Overview

overview

10

Static

static

10

setup_the_...du.msi

windows7-x64

10

setup_the_...du.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2024 20:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    setup_the_australian_lending__investment_centre_kathmandu.msi

  • Size

    2.9MB

  • MD5

    db9d2b56b0b1f99c3c3759668311bc43

  • SHA1

    d38a991043b8e3dd1acf12be974adbf5c56914ce

  • SHA256

    dea4e36c02e72f6ad9570b5f098ffd20820e372a051f3c48db2c2c6b63203c4e

  • SHA512

    7b09d55bea24856e3f97b4b8cc9b86bcd74b8f399a7ddf417532321a88ce683f3f45a0f27e9ddf81aee23a9935f23fc443014d637d2cad0fd1a2f07188faefa4

  • SSDEEP

    49152:x+1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:x+lUlz9FKbsodq0YaH7ZPxMb8tT

Score
10/10
ateraagentbootkitdiscoverypersistenceprivilege_escalationratupx

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

    ratateraagent
  • Ateraagent family
    ateraagent
  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Drops file in Drivers directory 6 IoCs
  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 64 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • UPX packed file 25 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 61 IoCs
  • Executes dropped EXE 64 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Loads dropped DLL 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 11 IoCs
    evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
    evasionspywaretrojan
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\setup_the_australian_lending__investment_centre_kathmandu.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4812
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1544
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2976
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 91BA541703B003DD6390596664C6A08E
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIEBD7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643281 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:216
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIEF62.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643937 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:4864
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSIF743.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240646015 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:4528
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI477.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240649359 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
        3⤵
        • Blocklisted process makes network request
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3124
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding B8037F69B51EF35BBEC04D808364CED5 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4612
      • C:\Windows\SysWOW64\NET.exe
        "NET" STOP AteraAgent
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2568
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP AteraAgent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2728
      • C:\Windows\SysWOW64\TaskKill.exe
        "TaskKill.exe" /f /im AteraAgent.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:3220
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="12" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="12" /AccountId="001Q300000KbIIcIAN" /AgentId="86075190-4acd-48f1-be12-06e210267b5d"
      2⤵
      • Drops file in System32 directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:3872
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 29B4DEDA251141C8F075F15D55D4A018 E Global\MSI0000
      2⤵
      • Blocklisted process makes network request
      • Drops file in System32 directory
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{46C41191-897B-4F0B-9DFE-10A724C51DC2}
        3⤵
        • Executes dropped EXE
        PID:4292
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{122BF92A-4B24-40DC-A3C6-3B12E0E4AC7C}
        3⤵
        • Executes dropped EXE
        PID:1552
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{47456690-D133-4108-A3A6-124400B4C322}
        3⤵
        • Executes dropped EXE
        PID:2580
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{803DA823-9368-4BB8-B4F6-03B234696C0B}
        3⤵
        • Executes dropped EXE
        PID:512
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{33856FF8-503B-46E0-9AEF-3A3513E09B93}
        3⤵
        • Executes dropped EXE
        PID:3040
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1B5C64F7-1CFC-4535-9F88-59869E3EFE96}
        3⤵
        • Executes dropped EXE
        PID:3992
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{90ED01B2-E865-4028-A77A-296E901A0D47}
        3⤵
        • Executes dropped EXE
        PID:3140
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DFBBFD54-D42B-4FF4-BFEE-7E98AFD2BF05}
        3⤵
        • Executes dropped EXE
        PID:2100
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{271E9966-A463-4F1C-ACAC-6DE39302A32B}
        3⤵
        • Executes dropped EXE
        PID:1492
      • C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe
        C:\Windows\TEMP\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_is3F27.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EF951185-E5A1-4580-BE8C-58225F8087DE}
        3⤵
        • Executes dropped EXE
        PID:4104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2400
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRServer.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:4220
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3532
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRApp.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:4008
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:688
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRAppPB.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:2560
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1688
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRFeature.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:1012
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4344
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRFeatMini.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:2500
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2740
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRManager.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:4684
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2244
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRAgent.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:1012
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1468
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRChat.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:3224
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2500
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRAudioChat.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:3312
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4092
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill.exe /F /IM SRVirtualDisplay.exe /T
          4⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          PID:1492
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DCDF50D6-8B5E-4C04-8705-4E5A847F3EDC}
        3⤵
        • Executes dropped EXE
        PID:4304
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4AE6740C-AD18-4F11-8476-19D307EE9A55}
        3⤵
        • Executes dropped EXE
        PID:3792
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B633332D-DE27-45A6-A839-7EB928C947DD}
        3⤵
        • Executes dropped EXE
        PID:1520
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0B587ED6-4593-4937-9ED4-E45F047EF20A}
        3⤵
        • Executes dropped EXE
        PID:228
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{70EEE2B4-5059-4C2C-865D-BF6FF898352B}
        3⤵
        • Executes dropped EXE
        PID:392
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8640990E-85B5-4B93-B9FD-04509D757024}
        3⤵
        • Executes dropped EXE
        PID:2720
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B1B67A48-6185-4EF0-A503-9628784F843C}
        3⤵
        • Executes dropped EXE
        PID:2980
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DF25C2D6-71CE-44CA-B37A-A246668B675D}
        3⤵
        • Executes dropped EXE
        PID:2504
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{56FF7A6A-D481-41DB-8CF2-D79963BCD7BC}
        3⤵
        • Executes dropped EXE
        PID:888
      • C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
        C:\Windows\TEMP\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7719FE6C-7915-483B-B47E-80479EC0411D}
        3⤵
        • Executes dropped EXE
        PID:3312
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59925CC1-FE4F-428B-82C5-1BA97254C882}
        3⤵
        • Executes dropped EXE
        PID:1012
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0610FED5-833B-4C97-B08D-12B8A63E3EEE}
        3⤵
        • Executes dropped EXE
        PID:4688
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{BE39F0D6-B6EB-4CCD-A587-F937DE9F9824}
        3⤵
        • Executes dropped EXE
        PID:2512
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D9489B06-610D-4CE4-9EA4-51EC55911966}
        3⤵
        • Executes dropped EXE
        PID:1056
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0ECC3E7C-29D3-4B39-99BE-0BDE885F0FB4}
        3⤵
        • Executes dropped EXE
        PID:4996
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{65AB759E-D65E-4034-ACEE-68D960EEAFA4}
        3⤵
        • Executes dropped EXE
        PID:332
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{611994BB-D6D9-402A-9099-32C85878FDC9}
        3⤵
        • Executes dropped EXE
        PID:4684
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F002CC8-74FF-4599-AD63-3712C0711A3D}
        3⤵
        • Executes dropped EXE
        PID:4220
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5EF3089D-E3A6-46E2-AA1E-53E492641C69}
        3⤵
        • Executes dropped EXE
        PID:3260
      • C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe
        C:\Windows\TEMP\{695DD333-9D24-4F6D-ACD0-98D74285ED0F}\_is5D6F.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{224746F2-DDEE-4A9B-BD1D-A6CE9BC605B9}
        3⤵
        • Executes dropped EXE
        PID:888
      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4432
      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2504
      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        PID:1472
        • C:\Windows\system32\cmd.exe
          "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
          4⤵
            PID:2512
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
            4⤵
              PID:1040
          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe
            "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g
            3⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4176
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E171EE09-23CA-4C04-A26C-0BAA5F16A56C}
            3⤵
            • Executes dropped EXE
            PID:3188
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{854DCDC4-6084-413A-A5A6-0A4598199A7E}
            3⤵
            • Executes dropped EXE
            PID:3324
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B0FD919-99E8-40DD-B6FD-EC7672CEA9C3}
            3⤵
            • Executes dropped EXE
            PID:3884
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{788AFC50-C889-4C2F-8C0D-48C742496EF6}
            3⤵
            • Executes dropped EXE
            PID:228
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{37DC3AA9-AF2D-4EC9-BF48-3D6F20DEFB43}
            3⤵
            • Executes dropped EXE
            PID:4464
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DDFB5B37-FAEA-4B2A-8040-740FD4A289B1}
            3⤵
            • Executes dropped EXE
            PID:4292
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B8104188-2AC6-4209-B20D-0AB8D2C08DCF}
            3⤵
            • Executes dropped EXE
            PID:4452
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EE121C88-E2F3-4E93-B602-E6EFA39D67A2}
            3⤵
            • Executes dropped EXE
            PID:4160
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{909EAAE6-F58D-4063-A3AC-6C35FE517029}
            3⤵
            • Executes dropped EXE
            PID:3188
          • C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe
            C:\Windows\TEMP\{0487E22E-2A63-4967-86C9-D2833F2AE311}\_is705D.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A931B61A-59E5-4795-ABA7-09BCC7B96CA9}
            3⤵
            • Executes dropped EXE
            PID:3324
          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
            "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:3344
            • C:\Windows\System32\Conhost.exe
              \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              4⤵
                PID:228
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D49E49C7-39FD-4450-B79E-201841C62CB5}
              3⤵
              • Executes dropped EXE
              PID:1580
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DF7D2F87-A3BC-4845-8299-3A944709CA0B}
              3⤵
              • Executes dropped EXE
              PID:1836
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66009113-49E3-4DA2-88F6-CD84A1FC6A26}
              3⤵
              • Executes dropped EXE
              PID:4772
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8F54A4A9-BDBB-4D8E-AF56-A5BBE08E56CF}
              3⤵
              • Executes dropped EXE
              PID:4820
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4F865FF7-A705-434D-BA61-68351D214EF5}
              3⤵
              • Executes dropped EXE
              PID:4008
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{47BE21BD-8652-41D6-841A-E121E3046643}
              3⤵
              • Executes dropped EXE
              PID:1504
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{48AE6C5E-2335-4391-B399-F8FF8950E0CD}
              3⤵
              • Executes dropped EXE
              PID:4452
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F44D5F98-7354-446B-97D2-4DAE6CA61A80}
              3⤵
              • Executes dropped EXE
              PID:4160
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{564C2E04-C5DA-494C-8B7D-D1F172E21C3E}
              3⤵
              • Executes dropped EXE
              PID:1040
            • C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe
              C:\Windows\TEMP\{3514E9D4-141E-4438-A05C-4EA760AEBFEC}\_is73B9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9E993793-4359-448A-A619-7A911DB5B5D7}
              3⤵
                PID:3044
              • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
                "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r
                3⤵
                • System Location Discovery: System Language Discovery
                PID:4104
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Checks SCSI registry key(s)
            • Suspicious use of AdjustPrivilegeToken
            PID:2392
          • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
            "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
            1⤵
            • Drops file in System32 directory
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Modifies system certificate store
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:3036
            • C:\Windows\System32\sc.exe
              "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
              2⤵
              • Launches sc.exe
              PID:1688
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 86075190-4acd-48f1-be12-06e210267b5d "fa90578e-6975-4422-80bb-72a391cfb38a" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000KbIIcIAN
              2⤵
              • Drops file in System32 directory
              • Executes dropped EXE
              PID:2364
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 86075190-4acd-48f1-be12-06e210267b5d "53294d7f-a0d6-45cd-97e0-1bffcf55c2e2" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000KbIIcIAN
              2⤵
              • Executes dropped EXE
              PID:2736
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 86075190-4acd-48f1-be12-06e210267b5d "a75620fe-10e5-47b1-9344-d6b888c27d01" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000KbIIcIAN
              2⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:1932
              • C:\Windows\System32\cmd.exe
                "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4236
                • C:\Windows\system32\cscript.exe
                  cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                  4⤵
                  • Modifies data under HKEY_USERS
                  PID:3388
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 86075190-4acd-48f1-be12-06e210267b5d "1e995ee4-c462-4893-af44-b3be2e83375e" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOm51bGwsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000KbIIcIAN
              2⤵
              • Drops file in Program Files directory
              • Executes dropped EXE
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:4980
              • C:\Windows\TEMP\SplashtopStreamer.exe
                "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                3⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4400
                • C:\Windows\Temp\unpack\PreVerCheck.exe
                  "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                  4⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:4608
                  • C:\Windows\SysWOW64\msiexec.exe
                    msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                    5⤵
                    • System Location Discovery: System Language Discovery
                    PID:3628
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 86075190-4acd-48f1-be12-06e210267b5d "a0122409-4d7b-4c4a-90d5-d4244089db01" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000KbIIcIAN
              2⤵
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Executes dropped EXE
              • Loads dropped DLL
              PID:2256
          • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
            "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
            1⤵
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious use of WriteProcessMemory
            PID:4704
            • C:\Windows\System32\sc.exe
              "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
              2⤵
              • Launches sc.exe
              PID:3792
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 86075190-4acd-48f1-be12-06e210267b5d "dcc34d56-900c-400d-b121-4eefe1b6834b" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000KbIIcIAN
              2⤵
                PID:2320
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                  3⤵
                    PID:4368
                    • C:\Windows\system32\cscript.exe
                      cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                      4⤵
                      • Modifies data under HKEY_USERS
                      PID:4492
                • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 86075190-4acd-48f1-be12-06e210267b5d "3455ab06-a828-4044-b024-c75157fa0c49" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000KbIIcIAN
                  2⤵
                    PID:2568
                  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 86075190-4acd-48f1-be12-06e210267b5d "70647bf3-dd75-4b9b-a663-b9654ebadbd7" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000KbIIcIAN
                    2⤵
                      PID:1912
                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
                        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=5cdbd09e5522a9175a7aa155f7efbff5&rmm_session_pwd_ttl=86400"
                        3⤵
                        • System Location Discovery: System Language Discovery
                        PID:3660
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe" 86075190-4acd-48f1-be12-06e210267b5d "54d196a4-7c0c-4dae-8013-5e9cf467cf86" agent-api.atera.com/Production 443 or8ixLi90Mf "syncinstalledapps" 001Q300000KbIIcIAN
                      2⤵
                      • Drops file in System32 directory
                      • Drops file in Program Files directory
                      PID:1020
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 86075190-4acd-48f1-be12-06e210267b5d "c509ab86-aa1f-4365-88e5-db3f05fcc0d0" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000KbIIcIAN
                      2⤵
                      • Drops file in System32 directory
                      PID:5088
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 86075190-4acd-48f1-be12-06e210267b5d "fe68b538-7162-4df4-92ae-e8a0b435809e" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000KbIIcIAN
                      2⤵
                      • Writes to the Master Boot Record (MBR)
                      • Drops file in Program Files directory
                      PID:4008
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 86075190-4acd-48f1-be12-06e210267b5d "83d86614-9d90-477d-80b6-6b5c86e648cd" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000KbIIcIAN
                      2⤵
                      • Drops file in System32 directory
                      PID:3956
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 86075190-4acd-48f1-be12-06e210267b5d "22b1788d-5365-44e7-b365-ae01651b30aa" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000KbIIcIAN
                      2⤵
                      • Drops file in System32 directory
                      • Drops file in Program Files directory
                      PID:1224
                      • C:\Windows\TEMP\Agent.Package.Availability\Agent.Package.Availability.exe
                        "C:\Windows\TEMP\Agent.Package.Availability\Agent.Package.Availability.exe" 86075190-4acd-48f1-be12-06e210267b5d 22b1788d-5365-44e7-b365-ae01651b30aa agent-api.atera.com/Production 443 or8ixLi90Mf connect 001Q300000KbIIcIAN
                        3⤵
                          PID:5176
                    • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
                      "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"
                      1⤵
                      • System Location Discovery: System Language Discovery
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3048
                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
                        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"
                        2⤵
                        • Drops file in System32 directory
                        • Drops file in Program Files directory
                        • Loads dropped DLL
                        • System Location Discovery: System Language Discovery
                        • Modifies data under HKEY_USERS
                        • Suspicious behavior: EnumeratesProcesses
                        PID:1636
                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe
                          -h -t
                          3⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of SetWindowsHookEx
                          PID:3128
                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
                          "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"
                          3⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious behavior: EnumeratesProcesses
                          PID:3260
                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe
                            "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v
                            4⤵
                              PID:3948
                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe
                            "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Suspicious behavior: EnumeratesProcesses
                            • Suspicious use of SetWindowsHookEx
                            PID:2980
                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
                            "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:3240
                            • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
                              SRUtility.exe -r
                              4⤵
                              • System Location Discovery: System Language Discovery
                              PID:1672
                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe
                            "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"
                            3⤵
                            • Drops file in Program Files directory
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:3104
                            • C:\Windows\System32\cmd.exe
                              "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat" nosetkey
                              4⤵
                                PID:1932
                                • C:\Windows\system32\cmd.exe
                                  C:\Windows\system32\cmd.exe /c ver
                                  5⤵
                                    PID:5060
                                  • C:\Windows\system32\sc.exe
                                    sc query ddmgr
                                    5⤵
                                    • Launches sc.exe
                                    PID:1832
                                  • C:\Windows\system32\sc.exe
                                    sc query lci_proxykmd
                                    5⤵
                                    • Launches sc.exe
                                    PID:5384
                                  • C:\Windows\system32\rundll32.exe
                                    rundll32 x64\my_setup.dll do_install_lci_proxywddm
                                    5⤵
                                    • Drops file in Windows directory
                                    • Checks SCSI registry key(s)
                                    • Modifies data under HKEY_USERS
                                    PID:5720
                          • C:\Windows\system32\svchost.exe
                            C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                            1⤵
                            • Drops file in Windows directory
                            • Checks SCSI registry key(s)
                            PID:5804
                            • C:\Windows\system32\DrvInst.exe
                              DrvInst.exe "4" "1" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf" "9" "4804066df" "0000000000000148" "WinSta0\Default" "0000000000000150" "208" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10"
                              2⤵
                              • Drops file in System32 directory
                              • Drops file in Windows directory
                              • Checks SCSI registry key(s)
                              • Modifies data under HKEY_USERS
                              PID:4652
                            • C:\Windows\system32\DrvInst.exe
                              DrvInst.exe "4" "1" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10\lci_proxywddm.inf" "9" "4a8a251e7" "000000000000017C" "WinSta0\Default" "0000000000000180" "208" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10"
                              2⤵
                              • Drops file in System32 directory
                              • Drops file in Windows directory
                              • Checks SCSI registry key(s)
                              • Modifies data under HKEY_USERS
                              PID:2996
                            • C:\Windows\system32\DrvInst.exe
                              DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c276d4b8d1e66062:lci_proxywddm.Install:1.0.2018.1204:root\lci_proxywddm," "4a8a251e7" "0000000000000178"
                              2⤵
                              • Drops file in Drivers directory
                              • Drops file in System32 directory
                              • Drops file in Windows directory
                              • Checks SCSI registry key(s)
                              PID:940
                            • C:\Windows\system32\DrvInst.exe
                              DrvInst.exe "1" "0" "LCI\IDDCX\1&79f5d87&0&WHO_CARE" "" "" "48ef22a9f" "0000000000000000"
                              2⤵
                              • Drops file in Drivers directory
                              • Drops file in Windows directory
                              • Checks SCSI registry key(s)
                              PID:3964

                          Network

                          MITRE ATT&CK Enterprise v15

                          Reconnaissance

                          Resource Development

                          Initial Access

                          Execution

                          Persistence

                          Event Triggered Execution

                          2
                          T1546

                          Component Object Model Hijacking

                          1
                          T1546.015

                          Installer Packages

                          1
                          T1546.016

                          Pre-OS Boot

                          1
                          T1542

                          Bootkit

                          1
                          T1542.003

                          Privilege Escalation

                          Event Triggered Execution

                          2
                          T1546

                          Component Object Model Hijacking

                          1
                          T1546.015

                          Installer Packages

                          1
                          T1546.016

                          Defense Evasion

                          Modify Registry

                          1
                          T1112

                          Pre-OS Boot

                          1
                          T1542

                          Bootkit

                          1
                          T1542.003

                          Subvert Trust Controls

                          1
                          T1553

                          Install Root Certificate

                          1
                          T1553.004

                          System Binary Proxy Execution

                          1
                          T1218

                          Msiexec

                          1
                          T1218.007

                          Credential Access

                          Discovery

                          Peripheral Device Discovery

                          2
                          T1120

                          Query Registry

                          4
                          T1012

                          System Information Discovery

                          3
                          T1082

                          System Location Discovery

                          1
                          T1614

                          System Language Discovery

                          1
                          T1614.001

                          Lateral Movement

                          Collection

                          Command and Control

                          Exfiltration

                          Impact

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Config.Msi\e57eb4b.rbs
                            Filesize

                            8KB

                            MD5

                            5c3fa9c6597b7efeb498907ad3eacacb

                            SHA1

                            2479a2eca55cddeff80fc73667f2738de195e6f3

                            SHA256

                            afac58c4ad435498201c334b4aa4d4c011e56e7b8e937ea22e973c0de0c8a96c

                            SHA512

                            613a209bdfd578243118cced1d62557f04967bc3ba0aa88d2a77f823f157317e42b923c1ed5716b622d19109d898cef3371676d92a1a768fa4992b6386f2ce84

                            Download Submit

                          • C:\Config.Msi\e57eb50.rbs
                            Filesize

                            74KB

                            MD5

                            56f9584fb64b2a9df9713214eccf6203

                            SHA1

                            11da5b3bb46034283a6e327438be40b312fdc657

                            SHA256

                            755f696d08ffe761b0fdeb1e51c93d7d978e7c6220fc2cd818a82a8ad6af0f63

                            SHA512

                            e735a425dc22cfb2a04eea8af1c977e0c564429a1882dce89a580daa6c670d97a4ac0a2f22d54924f30661433aa7fa456d4cdbf9305e5e116e74e98804d55bec

                            Download Submit

                          • C:\Config.Msi\e57eb52.rbs
                            Filesize

                            464B

                            MD5

                            c152d6f534ee0219abb3424d3300be8b

                            SHA1

                            0d51a369d0c7e1c89444b72b2b6d544c57259e2a

                            SHA256

                            bac407109e55cd7ff1a6b941d2d96903c6a88270115b2ff4ebd746bd3702a5ed

                            SHA512

                            471db1a01aa32fc0495dcd4bb20f3fc62fed036f4525f472bfcafabd9b3a8f7d6cd07292ed62f22a741bf63660d6f2cbb99f1ab199ef9191eea81ea616c83e09

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                            Filesize

                            142KB

                            MD5

                            477293f80461713d51a98a24023d45e8

                            SHA1

                            e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

                            SHA256

                            a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

                            SHA512

                            23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config
                            Filesize

                            1KB

                            MD5

                            b3bb71f9bb4de4236c26578a8fae2dcd

                            SHA1

                            1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

                            SHA256

                            e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

                            SHA512

                            fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                            Filesize

                            210KB

                            MD5

                            c106df1b5b43af3b937ace19d92b42f3

                            SHA1

                            7670fc4b6369e3fb705200050618acaa5213637f

                            SHA256

                            2b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68

                            SHA512

                            616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                            Filesize

                            693KB

                            MD5

                            2c4d25b7fbd1adfd4471052fa482af72

                            SHA1

                            fd6cd773d241b581e3c856f9e6cd06cb31a01407

                            SHA256

                            2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7

                            SHA512

                            f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
                            Filesize

                            158KB

                            MD5

                            1922740d2479c7d0cd6fb57c3d739543

                            SHA1

                            877a807a396156be1d0c2782391cabc29ea15760

                            SHA256

                            20443f66e184311fd412158cb162e36b0172332cd6d401cec9ee5fe17df75e58

                            SHA512

                            d624bad0fcd8afc190a5de241da341a3f39d6aaa0e5eacdf8b14e8e74515b688f06e2cdc75da0634880ea98238a1d26cd2d2bfaedb6d92067dace99d0963975c

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                            Filesize

                            51KB

                            MD5

                            3180c705182447f4bcc7ce8e2820b25d

                            SHA1

                            ad6486557819a33d3f29b18d92b43b11707aae6e

                            SHA256

                            5b536eda4bff1fdb5b1db4987e66da88c6c0e1d919777623344cd064d5c9ba22

                            SHA512

                            228149e1915d8375aa93a0aff8c5a1d3417df41b46f5a6d9a7052715dbb93e1e0a034a63f0faad98d4067bcfe86edb5eb1ddf750c341607d33931526c784eb35

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
                            Filesize

                            12B

                            MD5

                            eb053699fc80499a7185f6d5f7d55bfe

                            SHA1

                            9700472d22b1995c320507917fa35088ae4e5f05

                            SHA256

                            bce3dfdca8f0b57846e914d497f4bb262e3275f05ea761d0b4f4b778974e6967

                            SHA512

                            d66fa39c69d9c6448518cb9f98cbdad4ce5e93ceef8d20ce0deef91fb3e512b5d5a9458f7b8a53d4b68d693107872c5445e99f87c948878f712f8a79bc761dbf

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                            Filesize

                            173KB

                            MD5

                            fd9df72620bca7c4d48bc105c89dffd2

                            SHA1

                            2e537e504704670b52ce775943f14bfbaf175c1b

                            SHA256

                            847d0cd49cce4975bafdeb67295ed7d2a3b059661560ca5e222544e9dfc5e760

                            SHA512

                            47228cbdba54cd4e747dba152feb76a42bfc6cd781054998a249b62dd0426c5e26854ce87b6373f213b4e538a62c08a89a488e719e2e763b7b968e77fbf4fc02

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
                            Filesize

                            546B

                            MD5

                            158fb7d9323c6ce69d4fce11486a40a1

                            SHA1

                            29ab26f5728f6ba6f0e5636bf47149bd9851f532

                            SHA256

                            5e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21

                            SHA512

                            7eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\Newtonsoft.Json.dll
                            Filesize

                            688KB

                            MD5

                            3ef8d12aa1d48dec3ac19a0ceabd4fd8

                            SHA1

                            c81b7229a9bd55185a0edccb7e6df3b8e25791cf

                            SHA256

                            18c1ddbdbf47370cc85fa2cf7ba043711ab3eadbd8da367638686dfd6b735c85

                            SHA512

                            0ff2e8dbfef7164b22f9ae9865e83154096971c3f0b236d988ab947e803c1ed03d86529ab80d2be9ff33af305d34c9b30082f8c26e575f0979ca9287b415f9f9

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip
                            Filesize

                            3.4MB

                            MD5

                            e010d1f614b1a830482d3df4ba056f24

                            SHA1

                            5873e22b8c51a808c06a3bbf425fcf02b2a80328

                            SHA256

                            98a98dd1df25d31a01d47eaf4fa65d5f88bc0ad166f8f31d68f2994b4f739a9b

                            SHA512

                            727877929530e08062611868fd751d1b64e4c7d28c26b70f14c7cd942b1ae1579cba2a2ef038bad07032ef728ae277963ffb3e1ab7a5c28351326fabad84daa6

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                            Filesize

                            389KB

                            MD5

                            5e3252e0248b484e76fcdbf8b42a645d

                            SHA1

                            11ae92fd16ac87f6ab755911e85e263253c16516

                            SHA256

                            01f464fbb9b0bfd0e16d4ad6c5de80f7aad0f126e084d7f41fef36be6ec2fc8e

                            SHA512

                            540d6b3ca9c01e3e09673601514af701a41e7d024070de1257249c3c077ac53852bd04ab4ac928a38c9c84f423a6a3a89ab0676501a9edc28f95de83818fb699

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db
                            Filesize

                            48KB

                            MD5

                            d1e0585f473009240b81ff5abd84853f

                            SHA1

                            ddd8d71751ea98494ec5340be5075edf4835ae64

                            SHA256

                            23f2276294a4948d3faa7a8a305f31ab2c1a8c772be03ea2d0bc1bbac35a322c

                            SHA512

                            e73d55918ad8305493138f1e60cc04707b2dd174726100cfd1ca244fced3d5674370a85672526a3ed67cb1390354622c039f48ea9e8cd87ddd5b620c0b68eb07

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\AgentPackageProgramManagement.exe
                            Filesize

                            56KB

                            MD5

                            0f33a7acb33960d1306ba418405d8264

                            SHA1

                            bc24c37727b00d514446c8b5fb6c04f36254a067

                            SHA256

                            a43f099127bfe1640deca971252e573fe1745b04f29aa6b2fd672226799739c6

                            SHA512

                            72a99786acd4b1322e63eb253bbc651d5ec0fee83984e5214c3faf7aff489389375bf724ecfcfce5e78905bdb3e7d8a99dbae424a59b73d38a55be0657c1ec33

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config
                            Filesize

                            9KB

                            MD5

                            9d1528a2ce17522f6de064ae2c2b608e

                            SHA1

                            2f1ce8b589e57ab300bb93dde176689689f75114

                            SHA256

                            11c9ad150a0d6c391c96e2b7f8ad20e774bdd4e622fcdfbf4f36b6593a736311

                            SHA512

                            a19b54ed24a2605691997d5293901b52b42f6af7d6f6fda20b9434c9243cc47870ec3ae2b72bdea0e615f4e98c09532cb3b87f20c4257163e782c7ab76245e94

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\config\chocolatey.config.1020.update
                            Filesize

                            9KB

                            MD5

                            14ffcf07375b3952bd3f2fe52bb63c14

                            SHA1

                            ab2eadde4c614eb8f1f2cae09d989c5746796166

                            SHA256

                            6ccfdb5979e715d12e597b47e1d56db94cf6d3a105b94c6e5f4dd8bab28ef5ed

                            SHA512

                            14a32151f7f7c45971b4c1adfb61f6af5136b1db93b50d00c6e1e3171e25b19749817b4e916d023ee1822caee64961911103087ca516cf6a0eafce1d17641fc4

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\logs\chocolatey.log
                            Filesize

                            8KB

                            MD5

                            0a3367e38631a827774cf3b9a89f9747

                            SHA1

                            29e8ded36fd1af414acae59b52249cc3c0052c49

                            SHA256

                            216bf08c72870ea2dd2a9ee8e523716bd7aa5a57a484689bc820cf1648a8edfc

                            SHA512

                            d07a722ee3bc86c3dd194c804e45964ec4f7fc290e904dafa9f35535a7e1e029f383883ba4139d2676a61cedbc8972cba706666e5cab6888513d8c10b5568190

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageProgramManagement\redirects\cpush.exe.ignore
                            Filesize

                            2B

                            MD5

                            81051bcc2cf1bedf378224b0a93e2877

                            SHA1

                            ba8ab5a0280b953aa97435ff8946cbcbb2755a27

                            SHA256

                            7eb70257593da06f682a3ddda54a9d260d4fc514f645237f5ca74b08f8da61a6

                            SHA512

                            1b302a2f1e624a5fb5ad94ddc4e5f8bfd74d26fa37512d0e5face303d8c40eee0d0ffa3649f5da43f439914d128166cb6c4774a7caa3b174d7535451eb697b5d

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip
                            Filesize

                            334KB

                            MD5

                            2e2e6e6702fa92da8c08fa85617fa861

                            SHA1

                            bee96d85e39faa0d6f60fc797e0c4f0e9c01ed67

                            SHA256

                            565bbd4ed69c929cb00ce6552633382bfe46248b6e9db3293b9c031875c02b35

                            SHA512

                            35eaf569f94c69749308d30722589331ea1957f3a11f440b1eccc4aa32284681162128b2febef76c75181b49e5e57d780685a22e14e1900ffc7add3f83ac075e

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                            Filesize

                            71KB

                            MD5

                            5129e29d4d9a8ed94e04099622316b37

                            SHA1

                            be1c537ad5fc51bd28bd3ea23e16cbfbdaf01dfd

                            SHA256

                            17c1a413747e1dbf203f1824e45ddc0dc7afe4c529bca88cdb670f019d95db11

                            SHA512

                            7b8a1d79c069cdcbebd57255d11d96e13e291df8b99c15d6c969a66ef8af8639fac92e22b233b4b6f8b33a9c52ba2936fe59ecee2acf78c571f4920ea075e4bb

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                            Filesize

                            50KB

                            MD5

                            254dcbee3213189461b66e962ce8cc05

                            SHA1

                            cf970344713cdfad9e35f85acdb0fa1e1721ca1c

                            SHA256

                            e2e7190e062d57287e242730c9daa32f32eeec26836f75290e66fc566f1ea119

                            SHA512

                            7955ba42cbf7b36831e663be7c9591656f7ad2b4ea5e8249a5458a1598a226bb28f1e7130f135cf590011170117ddcf425acf93c0725899b4e4ca54404a93be4

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                            Filesize

                            56KB

                            MD5

                            e9794f785780945d2dde78520b9bb59f

                            SHA1

                            293cae66cedbc7385cd49819587d3d5a61629422

                            SHA256

                            0568e0d210de9b344f9ce278291acb32106d8425bdd467998502c1a56ac92443

                            SHA512

                            1a3c15e18557a14f0df067478f683e8b527469126792fae7b78361dad29317ff7b9d307b5a35e303487e2479d34830aa7e894f2906efff046436428ada9a4534

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                            Filesize

                            588KB

                            MD5

                            17d74c03b6bcbcd88b46fcc58fc79a0d

                            SHA1

                            bc0316e11c119806907c058d62513eb8ce32288c

                            SHA256

                            13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

                            SHA512

                            f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

                            Download Submit

                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt
                            Filesize

                            209B

                            MD5

                            dd8507615f7fa99cb66fb21f6710351e

                            SHA1

                            25d7064ae4ec3deeffa79811d11a05041d80b7ea

                            SHA256

                            edb8a98d5e321a71a81de94bbad4bbe1f8a77f548b078d638549b00f5799e926

                            SHA512

                            2bfbd7b1846d460e2847a6259a154d9fd70f71db74cbb8070df3db1f7329cd43a512a6cf06832c4ec4e8f95179b9e9bb6600a3a9cf46920a604f9069f286908a

                            Download Submit

                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe
                            Filesize

                            9KB

                            MD5

                            1ef7574bc4d8b6034935d99ad884f15b

                            SHA1

                            110709ab33f893737f4b0567f9495ac60c37667c

                            SHA256

                            0814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271

                            SHA512

                            947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73

                            Download Submit

                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe
                            Filesize

                            10KB

                            MD5

                            f512536173e386121b3ebd22aac41a4e

                            SHA1

                            74ae133215345beaebb7a95f969f34a40dda922a

                            SHA256

                            a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a

                            SHA512

                            1efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9

                            Download Submit

                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe
                            Filesize

                            76KB

                            MD5

                            b40fe65431b18a52e6452279b88954af

                            SHA1

                            c25de80f00014e129ff290bf84ddf25a23fdfc30

                            SHA256

                            800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e

                            SHA512

                            e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d

                            Download Submit

                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe
                            Filesize

                            80KB

                            MD5

                            3904d0698962e09da946046020cbcb17

                            SHA1

                            edae098e7e8452ca6c125cf6362dda3f4d78f0ae

                            SHA256

                            a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

                            SHA512

                            c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

                            Download Submit

                          • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3
                            Filesize

                            92KB

                            MD5

                            65bf8a6abe7770745291ee79a0f2d1da

                            SHA1

                            ed17f40b619153457ec7df75c230cfa5353df10c

                            SHA256

                            43cc89dd9c3c62e52b1e45ec9376c3a0484f2bcb11d7c44cf9cf7616d9fdd042

                            SHA512

                            91b5cf2747a5d2463496ef968fd1608a6fe34a9f53a73878d951c4a27d8f196aff8539ea956795b7839c9080972e73f35646ba0c6eee802d5f85ed080f2d1ff3

                            Download Submit

                          • C:\ProgramData\Splashtop\Splashtop Remote Server\Credential\98c6d341ec19b915ba1adc9ea0018f40
                            Filesize

                            16KB

                            MD5

                            b2e89027a140a89b6e3eb4e504e93d96

                            SHA1

                            f3b1b34874b73ae3032decb97ef96a53a654228f

                            SHA256

                            5f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982

                            SHA512

                            93fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                            Filesize

                            471B

                            MD5

                            b6102b47f3d2450f02c1167e5b337e9b

                            SHA1

                            91a6e5d7b3540556c971bcd6cdf52abd2cffcbfe

                            SHA256

                            e0c2d57c8661d444666ae009725ee84cd33a29ac48738277ea37bfd56b3cf8c4

                            SHA512

                            62bb67b325b56c41544956928ef0991262df019a470fc5792ba5abb7096e419f7ea3c8326560ffbe2b50ed0612fbc968fdf7564793a4d550b2465b799cbfcedf

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                            Filesize

                            727B

                            MD5

                            a433d0bd40ae75fbd372efe3fd3e2bc6

                            SHA1

                            137005873f5a1d269a7047adbcd08f5d204a323b

                            SHA256

                            83599ee2c90c3ef5da0f1d87bb6155bdcd2e70b97ad2163e4247f74f0925e1ec

                            SHA512

                            dca032c59d56db32821d19d913cb7519fbc0545bdc5b19cc6ca9eebf2faa8dca9739d4190b269c34438bca85879a271108f0641c2b653df37f08bfb9224150cb

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                            Filesize

                            727B

                            MD5

                            1dc1121e24814ab2e9102c631f6368e5

                            SHA1

                            55f7935319102e893d0df7ba28c35343456300ee

                            SHA256

                            8ed09687565336351ef88085dcf6cfc841af12a63433ecc12c2f13a9557c3c59

                            SHA512

                            132158f8f2bdf5d66cd4f3fed37405027d4233c79a365027e5d8d0ea20c5d23805bd298358df371b625486282867ba93a3ff5945dddf3ae8d91dd2630e477df4

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                            Filesize

                            400B

                            MD5

                            984fd4b31ea1c072593910100e638c03

                            SHA1

                            9075f1a6596ba0ad9cb3b1e92ddca02ef7386e57

                            SHA256

                            bc9b59704533f2ac71e47fc2522b1d5b09a343576e32b2fdef30dbbfc285a9c3

                            SHA512

                            fb7f028f9d817c267ca7d08c2a8c8fecd93ed96cb4557758fa45f2d24b348c3f4f8c78a3ef867cf07d8c4a5c8b58f3adb87606b9fa91e3dc8ed01ef783365c57

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                            Filesize

                            404B

                            MD5

                            cc3f960563ff8bf806a5368c40fd866b

                            SHA1

                            f6b2017436386a97bf2aca05008df54df91bd446

                            SHA256

                            b9a8cca6d7db5dac1f7fcaf4f1e791f577267a910edbc850486bbc4bcc0d0c15

                            SHA512

                            00a58743f39620417b292a49d3edf7becfa4668ef5c62964c163675855558c2aa847a54c425140164b9a1a7887ab6df273e3b7672ddab4e61d022ac7aeeffc00

                            Download Submit

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                            Filesize

                            412B

                            MD5

                            1b733da44e521756d2d8a0ff2d006a15

                            SHA1

                            769e7afad62095dbb23e6662c34b93529772cb31

                            SHA256

                            34b387a12decb3f28047cafcd5ae8e2aa042edcdd652428c64dcc45212b3a7d5

                            SHA512

                            d0f6ee7322970bc8ed29032ce181fd6b19fa0171d28cf70d80c501288da232f0516013c707265bdfd5a998f39feecec6fa4f7ebf599e82de6a1d1f77f8a23751

                            Download Submit

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                            Filesize

                            651B

                            MD5

                            9bbfe11735bac43a2ed1be18d0655fe2

                            SHA1

                            61141928bb248fd6e9cd5084a9db05a9b980fb3a

                            SHA256

                            549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74

                            SHA512

                            a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483

                            Download Submit

                          • C:\Windows\Installer\MSI5C91.tmp
                            Filesize

                            4.5MB

                            MD5

                            08211c29e0d617a579ffa2c41bde1317

                            SHA1

                            4991dae22d8cdc6ca172ad1846010e3d9e35c301

                            SHA256

                            3334a7025ff6cd58d38155a8f9b9867f1a2d872964c72776c9bf4c50f51f9621

                            SHA512

                            d6ae36a09745fdd6d0d508b18eb9f3499a06a7eeafa0834bb47a7004f4b7d54f15fec0d0a45b7e6347a85c8091ca52fe4c679f6f23c3668efe75a660a8ce917f

                            Download Submit

                          • C:\Windows\Installer\MSIEBD7.tmp
                            Filesize

                            509KB

                            MD5

                            88d29734f37bdcffd202eafcdd082f9d

                            SHA1

                            823b40d05a1cab06b857ed87451bf683fdd56a5e

                            SHA256

                            87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

                            SHA512

                            1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

                            Download Submit

                          • C:\Windows\Installer\MSIEBD7.tmp-\AlphaControlAgentInstallation.dll
                            Filesize

                            25KB

                            MD5

                            aa1b9c5c685173fad2dabebeb3171f01

                            SHA1

                            ed756b1760e563ce888276ff248c734b7dd851fb

                            SHA256

                            e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

                            SHA512

                            d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

                            Download Submit

                          • C:\Windows\Installer\MSIEBD7.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                            Filesize

                            179KB

                            MD5

                            1a5caea6734fdd07caa514c3f3fb75da

                            SHA1

                            f070ac0d91bd337d7952abd1ddf19a737b94510c

                            SHA256

                            cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

                            SHA512

                            a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

                            Download Submit

                          • C:\Windows\Installer\MSIEF62.tmp-\CustomAction.config
                            Filesize

                            1KB

                            MD5

                            bc17e956cde8dd5425f2b2a68ed919f8

                            SHA1

                            5e3736331e9e2f6bf851e3355f31006ccd8caa99

                            SHA256

                            e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

                            SHA512

                            02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

                            Download Submit

                          • C:\Windows\Installer\MSIEF62.tmp-\Newtonsoft.Json.dll
                            Filesize

                            695KB

                            MD5

                            715a1fbee4665e99e859eda667fe8034

                            SHA1

                            e13c6e4210043c4976dcdc447ea2b32854f70cc6

                            SHA256

                            c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

                            SHA512

                            bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

                            Download Submit

                          • C:\Windows\Installer\MSIF977.tmp
                            Filesize

                            211KB

                            MD5

                            a3ae5d86ecf38db9427359ea37a5f646

                            SHA1

                            eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

                            SHA256

                            c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

                            SHA512

                            96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

                            Download Submit

                          • C:\Windows\Installer\e57eb4a.msi
                            Filesize

                            2.9MB

                            MD5

                            db9d2b56b0b1f99c3c3759668311bc43

                            SHA1

                            d38a991043b8e3dd1acf12be974adbf5c56914ce

                            SHA256

                            dea4e36c02e72f6ad9570b5f098ffd20820e372a051f3c48db2c2c6b63203c4e

                            SHA512

                            7b09d55bea24856e3f97b4b8cc9b86bcd74b8f399a7ddf417532321a88ce683f3f45a0f27e9ddf81aee23a9935f23fc443014d637d2cad0fd1a2f07188faefa4

                            Download Submit

                          • C:\Windows\System32\DriverStore\Temp\{1b3f7063-1eb6-5b44-8548-ae1fe52ac639}\lci_proxywddm.cat
                            Filesize

                            12KB

                            MD5

                            8e16d54f986dbe98812fd5ec04d434e8

                            SHA1

                            8bf49fa8e12f801559cc2869365f0b184d7f93fe

                            SHA256

                            7c772fb24326e90d6e9c60a08495f32f7d5def1c52037d78cbd0436ad70549cd

                            SHA512

                            e1da797044663ad6362641189fa78116cc4b8e611f9d33c89d6c562f981d5913920acb12a4f7ef6c1871490563470e583910045378bda5c7a13db25f987e9029

                            Download Submit

                          • C:\Windows\System32\DriverStore\Temp\{1b3f7063-1eb6-5b44-8548-ae1fe52ac639}\lci_proxywddm.inf
                            Filesize

                            2KB

                            MD5

                            0315a579f5afe989154cb7c6a6376b05

                            SHA1

                            e352ff670358cf71e0194918dfe47981e9ccbb88

                            SHA256

                            d10fa136d6ae9a15216202e4dd9f787b3a148213569e438da3bf82b618d8001d

                            SHA512

                            c7ce8278bc5ee8f8b4738ef8bb2c0a96398b40dc65eea1c28688e772ae0f873624311146f4f4ec8971c91df57983d2d8cdbec1fe98eaa7f9d15a2c159d80e0af

                            Download Submit

                          • C:\Windows\System32\DriverStore\Temp\{1b3f7063-1eb6-5b44-8548-ae1fe52ac639}\x64\lci_proxyumd.dll
                            Filesize

                            179KB

                            MD5

                            4dc11547a5fc28ca8f6965fa21573481

                            SHA1

                            d531b0d8d2f8d49d81a4c17fbaf3bc294845362c

                            SHA256

                            e9db5cd21c8d709a47fc0cfb2c6ca3bb76a3ed8218bed5dc37948b3f9c7bd99d

                            SHA512

                            bd0f0a3bbc598480a9b678aa1b35728b2380bf57b195b0249936d0eaaa014f219031a563f486871099bf1c78ccc758f6b25b97cfc5296a73fc60b6caff9877f6

                            Download Submit

                          • C:\Windows\System32\DriverStore\Temp\{1b3f7063-1eb6-5b44-8548-ae1fe52ac639}\x64\lci_proxyumd32.dll
                            Filesize

                            135KB

                            MD5

                            67ae7b2c36c9c70086b9d41b4515b0a8

                            SHA1

                            ba735d6a338c8fdfa61c98f328b97bf3e8e48b8b

                            SHA256

                            79876f242b79269fe0fe3516f2bdb0a1922c86d820ce1dd98500b385511dac69

                            SHA512

                            4d8320440f3472ee0e9bd489da749a738370970de07b0920b535642723c92de848f4b3d7f898689c817145ce7b08f65128abe91d816827aeb7e5e193d7027078

                            Download Submit

                          • C:\Windows\System32\DriverStore\Temp\{1b3f7063-1eb6-5b44-8548-ae1fe52ac639}\x64\lci_proxywddm.sys
                            Filesize

                            119KB

                            MD5

                            b9b0e9b4d93b18b99ece31a819d71d00

                            SHA1

                            2be1ad570f3ccb2e6f2e2b16d1e0002ca4ec8d9e

                            SHA256

                            0f1c64c0fa08fe45beac15dc675d3b956525b8f198e92e0ccac21d2a70ce42cf

                            SHA512

                            465e389806f3b87a544ab8b0b7b49864feeba2eeef4fb51628d40175573ed1ba00b26d6a2abebc74c31369194206ed31d32c68471dddcf817fdd2d26e3da7a53

                            Download Submit

                          • C:\Windows\System32\DriverStore\Temp\{ca8c1292-fb9c-b64e-9539-7263b6922f76}\lci_iddcx.cat
                            Filesize

                            10KB

                            MD5

                            62458e58313475c9a3642a392363e359

                            SHA1

                            e63a3866f20e8c057933ba75d940e5fd2bf62bc6

                            SHA256

                            85620d87874f27d1aaf1743c0ca47e210c51d9afd0c9381fc0cd8acca3854562

                            SHA512

                            49fb8ca58aecf97a6ab6b97de7d367accb7c5be76fbcd324af4ce75efe96642e8c488f273c0363250f7a5bcea7f7055242d28fd4b1f130b68a1a5d9a078e7fad

                            Download Submit

                          • C:\Windows\System32\DriverStore\Temp\{ca8c1292-fb9c-b64e-9539-7263b6922f76}\lci_iddcx.inf
                            Filesize

                            4KB

                            MD5

                            1cec22ca85e1b5a8615774fca59a420b

                            SHA1

                            049a651751ef38321a1088af6a47c4380f9293fc

                            SHA256

                            60a018f46d17b7640fc34587667cd852a16fa8e82f957a69522637f22e5fe5cf

                            SHA512

                            0f24fe3914aef080a0d109df6cfac548a880947fb85e7490f0d8fa174a606730b29dc8d2ae10525dba4d1ca05ac9b190e4704629b86ac96867188df4ca3168bb

                            Download Submit

                          • C:\Windows\System32\DriverStore\Temp\{ca8c1292-fb9c-b64e-9539-7263b6922f76}\x64\lci_iddcx.dll
                            Filesize

                            52KB

                            MD5

                            01e8bc64139d6b74467330b11331858d

                            SHA1

                            b6421a1d92a791b4d4548ab84f7140f4fc4eb829

                            SHA256

                            148359a84c637d05c20a58f5038d8b2c5390f99a5a229be8eccbb5f85e969438

                            SHA512

                            4099e8038d65d95d3f00fd32eba012f55ae16d0da3828e5d689ef32e20352fdfcc278cd6f78536dc7f28fb97d07185e654fe6eee610822ea8d9e9d5af696dff5

                            Download Submit

                          • C:\Windows\Temp\B7C5EA94-B96A-41F5-BE95-25D78B486678-20-46-58.dat
                            Filesize

                            602B

                            MD5

                            709524d09dac7bf84f37fb8f1524d3b1

                            SHA1

                            cb23f9d959af03b5664eaf84f4bcd3c4c507af24

                            SHA256

                            0c8bdff553c74b146f1e53f0981f83c97bab75c57367de76a6841c1ff5d39685

                            SHA512

                            63a92276213cd5d3668633475c53d088a7f46b61d32814c43fae4dfdfa0c7e86316f82c93ac9b33269da593d2d394e8ea0958ad9ac0ebb80bdd008de82ff9743

                            Download Submit

                          • C:\Windows\Temp\InstallUtil.log
                            Filesize

                            4KB

                            MD5

                            e52b7f7afe832ccf217d96926a933581

                            SHA1

                            910f7815a0535d4be91f34124396a14432823b7c

                            SHA256

                            33dd59ccbbbab6073042b37f4e835335e6e64a2df8b9dc6bc80413a9f1e8e839

                            SHA512

                            fef023e0979fc312fec7d19385451c94465954456fa89daaf6fa4ecc3ac1d54d83a8d22c99e3e806dddbfcc683532443f1ba728ec504321295d8e205d565d8b3

                            Download Submit

                          • C:\Windows\Temp\InstallUtil.log
                            Filesize

                            1KB

                            MD5

                            7b9b9e1e9fb3d2d14266efde210328fc

                            SHA1

                            82815dc1f7a4a961d5fd5190749a156ba941c6bf

                            SHA256

                            a10555c3d22cd7dae693d8d3c6312ccd7135c7ace1668661224991038a88c5e9

                            SHA512

                            26a9f4a6a63cd07f30c952a10801660f2aab5037f02697b358ad3961133cac5a818fd8b3b8d3d702c519dc8768da2b91be305d5888cbb27b5ff0b7b35e23cde9

                            Download Submit

                          • C:\Windows\Temp\PreVer.log
                            Filesize

                            2KB

                            MD5

                            cfdfcd9ed9920c708ee7369da7dfb58f

                            SHA1

                            cbd53b7e11b0ca44550c02807190fb872efea2cc

                            SHA256

                            c8b06568363b59b2e81c4207f12b88f6473e1230b1055bcb0a9634e5327e27e0

                            SHA512

                            824ff4a1e61ce6cd304bd1ab823abbc75bb83b354ce889a5244f6f385bebff7609799118a7fbb8ace31a6bb57313df2d910605f8751d71e4322fa602442ce819

                            Download Submit

                          • C:\Windows\Temp\TmpD675.tmp
                            Filesize

                            3KB

                            MD5

                            560af444a6a7faa0b0ca94dc16ca2a58

                            SHA1

                            df31453fafde354870a0a9a8ca50b18e284c32e4

                            SHA256

                            94739ca46676bd602a78671257fbfce39feaabc9664c6326bf4970a0108e3429

                            SHA512

                            7c853176c088d56a517e52c6687b6debf08f6f9726376720ade9d13fafc9be0ca72f0f2b35562a61ece653aeb789c838c60447f463b2bbe70c21bfc8c039b681

                            Download Submit

                          • C:\Windows\Temp\unpack.log
                            Filesize

                            4KB

                            MD5

                            397136ef54e5b6ec7741dd8c22692d1f

                            SHA1

                            03246717647edf7cbdd486d03ae7e5cef560ed82

                            SHA256

                            cd00324027794ddf5df97e19034dd1d397c32652f36b55fddd105c36faa47972

                            SHA512

                            58c907e67b4746f8c16641ace5f165295779024c7b072601fcf4952dfd1807d69a620f1d7896c3d2f6107d557e61fbc0271d426a3794a0db25080ddc48d680a1

                            Download Submit

                          • C:\Windows\Temp\unpack\PreVerCheck.exe
                            Filesize

                            3.2MB

                            MD5

                            2c18826adf72365827f780b2a1d5ea75

                            SHA1

                            a85b5eae6eba4af001d03996f48d97f7791e36eb

                            SHA256

                            ae06a5a23b6c61d250e8c28534ed0ffa8cc0c69b891c670ffaf54a43a9bf43be

                            SHA512

                            474fce1ec243b9f63ea3d427eb1117ad2ebc5a122f64853c5015193e6727ffc8083c5938117b66e572da3739fd0a86cd5bc118f374c690fa7a5fe9f0c071c167

                            Download Submit

                          • C:\Windows\Temp\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\ISRT.dll
                            Filesize

                            427KB

                            MD5

                            85315ad538fa5af8162f1cd2fce1c99d

                            SHA1

                            31c177c28a05fa3de5e1f934b96b9d01a8969bba

                            SHA256

                            70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

                            SHA512

                            877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

                            Download Submit

                          • C:\Windows\Temp\{37D75F99-5E82-4FA1-9538-9E7EF26C52BC}\_isres_0x0409.dll
                            Filesize

                            1.8MB

                            MD5

                            befe2ef369d12f83c72c5f2f7069dd87

                            SHA1

                            b89c7f6da1241ed98015dc347e70322832bcbe50

                            SHA256

                            9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131

                            SHA512

                            760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b

                            Download Submit

                          • C:\Windows\Temp\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\IsConfig.ini
                            Filesize

                            571B

                            MD5

                            d239b8964e37974225ad69d78a0a8275

                            SHA1

                            cf208e98a6f11d1807cd84ca61504ad783471679

                            SHA256

                            0ce4b4c69344a2d099dd6ca99e44801542fa2011b5505dd9760f023570049b73

                            SHA512

                            88eb06ae80070203cb7303a790ba0e8a63c503740ca6e7d70002a1071c89b640f9b43f376ddc3c9d6ee29bae0881f736fa71e677591416980b0a526b27ee41e8

                            Download Submit

                          • C:\Windows\Temp\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\String1033.txt
                            Filesize

                            182KB

                            MD5

                            99bbffd900115fe8672c73fb1a48a604

                            SHA1

                            8f587395fa6b954affef337c70781ce00913950e

                            SHA256

                            57ceff2d980d9224c53a910a6f9e06475dc170f42a0070ae4934868ccd13d2dc

                            SHA512

                            d578b1931a8daa1ef0f0238639a0c1509255480b5dbd464c639b4031832e2e7537f003c646d7bd65b75e721a7ad584254b4dfa7efc41cf6c8fbd6b72d679eeff

                            Download Submit

                          • C:\Windows\Temp\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\_is5020.exe
                            Filesize

                            179KB

                            MD5

                            7a1c100df8065815dc34c05abc0c13de

                            SHA1

                            3c23414ae545d2087e5462a8994d2b87d3e6d9e2

                            SHA256

                            e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

                            SHA512

                            bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

                            Download Submit

                          • C:\Windows\Temp\{7038C1EF-F54A-4DFA-B3EC-E1C65BF83590}\setup.inx
                            Filesize

                            345KB

                            MD5

                            0376dd5b7e37985ea50e693dc212094c

                            SHA1

                            02859394164c33924907b85ab0aaddc628c31bf1

                            SHA256

                            c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415

                            SHA512

                            69d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                            Filesize

                            404B

                            MD5

                            16412bc5c716f28cf1c12d0e12c3d737

                            SHA1

                            e5155a1c405ae6116266616c05f6251e9fe2e26b

                            SHA256

                            8d05661a3c6276091d39dc9ecb51bb0cdd9158e1964aa59ece301cbc20a47791

                            SHA512

                            8fdeb14f6ef15c56de32334e0382a165c431c21f0ebcd4e4ceec126a2bf7bc304ff3ea9fa56dc4385f72751f38c2c0504e6bd8f21f2190ced33cf946374ef98f

                            Download Submit

                          • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                            Filesize

                            412B

                            MD5

                            7cea23610f3abd37b1a1fdd7fb73e7f3

                            SHA1

                            0ef3e4bcd910192cedc53f295858d48e596be8df

                            SHA256

                            13410dc90a568ee4b82738af944b56c34aca926cfa99ee89905fc861b7bb1fb3

                            SHA512

                            a9dfd31c36b619355e157eb802d12e17e7b3320aac1aaed5294cf891f5def8d20981aabe72e6aaba6042e4e569fbd959ba5f32f6763841883ae2ba99015ce1ea

                            Download Submit

                          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                            Filesize

                            24.1MB

                            MD5

                            953b0fe5bd1cba2e8a0a1f986f307661

                            SHA1

                            1f685c36a65742cdbef8c28e3f2693c7bd3d486c

                            SHA256

                            3f595c1251f3e8e279bd9b89ee3a5f278fa28515ddba5c52d7a7718a886d6ca5

                            SHA512

                            8743f3da1eedaa552aec448d4a4da44859931b921c711c75c2c9baad06f252ba95a2d0535cb78c2d4132771835f9fc66b2e0a248f42026480424720928aefe7c

                            Download Submit

                          • \??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a8724b91-790a-4c1c-96e4-0d41147a39fb}_OnDiskSnapshotProp
                            Filesize

                            6KB

                            MD5

                            cdb27f583503a461380dfd19cbece198

                            SHA1

                            a6402301ee178271d1a7c615ff2fa532e0e15234

                            SHA256

                            3add4dbcab41928a75aaedf2daa6cfde2c2de1656f2c0833df5d21a61df4923e

                            SHA512

                            deb7c7072afe28ac4331db9dffadd5ca0cc86d298fe793df0921ccff9abf3889e01a5b7e700f270fb7399462cc56b2097448afb67f899aa824f87ceb55457a9a

                            Download Submit

                          • memory/216-39-0x0000000004E40000-0x0000000004E6E000-memory.dmp

                            Filesize

                            184KB

                            Download

                          • memory/216-43-0x0000000004E80000-0x0000000004E8C000-memory.dmp

                            Filesize

                            48KB

                            Download

                          • memory/1020-1461-0x0000014043880000-0x00000140438C6000-memory.dmp

                            Filesize

                            280KB

                            Download

                          • memory/1020-1311-0x000001402A4B0000-0x000001402A4D0000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/1020-1562-0x0000014042D00000-0x0000014042D1E000-memory.dmp

                            Filesize

                            120KB

                            Download

                          • memory/1020-1561-0x0000014043A10000-0x0000014043A86000-memory.dmp

                            Filesize

                            472KB

                            Download

                          • memory/1020-1646-0x0000014043DD0000-0x0000014043E3E000-memory.dmp

                            Filesize

                            440KB

                            Download

                          • memory/1020-1560-0x0000014043940000-0x0000014043990000-memory.dmp

                            Filesize

                            320KB

                            Download

                          • memory/1020-1382-0x0000014043E90000-0x00000140444EC000-memory.dmp

                            Filesize

                            6.4MB

                            Download

                          • memory/1020-1309-0x000001402A480000-0x000001402A490000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/1020-1308-0x0000014029C40000-0x0000014029C52000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/1020-1310-0x0000014042DC0000-0x0000014042E72000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/1636-2110-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/1636-1216-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/1636-1217-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/1636-1149-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/1636-1148-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/1636-2111-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/1636-1784-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/1636-1785-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/2256-354-0x00000245E7370000-0x00000245E744C000-memory.dmp

                            Filesize

                            880KB

                            Download

                          • memory/2256-357-0x00000245E72A0000-0x00000245E72A8000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/2256-350-0x00000245E7090000-0x00000245E70DC000-memory.dmp

                            Filesize

                            304KB

                            Download

                          • memory/2256-352-0x00000245CE910000-0x00000245CE918000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/2256-351-0x00000245E70E0000-0x00000245E7128000-memory.dmp

                            Filesize

                            288KB

                            Download

                          • memory/2256-353-0x00000245E7040000-0x00000245E704A000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/2256-355-0x00000245E7450000-0x00000245E7502000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/2256-347-0x00000245CDF30000-0x00000245CDF94000-memory.dmp

                            Filesize

                            400KB

                            Download

                          • memory/2256-356-0x00000245E7290000-0x00000245E7298000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/2256-349-0x00000245CE8F0000-0x00000245CE90C000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/2256-358-0x00000245E72B0000-0x00000245E72B8000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/2256-359-0x00000245E7510000-0x00000245E7578000-memory.dmp

                            Filesize

                            416KB

                            Download

                          • memory/2256-360-0x00000245E72F0000-0x00000245E731A000-memory.dmp

                            Filesize

                            168KB

                            Download

                          • memory/2256-362-0x00000245E72C0000-0x00000245E72E6000-memory.dmp

                            Filesize

                            152KB

                            Download

                          • memory/2256-348-0x00000245CE920000-0x00000245CE96A000-memory.dmp

                            Filesize

                            296KB

                            Download

                          • memory/2256-361-0x00000245E81D0000-0x00000245E820A000-memory.dmp

                            Filesize

                            232KB

                            Download

                          • memory/2364-277-0x0000024558A00000-0x0000024558AB0000-memory.dmp

                            Filesize

                            704KB

                            Download

                          • memory/2364-278-0x00000245400D0000-0x00000245400EC000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/2364-274-0x000002453F860000-0x000002453F890000-memory.dmp

                            Filesize

                            192KB

                            Download

                          • memory/2568-1250-0x00000227994E0000-0x0000022799534000-memory.dmp

                            Filesize

                            336KB

                            Download

                          • memory/2568-1245-0x00000227995A0000-0x0000022799652000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/2568-1243-0x0000022780410000-0x0000022780422000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/2568-1244-0x0000022780D90000-0x0000022780DAC000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/3036-197-0x000002AAF9830000-0x000002AAF98E2000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/3036-243-0x000002AAF9DC0000-0x000002AAF9DF8000-memory.dmp

                            Filesize

                            224KB

                            Download

                          • memory/3036-198-0x000002AAF97C0000-0x000002AAF97E2000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/3128-2189-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3128-1248-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/3128-1249-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3128-2188-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/3128-1755-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3128-1159-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3128-1158-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/3128-1754-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/3260-1246-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/3260-1154-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/3260-1157-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3260-2190-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/3260-2191-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3260-1247-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3660-1274-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3660-1277-0x0000000075720000-0x000000007583C000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/3660-1278-0x00000000746E0000-0x0000000074AAD000-memory.dmp

                            Filesize

                            3.8MB

                            Download

                          • memory/3872-166-0x00000210AB630000-0x00000210AB642000-memory.dmp

                            Filesize

                            72KB

                            Download

                          • memory/3872-167-0x00000210ACF80000-0x00000210ACFBC000-memory.dmp

                            Filesize

                            240KB

                            Download

                          • memory/3872-162-0x00000210C5910000-0x00000210C59A8000-memory.dmp

                            Filesize

                            608KB

                            Download

                          • memory/3872-150-0x00000210AB230000-0x00000210AB258000-memory.dmp

                            Filesize

                            160KB

                            Download

                          • memory/3956-1480-0x0000026B62130000-0x0000026B62138000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/3956-1422-0x0000026B7ABA0000-0x0000026B7AC52000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/3956-1421-0x0000026B7AAA0000-0x0000026B7AB7C000-memory.dmp

                            Filesize

                            880KB

                            Download

                          • memory/3956-1420-0x0000026B620F0000-0x0000026B6210C000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/3956-1419-0x0000026B62180000-0x0000026B621CA000-memory.dmp

                            Filesize

                            296KB

                            Download

                          • memory/3956-1418-0x0000026B61790000-0x0000026B617A0000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/4008-1483-0x0000024ED9F70000-0x0000024ED9F96000-memory.dmp

                            Filesize

                            152KB

                            Download

                          • memory/4008-1670-0x0000024EDA2B0000-0x0000024EDA2B8000-memory.dmp

                            Filesize

                            32KB

                            Download

                          • memory/4528-112-0x0000000005550000-0x00000000055B6000-memory.dmp

                            Filesize

                            408KB

                            Download

                          • memory/4656-905-0x0000000010000000-0x0000000010114000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/4656-486-0x0000000002F20000-0x00000000030E7000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/4656-483-0x0000000010000000-0x0000000010114000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/4656-1084-0x0000000010000000-0x0000000010114000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/4656-1050-0x0000000003420000-0x00000000035E7000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/4656-975-0x0000000010000000-0x0000000010114000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/4656-908-0x0000000002F60000-0x0000000003127000-memory.dmp

                            Filesize

                            1.8MB

                            Download

                          • memory/4656-517-0x0000000010000000-0x0000000010114000-memory.dmp

                            Filesize

                            1.1MB

                            Download

                          • memory/4864-78-0x0000000004800000-0x00000000048B2000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/4864-81-0x0000000004760000-0x0000000004782000-memory.dmp

                            Filesize

                            136KB

                            Download

                          • memory/4864-82-0x00000000048C0000-0x0000000004C14000-memory.dmp

                            Filesize

                            3.3MB

                            Download

                          • memory/4980-302-0x000001DF9F0E0000-0x000001DF9F0FC000-memory.dmp

                            Filesize

                            112KB

                            Download

                          • memory/4980-301-0x000001DFB7E40000-0x000001DFB7EF2000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/4980-300-0x000001DF9ECD0000-0x000001DF9ECE6000-memory.dmp

                            Filesize

                            88KB

                            Download

                          • memory/5088-1383-0x000002681DC80000-0x000002681DC90000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/5088-1416-0x0000026836D20000-0x0000026836D34000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/5088-1384-0x000002681E5E0000-0x000002681E600000-memory.dmp

                            Filesize

                            128KB

                            Download

                          • memory/5088-1385-0x0000026836DE0000-0x0000026836E92000-memory.dmp

                            Filesize

                            712KB

                            Download

                          • memory/5088-1414-0x0000026837750000-0x00000268377B6000-memory.dmp

                            Filesize

                            408KB

                            Download