Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    08-11-2024 12:28

General

  • Target

    b42fa58e23432c66acf7d1ba65f2c938dac7bbcd0dbebeac7c52951555d07cdf.msi

  • Size

    2.9MB

  • MD5

    ab5c500b1c59ef0f6c6d0f7846f7a6f6

  • SHA1

    91a5b9993e3b891d0e502e9b37a9e39afc93715c

  • SHA256

    b42fa58e23432c66acf7d1ba65f2c938dac7bbcd0dbebeac7c52951555d07cdf

  • SHA512

    1abde5aa2e93168fd676aca21678d9f52d9dc27623adeebf584ad561899d61f058e413848c627ec78788cc0a4c30999549f5c79c439440e1ecc50742f2708f14

  • SSDEEP

    49152:d+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:d+lUlz9FKbsodq0YaH7ZPxMb8tT

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

  • Ateraagent family
  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 7 IoCs
  • Drops file in Drivers directory 6 IoCs
  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Drops file in System32 directory 64 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • UPX packed file 29 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Executes dropped EXE 64 IoCs
  • Launches sc.exe 5 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 60 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Time Discovery 1 TTPs 4 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 13 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\b42fa58e23432c66acf7d1ba65f2c938dac7bbcd0dbebeac7c52951555d07cdf.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4644
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4408
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 39109CE61717D66FF338DC84238B4B10
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1780
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIB12F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240628265 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:2224
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIB3FF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240628750 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:4456
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIB884.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240629890 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:4168
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIC3A5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240632781 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1200
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 480686048C71BBB61410F528BAD63400 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\SysWOW64\NET.exe
          "NET" STOP AteraAgent
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:5024
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 STOP AteraAgent
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4632
        • C:\Windows\SysWOW64\TaskKill.exe
          "TaskKill.exe" /f /im AteraAgent.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:4940
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="297" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="0013z00002RLqCLAA1" /AgentId="830d21bf-52f4-4ce7-a581-dcc7ad1e27f0"
        2⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:2828
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 3593F73AF82FD3DA44F1BD49FAF93FC1 E Global\MSI0000
        2⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1184
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{168A8811-6E8C-4E1F-9F2C-9D76B9E072B9}
          3⤵
          • Executes dropped EXE
          PID:4000
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A2334420-B03B-45D1-AEB4-73D486B251DA}
          3⤵
          • Executes dropped EXE
          PID:3932
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6167F7CA-E5E5-4146-883E-2597F847BB34}
          3⤵
          • Executes dropped EXE
          PID:2176
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9C9C895D-75C7-4095-9211-AF695BBE8D73}
          3⤵
          • Executes dropped EXE
          PID:2068
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{46909E20-DA09-44B8-8A32-29C30852E857}
          3⤵
          • Executes dropped EXE
          PID:4168
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F14FDE1F-40B3-40AC-8FBF-8CA59FADCDEF}
          3⤵
          • Executes dropped EXE
          PID:3432
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8900B626-41E1-4040-A9B7-1808133D4A5D}
          3⤵
          • Executes dropped EXE
          PID:3932
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00B0C397-BE89-4EDA-94CE-5C16C15273C2}
          3⤵
          • Executes dropped EXE
          PID:4408
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C028FB3A-4275-414C-87BA-73EE1E19C2D8}
          3⤵
          • Executes dropped EXE
          PID:4112
        • C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe
          C:\Windows\TEMP\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isF906.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A07CDF60-2A32-4577-BD18-6EE6A30E7496}
          3⤵
          • Executes dropped EXE
          PID:1176
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4636
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRServer.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:1028
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1200
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRApp.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:4416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2180
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRAppPB.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:4380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:2068
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRFeature.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:2192
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5048
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRFeatMini.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:3168
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4168
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRManager.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:4380
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3168
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRAgent.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:4416
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4476
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRChat.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:3504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:1176
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRAudioChat.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:3504
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:876
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRVirtualDisplay.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:2828
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9DD52F0D-F0C7-41ED-9167-CB85172A3E97}
          3⤵
          • Executes dropped EXE
          PID:1148
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1D0895B3-ED09-4978-A4CF-D44961397ADB}
          3⤵
          • Executes dropped EXE
          PID:2444
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{010D102B-C5C8-42F8-812B-1E90677AFBC4}
          3⤵
          • Executes dropped EXE
          PID:748
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{62D72C17-01CE-45A4-B633-F776B8411F76}
          3⤵
          • Executes dropped EXE
          PID:4000
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{516316B9-6AB2-4051-8EA8-072665D64BF1}
          3⤵
          • Executes dropped EXE
          PID:3340
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2A13475F-1FC5-4E06-86EA-B78C05D67EEA}
          3⤵
          • Executes dropped EXE
          PID:3784
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{69E16327-6B7B-4105-BD91-4809A3ACFB69}
          3⤵
          • Executes dropped EXE
          PID:2968
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A44EEA68-3C6B-4670-B2A0-964B1E4EC827}
          3⤵
          • Executes dropped EXE
          PID:3892
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DAFAB92F-FBC8-4205-A645-007BB11FD6D9}
          3⤵
          • Executes dropped EXE
          PID:3476
        • C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe
          C:\Windows\TEMP\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{58886269-4BEA-4F99-91FF-E8B66A952FD3}
          3⤵
          • Executes dropped EXE
          PID:2840
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{98580CAF-21D5-43D5-9E52-C439115C67D3}
          3⤵
          • Executes dropped EXE
          PID:5204
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{67D5B463-A157-4F44-817E-04B92A5D8923}
          3⤵
          • Executes dropped EXE
          PID:5244
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2DC16D3B-572B-4723-B68A-F0C8EBC343AA}
          3⤵
          • Executes dropped EXE
          PID:5276
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F90A8D98-D59C-4BFD-A1A8-81FEA5D02235}
          3⤵
          • Executes dropped EXE
          PID:5308
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{00C4C0BC-9E45-450E-85D9-A2519244A217}
          3⤵
          • Executes dropped EXE
          PID:5340
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5BC175A4-36F4-4E3A-994E-53B7771AF6F2}
          3⤵
          • Executes dropped EXE
          PID:5416
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A957F286-24D0-41AE-9B30-9D862F1EAE7F}
          3⤵
          • Executes dropped EXE
          PID:5448
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2118333A-6D93-418F-8184-1207438FAC64}
          3⤵
          • Executes dropped EXE
          PID:5480
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AE835E1D-51F2-4D77-8104-5E01376B7B08}
          3⤵
          • Executes dropped EXE
          PID:5512
        • C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe
          C:\Windows\TEMP\{049C33FB-28E7-4EF9-B239-E64D8AA00D6B}\_is125C.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6A473004-E39A-4153-91CE-1EB200E87975}
          3⤵
          • Executes dropped EXE
          PID:5544
        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
          "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5700
        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
          "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5772
        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
          "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:5916
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
            4⤵
              PID:5968
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
              4⤵
                PID:6108
            • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe
              "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:2444
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F49393CA-FB0E-407F-92EA-F3AACBB72FA9}
              3⤵
              • Executes dropped EXE
              PID:2728
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7BA64203-C30F-440D-8A28-B699396CB832}
              3⤵
              • Executes dropped EXE
              PID:5204
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3234FA5A-63AD-4761-997E-373CE2FCFD79}
              3⤵
              • Executes dropped EXE
              PID:5296
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22C8561F-9FFC-4408-B232-1B2C6C8E8878}
              3⤵
              • Executes dropped EXE
              PID:5316
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BFBEB20C-CE57-4303-ABA0-C398FA9985C9}
              3⤵
              • Executes dropped EXE
              PID:5372
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3F303965-6BAE-4390-B7F0-88A55D96C941}
              3⤵
              • Executes dropped EXE
              PID:5464
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{16BFA83F-5F1D-4837-8384-C5610A458BE2}
              3⤵
              • Executes dropped EXE
              PID:5496
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6263ECE9-34B1-4058-971A-CA15AF914BFA}
              3⤵
              • Executes dropped EXE
              PID:5516
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59B18082-A288-4D06-B17A-F9F7C23AB8B2}
              3⤵
              • Executes dropped EXE
              PID:5548
            • C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe
              C:\Windows\TEMP\{7D99B03D-12A0-4834-B60C-3978ADD5F183}\_is2682.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2431BC3B-F11F-4BF7-A34E-268B4B5BD022}
              3⤵
              • Executes dropped EXE
              PID:5588
            • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
              "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:5640
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E566023B-2FE3-47F0-BAA1-972153209CF2}
              3⤵
              • Executes dropped EXE
              PID:5808
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{41FAF2BD-4454-493F-A1A7-B7A8012AFB8F}
              3⤵
              • Executes dropped EXE
              PID:5844
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{79372E29-DB18-424C-A81E-89F39CC8E35E}
              3⤵
              • Executes dropped EXE
              PID:5876
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{476720B8-5FBF-4701-AFBA-DFC82ABADB86}
              3⤵
              • Executes dropped EXE
              PID:5908
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6880AA86-F3DB-420E-A02C-711F4BCE3326}
              3⤵
              • Executes dropped EXE
              PID:5996
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BBA20BE4-8319-4728-94A4-1414060944C5}
              3⤵
              • Executes dropped EXE
              PID:2888
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1EA4454C-9022-4FBB-BD1B-C7205833F94F}
              3⤵
              • Executes dropped EXE
              PID:6084
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF74DE85-1D86-46CA-9D29-582064DC98F1}
              3⤵
              • Executes dropped EXE
              PID:4356
            • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
              C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1915863C-0900-43DB-A883-24737839FD9C}
              3⤵
                PID:6132
              • C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe
                C:\Windows\TEMP\{711DA4C5-53C7-49AF-9617-8B1539354661}\_is29CF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{06187B9C-D321-4EA9-9469-FF970FE8108A}
                3⤵
                  PID:4380
                • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
                  "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:4564
              • C:\Windows\syswow64\MsiExec.exe
                C:\Windows\syswow64\MsiExec.exe -Embedding 89F892C93BC2418D00AB59AB7C365398 E Global\MSI0000
                2⤵
                • System Location Discovery: System Language Discovery
                PID:2888
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe "C:\Windows\Installer\MSI66D6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240674609 464 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
                  3⤵
                  • Drops file in System32 directory
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2760
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe "C:\Windows\Installer\MSI680F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240674828 468 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
                  3⤵
                  • Blocklisted process makes network request
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  PID:5508
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe "C:\Windows\Installer\MSI6B5C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240675671 473 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
                  3⤵
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:2340
                • C:\Windows\SysWOW64\NET.exe
                  "NET" STOP AteraAgent
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:5576
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 STOP AteraAgent
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:5868
                • C:\Windows\SysWOW64\TaskKill.exe
                  "TaskKill.exe" /f /im AteraAgent.exe
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  PID:5348
                • C:\Windows\syswow64\NET.exe
                  "NET" STOP AteraAgent
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:1484
                  • C:\Windows\SysWOW64\net1.exe
                    C:\Windows\system32\net1 STOP AteraAgent
                    4⤵
                    • System Location Discovery: System Language Discovery
                    PID:5408
                • C:\Windows\syswow64\TaskKill.exe
                  "TaskKill.exe" /f /im AteraAgent.exe
                  3⤵
                  • System Location Discovery: System Language Discovery
                  • Kills process with taskkill
                  PID:1804
                • C:\Windows\SysWOW64\rundll32.exe
                  rundll32.exe "C:\Windows\Installer\MSI8A86.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240683625 511 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
                  3⤵
                  • Blocklisted process makes network request
                  • Drops file in Windows directory
                  • System Location Discovery: System Language Discovery
                  PID:5944
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /u
                2⤵
                • Drops file in System32 directory
                PID:1220
              • C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
                "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="" /CompanyId="" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="" /AgentId="663fb7fe-44df-4ff1-b865-bdc800025b12"
                2⤵
                • Modifies data under HKEY_USERS
                PID:4864
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Checks SCSI registry key(s)
              • Suspicious use of AdjustPrivilegeToken
              PID:2128
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
              1⤵
              • Drops file in System32 directory
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2628
              • C:\Windows\System32\sc.exe
                "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                2⤵
                • Launches sc.exe
                PID:224
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "cf1acd3d-5225-4061-83bf-3e06b0d6e6f9" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 0013z00002RLqCLAA1
                2⤵
                • Executes dropped EXE
                PID:4456
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "968523fb-00ae-4f9d-9e62-b3b339ed5c13" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 0013z00002RLqCLAA1
                2⤵
                • Executes dropped EXE
                PID:3452
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "cd1f406c-3213-4ea0-9432-ca4b789c107f" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 0013z00002RLqCLAA1
                2⤵
                • Executes dropped EXE
                PID:4724
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "fcb291ba-59aa-48f9-b5b7-779e8787e23b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 0013z00002RLqCLAA1
                2⤵
                • Drops file in Program Files directory
                • Executes dropped EXE
                • Suspicious use of WriteProcessMemory
                PID:748
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3428
                  • C:\Windows\system32\cscript.exe
                    cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                    4⤵
                    • Modifies data under HKEY_USERS
                    PID:224
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "c43dabf7-b7d0-46d2-b5d6-1a3cccef613b" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIn0=" 0013z00002RLqCLAA1
                2⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1364
                • C:\Windows\TEMP\SplashtopStreamer.exe
                  "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:2772
                  • C:\Windows\Temp\unpack\PreVerCheck.exe
                    "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:4656
                    • C:\Windows\SysWOW64\msiexec.exe
                      msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:468
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "db70f31b-8eab-4e44-938c-18767ece83ab" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 0013z00002RLqCLAA1
                2⤵
                • Drops file in System32 directory
                • Executes dropped EXE
                • Loads dropped DLL
                • Modifies data under HKEY_USERS
                PID:4224
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
              1⤵
              • Drops file in Program Files directory
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              • Suspicious use of WriteProcessMemory
              PID:4064
              • C:\Windows\System32\sc.exe
                "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                2⤵
                • Launches sc.exe
                PID:4644
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "7953a923-8b82-4354-9b19-cb67130c8c74" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 0013z00002RLqCLAA1
                2⤵
                • Drops file in Program Files directory
                • Modifies data under HKEY_USERS
                PID:4928
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                  3⤵
                    PID:1200
                    • C:\Windows\system32\cscript.exe
                      cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                      4⤵
                      • Modifies data under HKEY_USERS
                      PID:5408
                • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "74755cca-a0fa-45a4-a859-b25657df1a40" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 0013z00002RLqCLAA1
                  2⤵
                  • Drops file in System32 directory
                  • Drops file in Program Files directory
                  PID:2776
                  • C:\Windows\SYSTEM32\msiexec.exe
                    "msiexec.exe" /i C:\Windows\TEMP\ateraAgentSetup64_1_8_7_2.msi /lv* AteraSetupLog.txt /qn /norestart
                    3⤵
                      PID:5504
                  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "475bbea8-37a1-4f29-b5fa-2c62cc9087bc" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 0013z00002RLqCLAA1
                    2⤵
                      PID:4392
                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
                        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=2668c673ba99afa95e46a102c8d5c6f3&rmm_session_pwd_ttl=86400"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:3804
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "a75b0d11-a65d-4131-815e-a934d1221f46" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 0013z00002RLqCLAA1
                      2⤵
                      • Drops file in System32 directory
                      • Modifies registry class
                      PID:3420
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "f91f391e-368e-4ad4-93b8-53d807722c89" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 0013z00002RLqCLAA1
                      2⤵
                      • Drops file in System32 directory
                      PID:5360
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "2898f3eb-ebc8-4783-a98b-cc9ef877203c" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 0013z00002RLqCLAA1
                      2⤵
                      • Drops file in System32 directory
                      • Drops file in Program Files directory
                      PID:6140
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "e065a7f7-8f1d-4090-a908-32052d236a0e" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 0013z00002RLqCLAA1
                      2⤵
                      • Writes to the Master Boot Record (MBR)
                      PID:5368
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "6a564bb5-d2a6-44fe-9306-ce72236471a8" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 0013z00002RLqCLAA1
                      2⤵
                      • Drops file in System32 directory
                      PID:5520
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "504adffa-98c5-4e20-ab3d-672d13835268" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 0013z00002RLqCLAA1
                      2⤵
                      • Drops file in System32 directory
                      PID:3520
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "7e90baa7-3960-4598-ab93-ef6b0e43b278" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 0013z00002RLqCLAA1
                      2⤵
                        PID:5916
                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "51f71bc8-e617-4832-8880-8b88f05180ac" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 0013z00002RLqCLAA1
                        2⤵
                          PID:5796
                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                          "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "b0b9ab0a-8d73-4bd7-8a2a-c045df48ea2b" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 0013z00002RLqCLAA1
                          2⤵
                            PID:4696
                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                            "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "f9728ac1-90b5-4edc-8563-9cbb1cf5e250" agent-api.atera.com/Production 443 or8ixLi90Mf "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" 0013z00002RLqCLAA1
                            2⤵
                            • Drops file in System32 directory
                            PID:5900
                            • C:\Windows\SYSTEM32\cmd.exe
                              "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
                              3⤵
                              • System Time Discovery
                              PID:5764
                              • C:\Program Files\dotnet\dotnet.exe
                                dotnet --list-runtimes
                                4⤵
                                • System Time Discovery
                                PID:5924
                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                            "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "64b18a6f-02d0-4dd5-8b83-0525a029e69e" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 0013z00002RLqCLAA1
                            2⤵
                            • Drops file in System32 directory
                            PID:2836
                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
                          "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"
                          1⤵
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4180
                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
                            "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"
                            2⤵
                            • Drops file in System32 directory
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            • Modifies data under HKEY_USERS
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2728
                            • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe
                              -h
                              3⤵
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SetWindowsHookEx
                              PID:5512
                            • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
                              "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"
                              3⤵
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious behavior: EnumeratesProcesses
                              PID:5584
                              • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe
                                "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v
                                4⤵
                                  PID:6100
                              • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe
                                "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious behavior: EnumeratesProcesses
                                • Suspicious use of SetWindowsHookEx
                                PID:5612
                              • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
                                "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"
                                3⤵
                                • Drops file in Program Files directory
                                • System Location Discovery: System Language Discovery
                                PID:2856
                                • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
                                  SRUtility.exe -r
                                  4⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:5668
                              • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe
                                "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"
                                3⤵
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:6036
                                • C:\Windows\System32\cmd.exe
                                  "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat" nosetkey
                                  4⤵
                                    PID:4444
                                    • C:\Windows\system32\cmd.exe
                                      C:\Windows\system32\cmd.exe /c ver
                                      5⤵
                                        PID:5856
                                      • C:\Windows\system32\sc.exe
                                        sc query ddmgr
                                        5⤵
                                        • Launches sc.exe
                                        PID:5776
                                      • C:\Windows\system32\sc.exe
                                        sc query lci_proxykmd
                                        5⤵
                                        • Launches sc.exe
                                        PID:1900
                                      • C:\Windows\system32\rundll32.exe
                                        rundll32 x64\my_setup.dll do_install_lci_proxywddm
                                        5⤵
                                        • Drops file in System32 directory
                                        • Drops file in Windows directory
                                        • Checks SCSI registry key(s)
                                        • Modifies data under HKEY_USERS
                                        PID:3144
                              • C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe
                                "C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe"
                                1⤵
                                • Drops file in Program Files directory
                                • Modifies data under HKEY_USERS
                                PID:1588
                                • C:\Windows\System32\sc.exe
                                  "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                                  2⤵
                                  • Launches sc.exe
                                  PID:4536
                                • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                  "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "9bfc456e-e6a7-469c-b563-107665e8143d" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 0013z00002RLqCLAA1
                                  2⤵
                                    PID:748
                                  • C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
                                    "C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "baa9512e-8746-4e0e-8a5a-2a22b783566a" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjp0cnVlLFx1MDAyMlJlcGVhdEludGVydmFsTWludXRlc1x1MDAyMjoxMCxcdTAwMjJEYXlzSW50ZXJ2YWxcdTAwMjI6MSxcdTAwMjJSZXBlYXREdXJhdGlvbkRheXNcdTAwMjI6MX0ifQ==" 0013z00002RLqCLAA1
                                    2⤵
                                      PID:6064
                                    • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                      "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "33dde2e4-bfcf-4e7f-a454-e796d0b281c4" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 0013z00002RLqCLAA1
                                      2⤵
                                      • Modifies data under HKEY_USERS
                                      PID:6136
                                      • C:\Windows\System32\cmd.exe
                                        "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                                        3⤵
                                          PID:1188
                                          • C:\Windows\system32\cscript.exe
                                            cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                                            4⤵
                                            • Modifies data under HKEY_USERS
                                            PID:4932
                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                        "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "cb716dd9-6e33-42f5-97ef-b8e62edcce49" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 0013z00002RLqCLAA1
                                        2⤵
                                          PID:1520
                                        • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                          "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "3c8b0e70-6454-4771-a302-b66013fd2878" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 0013z00002RLqCLAA1
                                          2⤵
                                          • Drops file in Program Files directory
                                          PID:5856
                                        • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                                          "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "f05e12e1-9376-4e74-a71b-3caa9900acc8" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 0013z00002RLqCLAA1
                                          2⤵
                                            PID:1072
                                          • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                            "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "bd68bd52-e742-4009-b5c0-48fa9624b507" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 0013z00002RLqCLAA1
                                            2⤵
                                            • Writes to the Master Boot Record (MBR)
                                            PID:3148
                                          • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                            "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "7e2265ec-3e8d-4380-8955-5189b1b40665" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 0013z00002RLqCLAA1
                                            2⤵
                                              PID:1220
                                              • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
                                                "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer/?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=2668c673ba99afa95e46a102c8d5c6f3&rmm_session_pwd_ttl=86400"
                                                3⤵
                                                • System Location Discovery: System Language Discovery
                                                PID:3872
                                            • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                                              "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "e96d5c49-2b5a-46f2-8dae-f57a704d2132" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 0013z00002RLqCLAA1
                                              2⤵
                                                PID:4368
                                              • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                                "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "90e75412-5d4c-4736-858b-c592363fc91e" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 0013z00002RLqCLAA1
                                                2⤵
                                                  PID:5848
                                                • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                                  "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "fb597661-842c-429b-8c2a-06ac00b9637d" agent-api.atera.com/Production 443 or8ixLi90Mf "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" 0013z00002RLqCLAA1
                                                  2⤵
                                                    PID:6092
                                                    • C:\Windows\SYSTEM32\cmd.exe
                                                      "cmd.exe" /K "cd /d C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
                                                      3⤵
                                                      • System Time Discovery
                                                      PID:4920
                                                      • C:\Program Files\dotnet\dotnet.exe
                                                        dotnet --list-runtimes
                                                        4⤵
                                                        • System Time Discovery
                                                        PID:3476
                                                  • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                                    "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "ab206eec-d526-4558-b3d5-a1c9f8a00711" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 0013z00002RLqCLAA1
                                                    2⤵
                                                    • Modifies data under HKEY_USERS
                                                    PID:5984
                                                  • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                                    "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "58f85555-bbf8-4acc-8951-ef791e16c91a" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 0013z00002RLqCLAA1
                                                    2⤵
                                                      PID:5572
                                                      • C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe
                                                        "C:\Windows\TEMP\AteraUpgradeAgentPackage\AgentPackageUpgradeAgent.exe" "830d21bf-52f4-4ce7-a581-dcc7ad1e27f0" "58f85555-bbf8-4acc-8951-ef791e16c91a" "agent-api.atera.com/Production" "443" "or8ixLi90Mf" "checkforupdates" "0013z00002RLqCLAA1"
                                                        3⤵
                                                          PID:5648
                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                                        "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "cb716dd9-6e33-42f5-97ef-b8e62edcce49" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 0013z00002RLqCLAA1
                                                        2⤵
                                                          PID:3112
                                                        • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                                          "C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 830d21bf-52f4-4ce7-a581-dcc7ad1e27f0 "ba4ba833-2e90-4423-bd20-b65ecc661faa" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 0013z00002RLqCLAA1
                                                          2⤵
                                                          • Modifies registry class
                                                          PID:4564
                                                      • C:\Windows\system32\svchost.exe
                                                        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                                                        1⤵
                                                        • Drops file in Windows directory
                                                        • Checks SCSI registry key(s)
                                                        PID:1648
                                                        • C:\Windows\system32\DrvInst.exe
                                                          DrvInst.exe "4" "1" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf" "9" "4804066df" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10"
                                                          2⤵
                                                          • Drops file in System32 directory
                                                          • Checks SCSI registry key(s)
                                                          • Modifies data under HKEY_USERS
                                                          PID:5508
                                                        • C:\Windows\system32\DrvInst.exe
                                                          DrvInst.exe "4" "1" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10\lci_proxywddm.inf" "9" "4a8a251e7" "0000000000000158" "WinSta0\Default" "0000000000000160" "208" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10"
                                                          2⤵
                                                          • Drops file in System32 directory
                                                          • Checks SCSI registry key(s)
                                                          • Modifies data under HKEY_USERS
                                                          PID:3800
                                                        • C:\Windows\system32\DrvInst.exe
                                                          DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c276d4b8d1e66062:lci_proxywddm.Install:1.0.2018.1204:root\lci_proxywddm," "4a8a251e7" "0000000000000158"
                                                          2⤵
                                                          • Drops file in Drivers directory
                                                          • Drops file in System32 directory
                                                          • Drops file in Windows directory
                                                          • Checks SCSI registry key(s)
                                                          PID:2220
                                                        • C:\Windows\system32\DrvInst.exe
                                                          DrvInst.exe "1" "0" "LCI\IDDCX\1&79f5d87&0&WHO_CARE" "" "" "48ef22a9f" "0000000000000000"
                                                          2⤵
                                                          • Drops file in Drivers directory
                                                          • Drops file in Windows directory
                                                          • Checks SCSI registry key(s)
                                                          PID:3764

                                                      Network

                                                      MITRE ATT&CK Enterprise v15

                                                      Downloads

                                                      • C:\Config.Msi\e57b0b3.rbs

                                                        Filesize

                                                        8KB

                                                      • C:\Config.Msi\e57b0b8.rbs

                                                        Filesize

                                                        74KB

                                                      • C:\Config.Msi\e57b0ba.rbs

                                                        Filesize

                                                        464B

                                                      • C:\Config.Msi\e57b0c0.rbs

                                                        Filesize

                                                        9KB

                                                      • C:\Config.Msi\e57b0c8.rbs

                                                        Filesize

                                                        8KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.InstallLog

                                                        Filesize

                                                        1KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe

                                                        Filesize

                                                        142KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config

                                                        Filesize

                                                        1KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll

                                                        Filesize

                                                        210KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll

                                                        Filesize

                                                        693KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe

                                                        Filesize

                                                        157KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe

                                                        Filesize

                                                        51KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI

                                                        Filesize

                                                        12B

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe

                                                        Filesize

                                                        173KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config

                                                        Filesize

                                                        546B

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Atera.AgentPackage.Common.dll

                                                        Filesize

                                                        94KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll

                                                        Filesize

                                                        688KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe

                                                        Filesize

                                                        27KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe

                                                        Filesize

                                                        214KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe

                                                        Filesize

                                                        37KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip

                                                        Filesize

                                                        3.4MB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe

                                                        Filesize

                                                        389KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                        Filesize

                                                        48KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe

                                                        Filesize

                                                        196KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe

                                                        Filesize

                                                        55KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config

                                                        Filesize

                                                        9KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.6140.update

                                                        Filesize

                                                        9KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log

                                                        Filesize

                                                        8KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe.ignore

                                                        Filesize

                                                        2B

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe

                                                        Filesize

                                                        54KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip

                                                        Filesize

                                                        334KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe

                                                        Filesize

                                                        72KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe

                                                        Filesize

                                                        50KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe

                                                        Filesize

                                                        32KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe

                                                        Filesize

                                                        54KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll

                                                        Filesize

                                                        588KB

                                                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt

                                                        Filesize

                                                        231B

                                                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe

                                                        Filesize

                                                        9KB

                                                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe

                                                        Filesize

                                                        10KB

                                                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe

                                                        Filesize

                                                        76KB

                                                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe

                                                        Filesize

                                                        80KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.InstallState

                                                        Filesize

                                                        7KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog.zip

                                                        Filesize

                                                        1.9MB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote.zip

                                                        Filesize

                                                        1.1MB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation.zip

                                                        Filesize

                                                        375KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat.zip

                                                        Filesize

                                                        321KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller.zip

                                                        Filesize

                                                        814KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace.zip

                                                        Filesize

                                                        1.2MB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.ini

                                                        Filesize

                                                        11B

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.ini

                                                        Filesize

                                                        12B

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                        Filesize

                                                        48KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                        Filesize

                                                        48KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db

                                                        Filesize

                                                        48KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates.zip

                                                        Filesize

                                                        2.8MB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement.zip

                                                        Filesize

                                                        2.9MB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller.zip

                                                        Filesize

                                                        1.1MB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe.config

                                                        Filesize

                                                        541B

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.ini

                                                        Filesize

                                                        12B

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools.zip

                                                        Filesize

                                                        646KB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing.zip

                                                        Filesize

                                                        3.1MB

                                                      • C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent.zip

                                                        Filesize

                                                        569KB

                                                      • C:\ProgramData\Splashtop\Splashtop Remote Server\Credential\e2643c884ffabe37e47a15842e4a931b

                                                        Filesize

                                                        16KB

                                                      • C:\ProgramData\chocolatey\config\chocolatey.config

                                                        Filesize

                                                        809B

                                                      • C:\ProgramData\chocolatey\logs\chocolatey.log

                                                        Filesize

                                                        6KB

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                        Filesize

                                                        471B

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                        Filesize

                                                        727B

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                        Filesize

                                                        727B

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

                                                        Filesize

                                                        400B

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                        Filesize

                                                        404B

                                                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                        Filesize

                                                        412B

                                                      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log

                                                        Filesize

                                                        651B

                                                      • C:\Windows\Installer\MSI119D.tmp

                                                        Filesize

                                                        4.5MB

                                                      • C:\Windows\Installer\MSI66D6.tmp-\System.Management.dll

                                                        Filesize

                                                        60KB

                                                      • C:\Windows\Installer\MSIB12F.tmp

                                                        Filesize

                                                        509KB

                                                      • C:\Windows\Installer\MSIB12F.tmp-\AlphaControlAgentInstallation.dll

                                                        Filesize

                                                        25KB

                                                      • C:\Windows\Installer\MSIB12F.tmp-\Microsoft.Deployment.WindowsInstaller.dll

                                                        Filesize

                                                        179KB

                                                      • C:\Windows\Installer\MSIB3FF.tmp-\CustomAction.config

                                                        Filesize

                                                        1KB

                                                      • C:\Windows\Installer\MSIB3FF.tmp-\Newtonsoft.Json.dll

                                                        Filesize

                                                        695KB

                                                      • C:\Windows\Installer\MSIBA1C.tmp

                                                        Filesize

                                                        211KB

                                                      • C:\Windows\Installer\e57b0b2.msi

                                                        Filesize

                                                        2.9MB

                                                      • C:\Windows\System32\DriverStore\Temp\{98871dfc-ff5a-784d-9acc-c64babde70a5}\lci_iddcx.cat

                                                        Filesize

                                                        10KB

                                                      • C:\Windows\System32\DriverStore\Temp\{98871dfc-ff5a-784d-9acc-c64babde70a5}\lci_iddcx.inf

                                                        Filesize

                                                        4KB

                                                      • C:\Windows\System32\DriverStore\Temp\{98871dfc-ff5a-784d-9acc-c64babde70a5}\x64\lci_iddcx.dll

                                                        Filesize

                                                        52KB

                                                      • C:\Windows\System32\DriverStore\Temp\{c81ff0ad-e5db-d34d-8d5c-5e6177db7e6a}\lci_proxywddm.cat

                                                        Filesize

                                                        12KB

                                                      • C:\Windows\System32\DriverStore\Temp\{c81ff0ad-e5db-d34d-8d5c-5e6177db7e6a}\lci_proxywddm.inf

                                                        Filesize

                                                        2KB

                                                      • C:\Windows\System32\DriverStore\Temp\{c81ff0ad-e5db-d34d-8d5c-5e6177db7e6a}\x64\lci_proxyumd.dll

                                                        Filesize

                                                        179KB

                                                      • C:\Windows\System32\DriverStore\Temp\{c81ff0ad-e5db-d34d-8d5c-5e6177db7e6a}\x64\lci_proxyumd32.dll

                                                        Filesize

                                                        135KB

                                                      • C:\Windows\System32\DriverStore\Temp\{c81ff0ad-e5db-d34d-8d5c-5e6177db7e6a}\x64\lci_proxywddm.sys

                                                        Filesize

                                                        119KB

                                                      • C:\Windows\Temp\B7C5EA94-B96A-41F5-BE95-25D78B486678-12-28-40.dat

                                                        Filesize

                                                        602B

                                                      • C:\Windows\Temp\InstallUtil.log

                                                        Filesize

                                                        4KB

                                                      • C:\Windows\Temp\InstallUtil.log

                                                        Filesize

                                                        1KB

                                                      • C:\Windows\Temp\PreVer.log

                                                        Filesize

                                                        2KB

                                                      • C:\Windows\Temp\unpack.log

                                                        Filesize

                                                        2KB

                                                      • C:\Windows\Temp\unpack\PreVerCheck.exe

                                                        Filesize

                                                        2.7MB

                                                      • C:\Windows\Temp\{3E14021E-623C-4424-A96B-99D7EB5738B4}\ISRT.dll

                                                        Filesize

                                                        427KB

                                                      • C:\Windows\Temp\{3E14021E-623C-4424-A96B-99D7EB5738B4}\_isres_0x0409.dll

                                                        Filesize

                                                        1.8MB

                                                      • C:\Windows\Temp\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\IsConfig.ini

                                                        Filesize

                                                        571B

                                                      • C:\Windows\Temp\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\String1033.txt

                                                        Filesize

                                                        182KB

                                                      • C:\Windows\Temp\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\_is730.exe

                                                        Filesize

                                                        179KB

                                                      • C:\Windows\Temp\{F0C483E5-955A-46E4-8CE7-24AB2D449333}\setup.inx

                                                        Filesize

                                                        345KB

                                                      • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944

                                                        Filesize

                                                        404B

                                                      • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

                                                        Filesize

                                                        412B


                                                        Filesize

                                                        112KB

                                                      • memory/4224-342-0x0000024A1AB70000-0x0000024A1ABD4000-memory.dmp

                                                        Filesize

                                                        400KB

                                                      • memory/4224-345-0x0000024A1B480000-0x0000024A1B4CA000-memory.dmp

                                                        Filesize

                                                        296KB

                                                      • memory/4456-275-0x0000028276D40000-0x0000028276DF0000-memory.dmp

                                                        Filesize

                                                        704KB

                                                      • memory/4456-80-0x00000000050C0000-0x0000000005414000-memory.dmp

                                                        Filesize

                                                        3.3MB

                                                      • memory/4456-76-0x0000000005000000-0x00000000050B2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                      • memory/4456-277-0x000002825E240000-0x000002825E25C000-memory.dmp

                                                        Filesize

                                                        112KB

                                                      • memory/4456-272-0x000002825DBD0000-0x000002825DC00000-memory.dmp

                                                        Filesize

                                                        192KB

                                                      • memory/4456-79-0x0000000002C30000-0x0000000002C52000-memory.dmp

                                                        Filesize

                                                        136KB

                                                      • memory/4696-1801-0x000002D240120000-0x000002D24015A000-memory.dmp

                                                        Filesize

                                                        232KB

                                                      • memory/4696-1818-0x000002D259380000-0x000002D259432000-memory.dmp

                                                        Filesize

                                                        712KB

                                                      • memory/5360-1758-0x00000217D6FC0000-0x00000217D6FE0000-memory.dmp

                                                        Filesize

                                                        128KB

                                                      • memory/5360-1784-0x00000217EF820000-0x00000217EF8D2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                      • memory/5360-1746-0x00000217D6660000-0x00000217D6670000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/5360-1788-0x00000217EF760000-0x00000217EF7C6000-memory.dmp

                                                        Filesize

                                                        408KB

                                                      • memory/5360-1789-0x00000217D6FE0000-0x00000217D6FF4000-memory.dmp

                                                        Filesize

                                                        80KB

                                                      • memory/5512-1226-0x0000000072220000-0x000000007233C000-memory.dmp

                                                        Filesize

                                                        1.1MB

                                                      • memory/5512-1227-0x0000000071E50000-0x0000000072214000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                      • memory/5512-1153-0x0000000072340000-0x000000007243D000-memory.dmp

                                                        Filesize

                                                        1012KB

                                                      • memory/5512-1154-0x0000000072220000-0x000000007233C000-memory.dmp

                                                        Filesize

                                                        1.1MB

                                                      • memory/5512-1155-0x0000000071E50000-0x0000000072214000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                      • memory/5512-2464-0x0000000072220000-0x000000007233C000-memory.dmp

                                                        Filesize

                                                        1.1MB

                                                      • memory/5512-2465-0x0000000071E50000-0x0000000072214000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                      • memory/5512-2463-0x0000000072340000-0x000000007243D000-memory.dmp

                                                        Filesize

                                                        1012KB

                                                      • memory/5512-1225-0x0000000072340000-0x000000007243D000-memory.dmp

                                                        Filesize

                                                        1012KB

                                                      • memory/5520-1794-0x000001A67F920000-0x000001A67F96A000-memory.dmp

                                                        Filesize

                                                        296KB

                                                      • memory/5520-1804-0x000001A67F8F0000-0x000001A67F90C000-memory.dmp

                                                        Filesize

                                                        112KB

                                                      • memory/5520-1791-0x000001A67F590000-0x000001A67F59C000-memory.dmp

                                                        Filesize

                                                        48KB

                                                      • memory/5584-1158-0x0000000071E50000-0x0000000072214000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                      • memory/5584-1763-0x0000000072340000-0x000000007243D000-memory.dmp

                                                        Filesize

                                                        1012KB

                                                      • memory/5584-1156-0x0000000072340000-0x000000007243D000-memory.dmp

                                                        Filesize

                                                        1012KB

                                                      • memory/5584-1157-0x0000000072220000-0x000000007233C000-memory.dmp

                                                        Filesize

                                                        1.1MB

                                                      • memory/5584-1235-0x0000000072220000-0x000000007233C000-memory.dmp

                                                        Filesize

                                                        1.1MB

                                                      • memory/5584-1234-0x0000000072340000-0x000000007243D000-memory.dmp

                                                        Filesize

                                                        1012KB

                                                      • memory/5584-1781-0x0000000071E50000-0x0000000072214000-memory.dmp

                                                        Filesize

                                                        3.8MB

                                                      • memory/5796-1800-0x00000209885A0000-0x00000209885EA000-memory.dmp

                                                        Filesize

                                                        296KB

                                                      • memory/5796-1799-0x0000020987D10000-0x0000020987D20000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/5796-1815-0x00000209A1050000-0x00000209A112C000-memory.dmp

                                                        Filesize

                                                        880KB

                                                      • memory/5796-1807-0x0000020988280000-0x000002098829C000-memory.dmp

                                                        Filesize

                                                        112KB

                                                      • memory/5900-1808-0x000001830A3E0000-0x000001830A42A000-memory.dmp

                                                        Filesize

                                                        296KB

                                                      • memory/5900-1811-0x000001830A390000-0x000001830A3AC000-memory.dmp

                                                        Filesize

                                                        112KB

                                                      • memory/5900-1806-0x0000018309B40000-0x0000018309B52000-memory.dmp

                                                        Filesize

                                                        72KB

                                                      • memory/6140-1797-0x000001CC072E0000-0x000001CC07300000-memory.dmp

                                                        Filesize

                                                        128KB

                                                      • memory/6140-1795-0x000001CC1FC10000-0x000001CC1FCC2000-memory.dmp

                                                        Filesize

                                                        712KB

                                                      • memory/6140-1787-0x000001CC06E30000-0x000001CC06E40000-memory.dmp

                                                        Filesize

                                                        64KB

                                                      • memory/6140-1783-0x000001CC06A70000-0x000001CC06A80000-memory.dmp

                                                        Filesize

                                                        64KB