad7296144724b87864a

SHA256
814576c212e1b57049a1aa5c1af6c3263391062567bf0002e1c58819bc8407df

SHA512
8d825d53bdbf1578b68cb086d0ec7da2465ba1d2fcb41af988739918b82aa9a97041c106d9868eda29a3797740dcd15392488686b790de0341a635ce7ee30bd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
87e307a20003ad66078e08fb00a7a783

SHA1
07b187a3e797c2936bee67d4bb57368c883d6c9a

SHA256
fccd9a64159b620a5b243f98fa4a634e049065b6447e45faace89470b8a789b1

SHA512
af2fb352c7ae1985523651f2375bbbca1675130935ad9cd875d3f189f4fa6ca2e234ecd824b581295e9a114d346264598e5fd7507e5a55b798030aa1b1640643

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e82f0abf-8183-44fb-ae6d-3dd2982e01da.tmp

Filesize
41KB

MD5
a250e1d8d63a0aed8ced8d5ff9bd6875

SHA1
c89980c5257e0ac6818d2667d3bec27af40e4bf1

SHA256
e32e957d554da24ac0fbd2d6f1881459794408f423c59d9672e7ec71e71138c4

SHA512
b6b271d376afe0559af3ab5728c6cb5197ce8666753ae4063cc34866b3c1683ee7993200fce5b8c206f75d73d12a236d8ff4047c47c51502f9dd5a28e9afe78b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\extensions_crx_cache\ghbmnnjooekpmoecnnnilnnbdlolhkhi_1.fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
149988633fa537b5eba675986d9fc807

SHA1
90b868167719f0b06945d9e6468e9db3ac25b9de

SHA256
15ec18af34b74fefa23ab1b17f71fe2ba05aa751172bd14da1e1330239778872

SHA512
4ebf7c10121d54ff5e0e0e1189e901aca4415a1496c654b96703c8e87fd312e77d2d6764befb7c3ccb237877ea81286992b3137d82aee01e2e52bad27f3735a2

Download Submit
C:\Users\Admin\Downloads\3330a-8272-4b57-8c7c-608589d7d1a2 .msi

Filesize
2.9MB

MD5
ab89fb0e79651e8507704a55912a88cd

SHA1
3b33c91f86fc294257c027b824597799330c07c1

SHA256
f195434cdd4902df5ce9f4a2401b8ab391fd097b46900ab49e4fb7f19829616f

SHA512
d127d8eafbfa8a80a7e1815c84d5fa48b79b1d5035bc0711f2041f79617763afbcf8b3df7319fd8e5c7350d0e2f30ab4ac6c154498dc2ec2a20d34b01910d6fe

Download Submit
C:\Users\Admin\Downloads\72435345322.pdf

Filesize
11KB

MD5
c232af69b5be9ab5a9a0f838bc5e373b

SHA1
3e09a1225d3e9e90bb722f983270e6af3805b29d

SHA256
d15a8b88c144bb2efad68a41c9b7470fdc8007e2ef5ffa03213bde24924daed9

SHA512
45e6a332a2f55f5f89ccf5dfbffbd264dde852c48715163245bfb28f3df7335b4e9de457e61edd25f894d6c44d818ac9dfbe25b12018be5804ec9d3aba92411b

Download Submit
C:\Windows\Installer\MSIED2F.tmp

Filesize
509KB

MD5
88d29734f37bdcffd202eafcdd082f9d

SHA1
823b40d05a1cab06b857ed87451bf683fdd56a5e

SHA256
87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

SHA512
1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

Download Submit
C:\Windows\Installer\MSIED2F.tmp-\AlphaControlAgentInstallation.dll

Filesize
25KB

MD5
aa1b9c5c685173fad2dabebeb3171f01

SHA1
ed756b1760e563ce888276ff248c734b7dd851fb

SHA256
e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

SHA512
d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

Download Submit
C:\Windows\Installer\MSIED2F.tmp-\Microsoft.Deployment.WindowsInstaller.dll

Filesize
179KB

MD5
1a5caea6734fdd07caa514c3f3fb75da

SHA1
f070ac0d91bd337d7952abd1ddf19a737b94510c

SHA256
cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

SHA512
a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

Download Submit
C:\Windows\Installer\MSIF00E.tmp-\CustomAction.config

Filesize
1KB

MD5
bc17e956cde8dd5425f2b2a68ed919f8

SHA1
5e3736331e9e2f6bf851e3355f31006ccd8caa99

SHA256
e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

SHA512
02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

Download Submit
C:\Windows\Installer\MSIF00E.tmp-\Newtonsoft.Json.dll

Filesize
695KB

MD5
715a1fbee4665e99e859eda667fe8034

SHA1
e13c6e4210043c4976dcdc447ea2b32854f70cc6

SHA256
c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

SHA512
bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

Download Submit
C:\Windows\Installer\MSIF60C.tmp

Filesize
211KB

MD5
a3ae5d86ecf38db9427359ea37a5f646

SHA1
eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

SHA256
c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

SHA512
96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Download Submit
C:\Windows\Temp\B7C5EA94-B96A-41F5-BE95-25D78B486678-14-54-39.dat

Filesize
602B

MD5
63479e1072430e02ba2f389347a6d4ff

SHA1
5ad0bf1db087269757428fed3f10665b347fc386

SHA256
4a39656e5ac98354b81e656c75addeff7586832f5a6a6c6fcfa620dcbafcb8da

SHA512
542253b82a476220d79e8743db106e0fe8ea0f2174c7a6ab26c2753f190f28ca91a0cbc8b1644f9ee14e5a0543c231c4c110551f88327743aab4d8f76f2c10fe

Download Submit
C:\Windows\Temp\PreVer.log

Filesize
2KB

MD5
e436598ca7283b93802ba667bad2ccbd

SHA1
f20705de48e145e6a8a13edf5be799a2f9639160

SHA256
6fb35f653011e3864d9bef3757f1cbd3d382d6c4209f93610ecf8182cc5cf40d

SHA512
10d4947fef914f250fd253e59953bfd26a46aa2e623c9df55f29039ab6af1b6ad209d35f52dbe8a7a90bb7414d078d79268f978afc5f6d48a76ef9642fb053aa

Download Submit
C:\Windows\Temp\__PSScriptPolicyTest_w1t5msoh.iwy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\unpack.log

Filesize
4KB

MD5
188340e84830e73491227f42663985c8

SHA1
f1d40b81c1f4ab361ada7b08423296294964447c

SHA256
f4073da1074969335057257cf52ec5d11eb90e970c5a7e985bf5b2ba94339da2

SHA512
d894bf01c33ca6163fd4d002119ac50fb165c90d757481d3ee98ba9837111f956c62f40a15f49eb8bfbf58ee8021ec85deb5e82a21c4cd610edc410f2fa1c99f

Download Submit
C:\Windows\Temp\unpack\PreVerCheck.exe

Filesize
3.2MB

MD5
2c18826adf72365827f780b2a1d5ea75

SHA1
a85b5eae6eba4af001d03996f48d97f7791e36eb

SHA256
ae06a5a23b6c61d250e8c28534ed0ffa8cc0c69b891c670ffaf54a43a9bf43be

SHA512
474fce1ec243b9f63ea3d427eb1117ad2ebc5a122f64853c5015193e6727ffc8083c5938117b66e572da3739fd0a86cd5bc118f374c690fa7a5fe9f0c071c167

Download Submit
C:\Windows\Temp\{09805029-7B5C-415C-96AA-52E9B453D664}\IsConfig.ini

Filesize
571B

MD5
d239b8964e37974225ad69d78a0a8275

SHA1
cf208e98a6f11d1807cd84ca61504ad783471679

SHA256
0ce4b4c69344a2d099dd6ca99e44801542fa2011b5505dd9760f023570049b73

SHA512
88eb06ae80070203cb7303a790ba0e8a63c503740ca6e7d70002a1071c89b640f9b43f376ddc3c9d6ee29bae0881f736fa71e677591416980b0a526b27ee41e8

Download Submit
C:\Windows\Temp\{09805029-7B5C-415C-96AA-52E9B453D664}\String1033.txt

Filesize
182KB

MD5
99bbffd900115fe8672c73fb1a48a604

SHA1
8f587395fa6b954affef337c70781ce00913950e

SHA256
57ceff2d980d9224c53a910a6f9e06475dc170f42a0070ae4934868ccd13d2dc

SHA512
d578b1931a8daa1ef0f0238639a0c1509255480b5dbd464c639b4031832e2e7537f003c646d7bd65b75e721a7ad584254b4dfa7efc41cf6c8fbd6b72d679eeff

Download Submit
C:\Windows\Temp\{09805029-7B5C-415C-96AA-52E9B453D664}\_is45EE.exe

Filesize
179KB

MD5
7a1c100df8065815dc34c05abc0c13de

SHA1
3c23414ae545d2087e5462a8994d2b87d3e6d9e2

SHA256
e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

SHA512
bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

Download Submit
C:\Windows\Temp\{09805029-7B5C-415C-96AA-52E9B453D664}\setup.inx

Filesize
345KB

MD5
0376dd5b7e37985ea50e693dc212094c

SHA1
02859394164c33924907b85ab0aaddc628c31bf1

SHA256
c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415

SHA512
69d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5

Download Submit
C:\Windows\Temp\{C5190340-96FA-40F9-8218-9B8048D85A33}\ISRT.dll

Filesize
427KB

MD5
85315ad538fa5af8162f1cd2fce1c99d

SHA1
31c177c28a05fa3de5e1f934b96b9d01a8969bba

SHA256
70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

SHA512
877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

Download Submit
C:\Windows\Temp\{C5190340-96FA-40F9-8218-9B8048D85A33}\_isres_0x0409.dll

Filesize
1.8MB

MD5
befe2ef369d12f83c72c5f2f7069dd87

SHA1
b89c7f6da1241ed98015dc347e70322832bcbe50

SHA256
9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131

SHA512
760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b

Download Submit
memory/564-633-0x0000000004AC0000-0x0000000004B26000-memory.dmp

Filesize
408KB

Download
memory/668-599-0x00000000050E0000-0x0000000005192000-memory.dmp

Filesize
712KB

Download
memory/668-602-0x0000000002CA0000-0x0000000002CC2000-memory.dmp

Filesize
136KB

Download
memory/668-603-0x00000000051A0000-0x00000000054F4000-memory.dmp

Filesize
3.3MB

Download
memory/3436-562-0x0000000002520000-0x000000000254E000-memory.dmp

Filesize
184KB

Download
memory/3436-566-0x0000000002560000-0x000000000256C000-memory.dmp

Filesize
48KB

Download
memory/3808-690-0x0000012498A90000-0x0000012498ACC000-memory.dmp

Filesize
240KB

Download
memory/3808-673-0x00000124985F0000-0x0000012498618000-memory.dmp

Filesize
160KB

Download
memory/3808-685-0x00000124B2C50000-0x00000124B2CE8000-memory.dmp

Filesize
608KB

Download
memory/3808-689-0x00000124989F0000-0x0000012498A02000-memory.dmp

Filesize
72KB

Download
memory/5296-918-0x0000017593200000-0x0000017593208000-memory.dmp

Filesize
32KB

Download
memory/5296-896-0x0000017593010000-0x000001759302C000-memory.dmp

Filesize
112KB

Download
memory/5296-914-0x00000175ABC00000-0x00000175ABCDC000-memory.dmp

Filesize
880KB

Download
memory/5296-915-0x00000175ABCE0000-0x00000175ABD92000-memory.dmp

Filesize
712KB

Download
memory/5296-919-0x0000017593210000-0x0000017593218000-memory.dmp

Filesize
32KB

Download
memory/5296-900-0x0000017593030000-0x0000017593038000-memory.dmp

Filesize
32KB

Download
memory/5296-920-0x0000017593220000-0x0000017593228000-memory.dmp

Filesize
32KB

Download
memory/5296-921-0x00000175ABB90000-0x00000175ABBF8000-memory.dmp

Filesize
416KB

Download
memory/5296-922-0x00000175ABB50000-0x00000175ABB7A000-memory.dmp

Filesize
168KB

Download
memory/5296-923-0x00000175ABE20000-0x00000175ABE5A000-memory.dmp

Filesize
232KB

Download
memory/5296-924-0x00000175ABB20000-0x00000175ABB46000-memory.dmp

Filesize
152KB

Download
memory/5296-899-0x00000175AB9D0000-0x00000175ABA18000-memory.dmp

Filesize
288KB

Download
memory/5296-898-0x00000175AB980000-0x00000175AB9CC000-memory.dmp

Filesize
304KB

Download
memory/5296-901-0x0000017593090000-0x000001759309A000-memory.dmp

Filesize
40KB

Download
memory/5296-894-0x0000017592780000-0x00000175927E6000-memory.dmp

Filesize
408KB

Download
memory/5296-895-0x0000017593040000-0x000001759308A000-memory.dmp

Filesize
296KB

Download
memory/5468-889-0x000001FA40200000-0x000001FA4021C000-memory.dmp

Filesize
112KB

Download
memory/5468-878-0x000001FA58B50000-0x000001FA58C02000-memory.dmp

Filesize
712KB

Download
memory/5468-874-0x000001FA3F990000-0x000001FA3F9A6000-memory.dmp

Filesize
88KB

Download
memory/5840-812-0x00000216C3D60000-0x00000216C3D80000-memory.dmp

Filesize
128KB

Download
memory/5840-811-0x00000216C3E20000-0x00000216C3ED2000-memory.dmp

Filesize
712KB

Download
memory/5840-810-0x00000216AACF0000-0x00000216AAD32000-memory.dmp

Filesize
264KB

Download
memory/5988-766-0x0000022B29E20000-0x0000022B29E58000-memory.dmp

Filesize
224KB

Download
memory/5988-736-0x0000022B29830000-0x0000022B29852000-memory.dmp

Filesize
136KB

Download
memory/5988-728-0x0000022B29890000-0x0000022B29942000-memory.dmp

Filesize
712KB

Download
memory/6388-1043-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download
memory/6388-1046-0x0000000003360000-0x0000000003527000-memory.dmp

Filesize
1.8MB

Download
memory/6388-1079-0x0000000010000000-0x0000000010114000-memory.dmp

Filesize
1.1MB

Download