Overview

overview

10

Static

static

10

pdf946946.msi

windows7-x64

10

pdf946946.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250207-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/02/2025, 11:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pdf946946.msi

  • Size

    2.9MB

  • MD5

    8b6b0ec93209591b6f987b27b150f803

  • SHA1

    dd64e5c25c9237b6a52f68dcc6a5777c83c5fef3

  • SHA256

    768eaad977f0e47869a05f653895ef1c14b3c83905a91e2b8dc56b718e056de6

  • SHA512

    0e892754f982114ab1d99bef288123563543c1010289f312f9b9e8c3abd8845c907ef665dc60dd744b3c840fe11c4546c1bee5bcbebeb67469cda4e3409e0a39

  • SSDEEP

    49152:++1Ypn4N2MGVv1zyIBWGppT9jnMHRjOOozjcqZJN8dUZTwYaH7oqPxMbY+K/tzQz:++lUlz9FKbsodq0YaH7ZPxMb8tT

Score
10/10
ateraagentbootkitdiscoveryexecutionpersistenceprivilege_escalationratupx

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

    ratateraagent
  • Ateraagent family
    ateraagent
  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 5 IoCs
  • Drops file in Drivers directory 6 IoCs
  • Downloads MZ/PE file 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Drops file in System32 directory 64 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • UPX packed file 28 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 61 IoCs
  • Executes dropped EXE 64 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Loads dropped DLL 64 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 49 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • System Time Discovery 1 TTPs 3 IoCs

    Adversary may gather the system time and/or time zone settings from a local or remote system.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 11 IoCs
    defense_evasion
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 64 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
    defense_evasionspywaretrojan
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\pdf946946.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5064
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4140
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2796
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 0407459A356BF2A022CF6FFAD83555A8
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3636
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIE5EB.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240641734 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.GenerateAgentId
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:1476
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIE8F9.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240642296 6 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiStart
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3384
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSIEE98.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240643750 10 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
          3⤵
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:552
        • C:\Windows\SysWOW64\rundll32.exe
          rundll32.exe "C:\Windows\Installer\MSI467.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240649343 32 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ReportMsiEnd
          3⤵
          • Blocklisted process makes network request
          • Drops file in Windows directory
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:3384
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding A5FA865B462AEEF45E28769AE399B0F7 E Global\MSI0000
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1452
        • C:\Windows\SysWOW64\NET.exe
          "NET" STOP AteraAgent
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2448
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 STOP AteraAgent
            4⤵
            • System Location Discovery: System Language Discovery
            PID:4820
        • C:\Windows\SysWOW64\TaskKill.exe
          "TaskKill.exe" /f /im AteraAgent.exe
          3⤵
          • System Location Discovery: System Language Discovery
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1584
      • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
        "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q300000QMzFeIAL" /AgentId="60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59"
        2⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        PID:2348
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding A293BCEE0F8D6798BB66DA8A7B7C325B E Global\MSI0000
        2⤵
        • Blocklisted process makes network request
        • Drops file in System32 directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Modifies registry class
        PID:5576
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1F523876-517C-42E4-96B5-E9C1AAAC1E0D}
          3⤵
          • Executes dropped EXE
          PID:5736
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{517F6BFA-6CF9-4723-8408-569945302E0C}
          3⤵
          • Executes dropped EXE
          PID:5772
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{59CECA7A-E07D-419D-8FF2-CD1ABAE116D4}
          3⤵
          • Executes dropped EXE
          PID:5808
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A84DDF23-F500-4AAB-A119-78A128970C91}
          3⤵
          • Executes dropped EXE
          PID:5840
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{32F7917E-9332-44C6-8419-9CC0EB81F1E4}
          3⤵
          • Executes dropped EXE
          PID:5872
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C67E73FB-2733-44B7-A202-A30E67DFCBA7}
          3⤵
          • Executes dropped EXE
          PID:5948
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4AA06572-254A-4C60-8BEE-E02B71EE680B}
          3⤵
          • Executes dropped EXE
          PID:5980
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0918A97E-794E-4451-B993-9C622BAE2803}
          3⤵
          • Executes dropped EXE
          PID:6012
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B3C3E8C2-D14E-4EE9-B338-5B0EFCD6AFE1}
          3⤵
          • Executes dropped EXE
          PID:6044
        • C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe
          C:\Windows\TEMP\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_is61A3.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5059218-995C-4B18-8948-281BAACEEEE8}
          3⤵
          • Executes dropped EXE
          PID:6076
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRServer.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:6116
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRServer.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:5188
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRApp.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5248
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRApp.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:4404
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAppPB.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:3804
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRAppPB.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:3124
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeature.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5332
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRFeature.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:5364
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRFeatMini.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5404
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRFeatMini.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:3972
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRManager.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5476
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRManager.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:5612
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAgent.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:776
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRAgent.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:5708
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRChat.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5732
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRChat.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:3060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRAudioChat.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:4388
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRAudioChat.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:1360
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\SysWOW64\cmd.exe /C "taskkill.exe /F /IM SRVirtualDisplay.exe /T"
          3⤵
          • System Location Discovery: System Language Discovery
          PID:5804
          • C:\Windows\SysWOW64\taskkill.exe
            taskkill.exe /F /IM SRVirtualDisplay.exe /T
            4⤵
            • System Location Discovery: System Language Discovery
            • Kills process with taskkill
            PID:5856
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{73F8056C-3077-4E61-8009-3FDFB8E060C4}
          3⤵
          • Executes dropped EXE
          PID:6032
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4A24B10-AE8B-41A7-90DE-2E135DFBF2AE}
          3⤵
          • Executes dropped EXE
          PID:6064
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FB5DA57C-50DE-4263-A9A4-8218740373FD}
          3⤵
          • Executes dropped EXE
          PID:6096
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0BECA92F-44AB-4EE7-BAE0-0514A7BF170B}
          3⤵
          • Executes dropped EXE
          PID:6076
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B9B810D8-5C49-4946-A3CC-8AA87C75A274}
          3⤵
          • Executes dropped EXE
          PID:5184
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7CC2EDBC-4959-4701-8B00-2A9072678165}
          3⤵
          • Executes dropped EXE
          PID:5192
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2162A573-8C2A-4ED8-9F6B-DF26396D12FE}
          3⤵
          • Executes dropped EXE
          PID:5256
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{60C3BAA2-D586-4F87-84EA-5FA04B5F0744}
          3⤵
          • Executes dropped EXE
          PID:4520
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EB7E6730-E42F-458C-A321-403973E9DD10}
          3⤵
          • Executes dropped EXE
          PID:5196
        • C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
          C:\Windows\TEMP\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6AF22758-373F-4A54-9017-28D76B2534E3}
          3⤵
          • Executes dropped EXE
          PID:5388
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{6142B704-40CF-4C3A-A369-3C3D910F7AF7}
          3⤵
          • Executes dropped EXE
          PID:6124
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{2D517386-3D3C-4B1D-9447-94B15ED3598B}
          3⤵
          • Executes dropped EXE
          PID:6020
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5A389EF5-6D21-4092-8B4B-ED69CFB04448}
          3⤵
          • Executes dropped EXE
          PID:6068
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{55FA3AB7-A404-448A-8DF7-964261FF3C7D}
          3⤵
          • Executes dropped EXE
          PID:6100
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C3740996-7B03-4145-850E-40F479DEB492}
          3⤵
          • Executes dropped EXE
          PID:5992
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A8C6A729-462C-4E58-97C0-8216BC09D5BC}
          3⤵
          • Executes dropped EXE
          PID:2232
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0192C40C-215F-4414-89DA-079696FA5A97}
          3⤵
          • Executes dropped EXE
          PID:1452
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{50A4EB3E-6D43-43D4-B076-38BEF49B629F}
          3⤵
          • Executes dropped EXE
          PID:5304
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3C8C9F9B-AA89-4CE7-88A9-38A617BCCD53}
          3⤵
          • Executes dropped EXE
          PID:2084
        • C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe
          C:\Windows\TEMP\{B4C491DD-E454-40D5-8E14-61D6FE8A31F8}\_is81EF.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{D1134CA6-61F3-412A-9750-E6D3AB2D0D5F}
          3⤵
          • Executes dropped EXE
          PID:5360
        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
          "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ADDUSERINFO /V "sec_opt=0,confirm_d=0,hidewindow=1"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5796
        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
          "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P USERSESSIONID
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5496
        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe
          "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Support\SetupUtil.exe" /P ST_EVENT
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:3060
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" um "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
            4⤵
              PID:5148
            • C:\Windows\system32\cmd.exe
              "C:\Windows\sysnative\cmd.exe" /C "C:\Windows\system32\wevtutil.exe" im "C:\ProgramData\Splashtop\Common\Event\stevt_srs_provider.man"
              4⤵
                PID:5808
            • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe
              "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRSelfSignCertUtil.exe" -g
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:6056
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9B3D5E0C-6B1E-4A4F-BE44-9DEF0160E2BB}
              3⤵
              • Executes dropped EXE
              PID:5316
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{823059FF-64D8-4928-88D7-AA11A8DC6A34}
              3⤵
              • Executes dropped EXE
              PID:1640
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{9B0DA4D7-ED21-4B89-99A4-8328841418D3}
              3⤵
              • Executes dropped EXE
              PID:5388
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{550E148D-314C-4142-ABF5-EE89CEA07512}
              3⤵
              • Executes dropped EXE
              PID:5336
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{CC1587B5-C68A-4FBE-8390-6D98CEEF8E60}
              3⤵
              • Executes dropped EXE
              PID:5468
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1FD88D4D-0E65-40A1-98A1-516ECA481664}
              3⤵
              • Executes dropped EXE
              PID:5632
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{73096694-56AC-47C2-B4C7-9889965C3F90}
              3⤵
              • Executes dropped EXE
              PID:5264
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C916351E-9809-406B-8DA8-537A6040EEC0}
              3⤵
              • Executes dropped EXE
              PID:5720
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B2BAED10-0288-4285-B732-C284D4B61DA2}
              3⤵
              • Executes dropped EXE
              PID:552
            • C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe
              C:\Windows\TEMP\{05471725-8203-48BC-AC72-9FF30082A286}\_is9634.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8335DF9D-1F09-4652-B652-42FC908B296E}
              3⤵
              • Executes dropped EXE
              PID:5704
            • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
              "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -i
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2492
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C977B594-619A-4922-ABA8-14ABA19C53DC}
              3⤵
              • Executes dropped EXE
              PID:4892
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{3123C814-5CBF-4B26-BE7D-8A1E9A9A5ABD}
              3⤵
              • Executes dropped EXE
              PID:5868
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AA203E82-16E0-4FF5-91C2-65359A367587}
              3⤵
              • Executes dropped EXE
              PID:436
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{87225F98-3CFD-4852-A893-3534DAD17C2B}
              3⤵
              • Executes dropped EXE
              PID:5708
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A4D77393-1E32-4615-A496-9FEAD2F85514}
              3⤵
              • Executes dropped EXE
              PID:5952
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{95B1809E-E4AF-48FB-9ACD-1BC4804F9F29}
              3⤵
              • Executes dropped EXE
              PID:5136
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EE3BAA62-1375-4220-82D4-38CF5A8EB1C5}
              3⤵
              • Executes dropped EXE
              PID:5144
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{347EE4CA-18FC-4973-966B-A4CB6F7F5829}
              3⤵
              • Executes dropped EXE
              PID:6108
            • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
              C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8A098C5D-34AD-4A11-A2B4-D3D7CC1CE0C3}
              3⤵
                PID:3260
              • C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe
                C:\Windows\TEMP\{A1FC7A2B-90DF-4105-B66D-703CF8EC7AFB}\_is9AB9.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{66D95C14-3F64-44A7-9C7C-07CF940B10E0}
                3⤵
                  PID:6100
                • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
                  "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe" -r
                  3⤵
                  • System Location Discovery: System Language Discovery
                  PID:5160
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
              • Checks SCSI registry key(s)
              • Suspicious use of AdjustPrivilegeToken
              PID:1480
            • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
              "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7NTc4Qzk3N0EtQjQzNC00M0M4LTkyQjQtMkY1MEY5NDhGRkY0fSIgdXNlcmlkPSJ7NEY3REMzOUEtMkE2MC00RDU1LUFBNDctNkYxQjQwRjA5MjhGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MDIzNDFDRDMtNjc4Qy00OTlCLUFDMDMtMTlFODU1RUZGNzM2fSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI3IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDY4ODkiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTM2NTgwOTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTA0MDQ4NjMwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
              1⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:2416
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
              1⤵
              • Drops file in System32 directory
              • Drops file in Program Files directory
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:3476
              • C:\Windows\System32\sc.exe
                "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                2⤵
                • Launches sc.exe
                PID:1416
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "e5c88d81-013a-4478-bb74-57263dbf7796" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QMzFeIAL
                2⤵
                • Drops file in System32 directory
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:1052
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "14ad44ac-e539-4c05-8bd6-e022950778fe" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification" 001Q300000QMzFeIAL
                2⤵
                • Drops file in System32 directory
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                PID:2768
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "fb0e9177-f018-43d6-883b-de14a70ccdb0" agent-api.atera.com/Production 443 or8ixLi90Mf "identified" 001Q300000QMzFeIAL
                2⤵
                • Executes dropped EXE
                PID:1640
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "e327e258-c607-47e6-8cf1-0e9e848cec01" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo fromGui" 001Q300000QMzFeIAL
                2⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:1416
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"
                  3⤵
                  • Drops file in System32 directory
                  • Command and Scripting Interpreter: PowerShell
                  • Modifies data under HKEY_USERS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4436
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3068
                  • C:\Windows\system32\cscript.exe
                    cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                    4⤵
                    • Modifies data under HKEY_USERS
                    PID:3340
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "307b2309-6ff4-40a0-8b40-acc8fe133712" agent-api.atera.com/Production 443 or8ixLi90Mf "install eyJSbW1Db2RlIjoiaFpDREZQaEs3NW1KIiwiUmVxdWVzdFBlcm1pc3Npb25PcHRpb24iOjMsIlJlcXVpcmVQYXNzd29yZE9wdGlvbiI6bnVsbCwiUGFzc3dvcmQiOm51bGx9" 001Q300000QMzFeIAL
                2⤵
                • Downloads MZ/PE file
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2036
                • C:\Windows\TEMP\SplashtopStreamer.exe
                  "C:\Windows\TEMP\SplashtopStreamer.exe" prevercheck /s /i sec_opt=0,confirm_d=0,hidewindow=1
                  3⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Modifies data under HKEY_USERS
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:5216
                  • C:\Windows\Temp\unpack\PreVerCheck.exe
                    "C:\Windows\Temp\unpack\PreVerCheck.exe" /s /i sec_opt=0,confirm_d=0,hidewindow=1
                    4⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of WriteProcessMemory
                    PID:5420
                    • C:\Windows\SysWOW64\msiexec.exe
                      msiexec /norestart /i "setup.msi" /qn /l*v "C:\Windows\TEMP\PreVer.log.txt" CA_EXTPATH=1 USERINFO="sec_opt=0,confirm_d=0,hidewindow=1"
                      5⤵
                      • System Location Discovery: System Language Discovery
                      PID:5516
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "f4da21ec-0142-4884-a657-f7804b704169" agent-api.atera.com/Production 443 or8ixLi90Mf "syncprofile" 001Q300000QMzFeIAL
                2⤵
                • Drops file in System32 directory
                • Executes dropped EXE
                • Loads dropped DLL
                PID:2796
            • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
              "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
              1⤵
              • Drops file in Program Files directory
              • Executes dropped EXE
              • Modifies data under HKEY_USERS
              • Modifies system certificate store
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of WriteProcessMemory
              PID:2896
              • C:\Windows\System32\sc.exe
                "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
                2⤵
                • Launches sc.exe
                PID:2460
              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "a90a5ac0-15c5-489a-a5fc-7038252471fb" agent-api.atera.com/Production 443 or8ixLi90Mf "generalinfo" 001Q300000QMzFeIAL
                2⤵
                • Drops file in Program Files directory
                PID:2232
                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                  "powershell.exe" -NoProfile -File "C:\Windows\TEMP\Windows 11 Readiness.ps1"
                  3⤵
                  • Drops file in System32 directory
                  • Command and Scripting Interpreter: PowerShell
                  • Modifies data under HKEY_USERS
                  PID:6116
                • C:\Windows\System32\cmd.exe
                  "C:\Windows\System32\cmd.exe" /c cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                  3⤵
                    PID:816
                    • C:\Windows\system32\cscript.exe
                      cscript "C:\Program Files\Microsoft Office\Office16\ospp.vbs" /dstatus
                      4⤵
                      • Modifies data under HKEY_USERS
                      PID:5400
                • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "2395c645-0fb5-4d4f-8860-885cdec5c624" agent-api.atera.com/Production 443 or8ixLi90Mf "downloadifneeded" 001Q300000QMzFeIAL
                  2⤵
                    PID:3884
                    • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
                      "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe" -a "st-streamer://com.splashtop.streamer?rmm_code=hZCDFPhK75mJ&rmm_session_pwd=92b0cae0a78bf42c08526cbf2a820f27&rmm_session_pwd_ttl=86400"
                      3⤵
                      • System Location Discovery: System Language Discovery
                      PID:5088
                  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "0a9c5c83-92ce-44cf-95ea-5cdd3522dbcd" agent-api.atera.com/Production 443 or8ixLi90Mf "maintain" 001Q300000QMzFeIAL
                    2⤵
                    • Drops file in System32 directory
                    • Drops file in Program Files directory
                    • Modifies registry class
                    PID:5700
                  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "53334a8f-a490-496e-9326-52a15cc59c1d" agent-api.atera.com/Production 443 or8ixLi90Mf "pollAll" 001Q300000QMzFeIAL
                    2⤵
                    • Drops file in System32 directory
                    • Drops file in Program Files directory
                    PID:5516
                  • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                    "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "77b6dad2-b2d7-49ae-a547-448b28f99285" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QMzFeIAL
                    2⤵
                      PID:4220
                    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
                      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "56c9392a-7fc8-4c2f-a7b3-c1f43202f8ac" agent-api.atera.com/Production 443 or8ixLi90Mf "connect" 001Q300000QMzFeIAL
                      2⤵
                        PID:4376
                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "d810a1d4-eba1-40e1-a852-72f759aedad7" agent-api.atera.com/Production 443 or8ixLi90Mf "agentprovision" 001Q300000QMzFeIAL
                        2⤵
                        • Drops file in System32 directory
                        • Modifies data under HKEY_USERS
                        PID:5744
                      • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
                        "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "d4db5e64-41af-4af8-ad9d-5636ae8ace35" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIybWFpbnRlbmFuY2VcdTAwMjIsXHUwMDIyRW5hYmxlZFx1MDAyMjpmYWxzZSxcdTAwMjJSZXBlYXRJbnRlcnZhbE1pbnV0ZXNcdTAwMjI6MTAsXHUwMDIyRGF5c0ludGVydmFsXHUwMDIyOjEsXHUwMDIyUmVwZWF0RHVyYXRpb25EYXlzXHUwMDIyOjF9In0=" 001Q300000QMzFeIAL
                        2⤵
                          PID:5916
                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe
                          "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "2dc35372-4876-4db8-a12c-ae2a25c0808d" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBcmd1bWVudHMiOiJ7XHUwMDIyQ29tbWFuZE5hbWVcdTAwMjI6XHUwMDIyZ2V0LWluc3RhbGxlZC1zb2Z0d2FyZVx1MDAyMn0ifQ==" 001Q300000QMzFeIAL
                          2⤵
                            PID:6128
                          • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                            "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "203aa50f-956e-4d80-839e-cad8e4be241d" agent-api.atera.com/Production 443 or8ixLi90Mf "getlistofallupdates" 001Q300000QMzFeIAL
                            2⤵
                              PID:5608
                            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "331a288a-63f4-4c9c-8798-a1ad9795005a" agent-api.atera.com/Production 443 or8ixLi90Mf "monitor" 001Q300000QMzFeIAL
                              2⤵
                              • Writes to the Master Boot Record (MBR)
                              • Drops file in Program Files directory
                              PID:1316
                            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "d00fb3fb-f346-48c9-97e8-69c689188fbb" agent-api.atera.com/Production 443 or8ixLi90Mf "probe" 001Q300000QMzFeIAL
                              2⤵
                              • Drops file in System32 directory
                              PID:1572
                            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "5cca5ced-21a1-42df-a24b-1cefd086a551" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJBZENvbW1hbmRUeXBlIjo1LCJJbnN0YWxsYXRpb25GaWxlVXJsIjoiaHR0cHM6Ly9nZXQuYW55ZGVzay5jb20vOENRc3U5a3YvQW55RGVza19DdXN0b21fQ2xpZW50Lm1zaSIsIkZvcmNlSW5zdGFsbCI6ZmFsc2UsIlRhcmdldFZlcnNpb24iOiIifQ==" 001Q300000QMzFeIAL
                              2⤵
                              • Drops file in System32 directory
                              PID:372
                            • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                              "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "3bcddcd8-b470-4d92-b543-9e9022fcbd76" agent-api.atera.com/Production 443 or8ixLi90Mf "eyJDb21tYW5kTmFtZSI6Imluc3RhbGxkb3RuZXQiLCJEb3ROZXRWZXJzaW9uIjoiOC4wLjExIiwiTWFjQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzU1ZWIyYTQ5LTI1MjMtNDAyZS1iNjIzLTdhOTAxN2I4YmRlZi84Y2NkNDBhMjEzZWMyOTY0YWY0MTlmOWY3MjI2MzAyNy9kb3RuZXQtcnVudGltZS04LjAuMTEtb3N4LWFybTY0LnBrZyIsIk1hY1g2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci8zZjkyNmRkMi1kMjM0LTQzN2EtOGY2YS1lYTZkNzdjMzY4NGMvM2U4MzZhMzQ1YjEzNjA5MTcxM2E3NjliODdmMzQ5OTMvZG90bmV0LXJ1bnRpbWUtOC4wLjExLW9zeC14NjQucGtnIiwiV2luQVJNRG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByLzljZjYyYmI3LTAyZmEtNDA3Mi1iNzY1LTVlMDRhZDA4OTc4OC8zZjM0ZGQ1NjU5Zjk5MTcyYWVhN2M0Y2M5ZGM3YTk3NS9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLWFybTY0LmV4ZSIsIldpblg2NERvd25sb2FkVXJsIjoiaHR0cHM6Ly9kb3dubG9hZC52aXN1YWxzdHVkaW8ubWljcm9zb2Z0LmNvbS9kb3dubG9hZC9wci81M2U5ZTQxYy1iMzYyLTQ1OTgtOTk4NS00NWY5ODk1MTgwMTYvNTNjNWUxOTE5YmEyZmUyMzI3M2YyYWJhZmY2NTU5NWIvZG90bmV0LXJ1bnRpbWUtOC4wLjExLXdpbi14NjQuZXhlIiwiV2luWDg2RG93bmxvYWRVcmwiOiJodHRwczovL2Rvd25sb2FkLnZpc3VhbHN0dWRpby5taWNyb3NvZnQuY29tL2Rvd25sb2FkL3ByL2E4ZDFhNDg5LTYwZDYtNGU2My05M2VlLWFiOWM0NGQ3OGIwZC81NTE5Zjk5ZmY1MGRlNmUwOTZiYjFkMjY2ZGQwZTY2Ny9kb3RuZXQtcnVudGltZS04LjAuMTEtd2luLXg4Ni5leGUiLCJNYWNBUk1DaGVja3N1bSI6Im1kZUhHZFVWTllIM21IcW1FMGJMaG5mNUpqNWNVaUZvdHFVSUk3bXltVEZKTXkwYzNvNWZ2YlFJSFx1MDAyQlU4bHA2QVdWZllPeS9wbXFLREpZZ3lTN3gyNEE9PSIsIk1hY1g2NENoZWNrc3VtIjoiTUdaVmR6Z0xqbjlIWmFZU21OWi9oMDZibVNRWS9ZSVJQeTdhQzNkM0kveWtLTFx1MDAyQkNubmUweUtQd1h5TW9pSHpONEtqWGZIeGdwcW0wWHJuaDlNSE04Zz09IiwiV2luQVJNQ2hlY2tzdW0iOiJWMEs0bVZwbFx1MDAyQjkxd0FYMWlZWEZyV2EyTTdORldYSjAvT29KSjMzQklWRlV1WXRzSE14TUsydWxnaTdcdTAwMkJQc1QwY1paeFBORDlhZ2t0dWZXRnZwMDl0b1E9PSIsIldpblg2NENoZWNrc3VtIjoiM05UbUVqazRubEg2Tm5ra1RmS2N1L1E5M1FNRlZHUjUxa3hlSGFQQTlESXZZS0N2VmpkYUxUNEpVY2x6VkcyL2djQW1pXHUwMDJCVXlrYXJkV2piR1hEXHUwMDJCUUh3PT0iLCJXaW5YODZDaGVja3N1bSI6InREanNWcmljT3g4RkJ1TEFzUjFVTXd4d2tQUktLOHhVdURSVVQ0L0E1b3NrdjVKdE03UzFrejBuU2FFMXRzY2JtcDROeDZ3SUNPUmZxRkJINzNlUnF3PT0iLCJXb3Jrc3BhY2VJZCI6ImJmMGNlNDlkLTc3Y2YtNDcyMS1iZjcwLTU3Njg2MzgzYzlhYiIsIkxvZ05hbWUiOiJEb3ROZXRSdW50aW1lSW5zdGFsbGF0aW9uUmVwb3J0IiwiU2hhcmVkS2V5IjoialVJUy9UOUNSVkRlS3hZZzRVcjNhQ2hoV1F1Y1k3UFZ2d2cwekh1cUpzY3JUampRMkx3SzZVamZ1N2NBMk5wckFSMHIvU1JBWEpZWWxkUEtLRnlLS1E9PSJ9" 001Q300000QMzFeIAL
                              2⤵
                              • Downloads MZ/PE file
                              PID:5620
                              • C:\Windows\SYSTEM32\cmd.exe
                                "cmd.exe" /K "cd /d C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\" /
                                3⤵
                                • System Time Discovery
                                PID:5680
                                • C:\Program Files\dotnet\dotnet.exe
                                  dotnet --list-runtimes
                                  4⤵
                                  • System Time Discovery
                                  PID:2824
                              • C:\Program Files\dotnet\dotnet.exe
                                "C:\Program Files\dotnet\dotnet" --list-runtimes
                                3⤵
                                • System Time Discovery
                                PID:5536
                                • C:\Windows\System32\Conhost.exe
                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                  4⤵
                                    PID:1572
                              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "921d1502-0abd-478e-b397-7f163108b894" agent-api.atera.com/Production 443 or8ixLi90Mf "checkforupdates" 001Q300000QMzFeIAL
                                2⤵
                                • Modifies data under HKEY_USERS
                                PID:4688
                              • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "77b6dad2-b2d7-49ae-a547-448b28f99285" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QMzFeIAL
                                2⤵
                                  PID:6092
                                • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                  "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe" 60876dc5-6e0b-41bb-b3f3-fc8c8e1f3b59 "77b6dad2-b2d7-49ae-a547-448b28f99285" agent-api.atera.com/Production 443 or8ixLi90Mf "heartbeat" 001Q300000QMzFeIAL
                                  2⤵
                                    PID:4004
                                • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
                                  "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe"
                                  1⤵
                                  • Drops file in Program Files directory
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:5296
                                  • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe
                                    "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRManager.exe"
                                    2⤵
                                    • Drops file in System32 directory
                                    • Drops file in Program Files directory
                                    • Loads dropped DLL
                                    • System Location Discovery: System Language Discovery
                                    • Modifies data under HKEY_USERS
                                    • Suspicious behavior: EnumeratesProcesses
                                    PID:5308
                                    • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRServer.exe
                                      -h -t
                                      3⤵
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious use of SetWindowsHookEx
                                      PID:5740
                                    • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
                                      "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe"
                                      3⤵
                                      • Drops file in Program Files directory
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      • Suspicious behavior: EnumeratesProcesses
                                      PID:3332
                                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe
                                        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\BdEpSDK.exe" -v
                                        4⤵
                                          PID:2732
                                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe
                                        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAppPB.exe"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious behavior: EnumeratesProcesses
                                        • Suspicious use of SetWindowsHookEx
                                        PID:5788
                                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
                                        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        PID:5840
                                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe
                                          SRUtility.exe -r
                                          4⤵
                                          • System Location Discovery: System Language Discovery
                                          PID:5844
                                      • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe
                                        "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRVirtualDisplay.exe"
                                        3⤵
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:5784
                                        • C:\Windows\System32\cmd.exe
                                          "C:\Windows\System32\cmd.exe" /c "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\install_driver64.bat" nosetkey
                                          4⤵
                                            PID:3104
                                            • C:\Windows\system32\cmd.exe
                                              C:\Windows\system32\cmd.exe /c ver
                                              5⤵
                                                PID:816
                                              • C:\Windows\system32\sc.exe
                                                sc query ddmgr
                                                5⤵
                                                • Launches sc.exe
                                                PID:1988
                                              • C:\Windows\system32\sc.exe
                                                sc query lci_proxykmd
                                                5⤵
                                                • Launches sc.exe
                                                PID:2252
                                              • C:\Windows\system32\rundll32.exe
                                                rundll32 x64\my_setup.dll do_install_lci_proxywddm
                                                5⤵
                                                • Drops file in Windows directory
                                                • Checks SCSI registry key(s)
                                                • Modifies data under HKEY_USERS
                                                PID:1060
                                      • C:\Windows\system32\wbem\wmiprvse.exe
                                        C:\Windows\system32\wbem\wmiprvse.exe -Embedding
                                        1⤵
                                          PID:552
                                        • C:\Windows\system32\svchost.exe
                                          C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
                                          1⤵
                                          • Drops file in Windows directory
                                          • Checks SCSI registry key(s)
                                          PID:5636
                                          • C:\Windows\system32\DrvInst.exe
                                            DrvInst.exe "4" "1" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10\lci_iddcx.inf" "9" "4804066df" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\LciDisplay\win10"
                                            2⤵
                                            • Drops file in System32 directory
                                            • Drops file in Windows directory
                                            • Checks SCSI registry key(s)
                                            PID:640
                                          • C:\Windows\system32\DrvInst.exe
                                            DrvInst.exe "4" "1" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10\lci_proxywddm.inf" "9" "4a8a251e7" "0000000000000178" "WinSta0\Default" "000000000000017C" "208" "c:\program files (x86)\splashtop\splashtop remote\server\driver\lcidisplay\win10"
                                            2⤵
                                            • Drops file in System32 directory
                                            • Drops file in Windows directory
                                            • Checks SCSI registry key(s)
                                            • Modifies data under HKEY_USERS
                                            PID:5960
                                          • C:\Windows\system32\DrvInst.exe
                                            DrvInst.exe "2" "211" "ROOT\SYSTEM\0001" "C:\Windows\INF\oem4.inf" "oem4.inf:c276d4b8d1e66062:lci_proxywddm.Install:1.0.2018.1204:root\lci_proxywddm," "4a8a251e7" "0000000000000178"
                                            2⤵
                                            • Drops file in Drivers directory
                                            • Drops file in System32 directory
                                            • Drops file in Windows directory
                                            • Checks SCSI registry key(s)
                                            PID:1268
                                          • C:\Windows\system32\DrvInst.exe
                                            DrvInst.exe "1" "0" "LCI\IDDCX\1&79f5d87&0&WHO_CARE" "" "" "48ef22a9f" "0000000000000000"
                                            2⤵
                                            • Drops file in Drivers directory
                                            • Drops file in Windows directory
                                            • Checks SCSI registry key(s)
                                            PID:2232

                                        Network

                                        MITRE ATT&CK Enterprise v15

                                        Reconnaissance

                                        Resource Development

                                        Initial Access

                                        Execution

                                        Command and Scripting Interpreter

                                        1
                                        T1059

                                        PowerShell

                                        1
                                        T1059.001

                                        Persistence

                                        Event Triggered Execution

                                        2
                                        T1546

                                        Component Object Model Hijacking

                                        1
                                        T1546.015

                                        Installer Packages

                                        1
                                        T1546.016

                                        Pre-OS Boot

                                        1
                                        T1542

                                        Bootkit

                                        1
                                        T1542.003

                                        Privilege Escalation

                                        Event Triggered Execution

                                        2
                                        T1546

                                        Component Object Model Hijacking

                                        1
                                        T1546.015

                                        Installer Packages

                                        1
                                        T1546.016

                                        Defense Evasion

                                        Modify Registry

                                        1
                                        T1112

                                        Pre-OS Boot

                                        1
                                        T1542

                                        Bootkit

                                        1
                                        T1542.003

                                        Subvert Trust Controls

                                        1
                                        T1553

                                        Install Root Certificate

                                        1
                                        T1553.004

                                        System Binary Proxy Execution

                                        1
                                        T1218

                                        Msiexec

                                        1
                                        T1218.007

                                        Credential Access

                                        Discovery

                                        Peripheral Device Discovery

                                        2
                                        T1120

                                        Query Registry

                                        4
                                        T1012

                                        System Information Discovery

                                        3
                                        T1082

                                        System Location Discovery

                                        1
                                        T1614

                                        System Language Discovery

                                        1
                                        T1614.001

                                        System Network Configuration Discovery

                                        1
                                        T1016

                                        Internet Connection Discovery

                                        1
                                        T1016.001

                                        System Time Discovery

                                        1
                                        T1124

                                        Lateral Movement

                                        Collection

                                        Command and Control

                                        Exfiltration

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • C:\Config.Msi\e57e540.rbs
                                          Filesize

                                          8KB

                                          MD5

                                          96b698546ddbb23261eb2851bc834e41

                                          SHA1

                                          7af553979a3b8133591ed7454ef9b819af69964a

                                          SHA256

                                          aa6e5776efba9ce675734f8a1b4add1f6b9e2875c0fd3a498feca1fd00a2cced

                                          SHA512

                                          56bcba37e6fd51076818e2ee5cf058a7495d2a24e6fffcdcf9e05949a8180348356bdb1ae1ca09bc643a78d0ad635741854e2e1dbbebc78bd82b7b5359eddcd2

                                          Download Submit

                                        • C:\Config.Msi\e57e545.rbs
                                          Filesize

                                          74KB

                                          MD5

                                          9a90c373364a438c7fbcbbb000bfc347

                                          SHA1

                                          69067e53f83905e0bb8f71b1a9a266914f62c310

                                          SHA256

                                          81f79159e40ec43a96e87ce266761300122190bd9de6e4386f2c0acd7fa56c80

                                          SHA512

                                          a1c9c56ea0214d9b8cdbfd1e6e9a97f7207fcfda79523214e2cf22cc0eeb782b2be116650dfe976a491b84816219e1669dd35d52c826ca0b082d32cfef3ac2c6

                                          Download Submit

                                        • C:\Config.Msi\e57e547.rbs
                                          Filesize

                                          464B

                                          MD5

                                          cd1168a4caf47c2101964596f57301e6

                                          SHA1

                                          ce0715dda92650f6ad6ae0bca46172e081f550ea

                                          SHA256

                                          253696109be180d24f728bc4b44fef79e8a80c902d6d2469a48cb96e5070c49a

                                          SHA512

                                          2e889eff71816bee6b6952642fb9a39c4b52bac29bee3dd0e3f411c3256946e8f5f1ab980e524cbe04c955ff6a7ac29d9b540d28f70a75ea8479e1d7a18eac46

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
                                          Filesize

                                          142KB

                                          MD5

                                          477293f80461713d51a98a24023d45e8

                                          SHA1

                                          e9aa4e6c514ee951665a7cd6f0b4a4c49146241d

                                          SHA256

                                          a96a0ba7998a6956c8073b6eff9306398cc03fb9866e4cabf0810a69bb2a43b2

                                          SHA512

                                          23f3bd44a5fb66be7fea3f7d6440742b657e4050b565c1f8f4684722502d46b68c9e54dcc2486e7de441482fcc6aa4ad54e94b1d73992eb5d070e2a17f35de2f

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe.config
                                          Filesize

                                          1KB

                                          MD5

                                          b3bb71f9bb4de4236c26578a8fae2dcd

                                          SHA1

                                          1ad6a034ccfdce5e3a3ced93068aa216bd0c6e0e

                                          SHA256

                                          e505b08308622ad12d98e1c7a07e5dc619a2a00bcd4a5cbe04fe8b078bcf94a2

                                          SHA512

                                          fb6a46708d048a8f964839a514315b9c76659c8e1ab2cd8c5c5d8f312aa4fb628ab3ce5d23a793c41c13a2aa6a95106a47964dad72a5ecb8d035106fc5b7ba71

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\ICSharpCode.SharpZipLib.dll
                                          Filesize

                                          210KB

                                          MD5

                                          c106df1b5b43af3b937ace19d92b42f3

                                          SHA1

                                          7670fc4b6369e3fb705200050618acaa5213637f

                                          SHA256

                                          2b5b7a2afbc88a4f674e1d7836119b57e65fae6863f4be6832c38e08341f2d68

                                          SHA512

                                          616e45e1f15486787418a2b2b8eca50cacac6145d353ff66bf2c13839cd3db6592953bf6feed1469db7ddf2f223416d5651cd013fb32f64dc6c72561ab2449ae

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Newtonsoft.Json.dll
                                          Filesize

                                          693KB

                                          MD5

                                          2c4d25b7fbd1adfd4471052fa482af72

                                          SHA1

                                          fd6cd773d241b581e3c856f9e6cd06cb31a01407

                                          SHA256

                                          2a7a84768cc09a15362878b270371daad9872caacbbeebe7f30c4a7ed6c03ca7

                                          SHA512

                                          f7f94ec00435466db2fb535a490162b906d60a3cfa531a36c4c552183d62d58ccc9a6bb8bbfe39815844b0c3a861d3e1f1178e29dbcb6c09fa2e6ebbb7ab943a

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Availability\Agent.Package.Availability.exe
                                          Filesize

                                          146KB

                                          MD5

                                          8d477b63bc5a56ae15314bda8dea7a3a

                                          SHA1

                                          3ca390584cd3e11172a014784e4c968e7cbb18f5

                                          SHA256

                                          9eec91cdd39cbb560ad5b1d063df67088f412da4b851ae41e71304fb8a444293

                                          SHA512

                                          44e3d91ad96b4cb919c06ccb91d3c3e31165b2412e1d78bfbaca0bee6f0c1a3253b3e3ddf19009cebf12c261a0392f6a0b7091cf8aba1d0cc4c1ed61c1b6dc42

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Software\Agent.Package.Software.exe
                                          Filesize

                                          145KB

                                          MD5

                                          84a9f9fe8ceceea17c1e22c5afcdf65a

                                          SHA1

                                          4f2c2bfeb2273eae55f7ba738962de1c6f5717f0

                                          SHA256

                                          0e4d4c1ce8faad3c60b5fbe10f31ab2288305eefd47531f5dd785a4a294bf099

                                          SHA512

                                          a9a9f6b4c66864eca64eb92e961ce8d87e2bd68eb257d885f7d6b37980c8512e348e8c7741b792971dce5743a2fe4cf020378b7a4aff2df1ba441c82cf3d6947

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\Agent.Package.Watchdog\Agent.Package.Watchdog.exe
                                          Filesize

                                          145KB

                                          MD5

                                          2b9beb2fdbc41afc48d68d32ef41dd08

                                          SHA1

                                          4a9ea4cf8e02e34ef2dd0ef849ffc0cd9ea6f91c

                                          SHA256

                                          977d48979e30a146417937d7e11b26334edec2abddfae1369a9c4348e34857b1

                                          SHA512

                                          3e3c3e39ff2df0d1ed769e6c5acba6f7c5d2737d3c426fb4f0e19f3cf6c604707155917584e454a3f208524ed46766b7a3d2d861fa7419f8258c3b6022238e10

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageADRemote\AgentPackageADRemote.exe
                                          Filesize

                                          51KB

                                          MD5

                                          3180c705182447f4bcc7ce8e2820b25d

                                          SHA1

                                          ad6486557819a33d3f29b18d92b43b11707aae6e

                                          SHA256

                                          5b536eda4bff1fdb5b1db4987e66da88c6c0e1d919777623344cd064d5c9ba22

                                          SHA512

                                          228149e1915d8375aa93a0aff8c5a1d3417df41b46f5a6d9a7052715dbb93e1e0a034a63f0faad98d4067bcfe86edb5eb1ddf750c341607d33931526c784eb35

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.INI
                                          Filesize

                                          12B

                                          MD5

                                          1e065e191e89cc811ff49c96fa8fa5e6

                                          SHA1

                                          bc50ff2a20a8b83683583684fcac640a91689ed4

                                          SHA256

                                          d88faf6d47342587ea5fbcaf2ef88fb403f7fcdc08fcab67d4f4f381c237a61e

                                          SHA512

                                          5a710e168316c30ca10f7b126e870621f46cca6200e206a9984d144abd11fea045bc475599b18597bbed1e4f00e832d94576837f643b22ffaee56871629290dd

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
                                          Filesize

                                          247KB

                                          MD5

                                          aa5cf64d575b7544eefd77f256c4dc57

                                          SHA1

                                          bd23989db4f9af0aae34d032e817d802c06ca5a9

                                          SHA256

                                          79c5afd94d0ffa3519a90e691a6d47f9c2eec93277f7d369aa34e64b171fc920

                                          SHA512

                                          774aeb5188c536d556a8c7a0cd3dfd9ab22d7bc0ad13353d11c9153232585da352552a69eb967a741372a99db490df355a5a47696b2ea446582c834c963cfeff

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe.config
                                          Filesize

                                          546B

                                          MD5

                                          158fb7d9323c6ce69d4fce11486a40a1

                                          SHA1

                                          29ab26f5728f6ba6f0e5636bf47149bd9851f532

                                          SHA256

                                          5e38ef232f42f9b0474f8ce937a478200f7a8926b90e45cb375ffda339ec3c21

                                          SHA512

                                          7eefcc5e65ab4110655e71bc282587e88242c15292d9c670885f0daae30fa19a4b059390eb8e934607b8b14105e3e25d7c5c1b926b6f93bdd40cbd284aaa3ceb

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
                                          Filesize

                                          27KB

                                          MD5

                                          797c9554ec56fd72ebb3f6f6bef67fb5

                                          SHA1

                                          40af8f7e72222ba9ec2ea2dd1e42ff51dc2eb1bb

                                          SHA256

                                          7138b6beda7a3f640871e232d93b4307065ab3cd9cfac1bd7964a6bec9e60f49

                                          SHA512

                                          4f461a8a25da59f47ced0c0dbf59318ddb30c21758037e22bbaa3b03d08ff769bfd1bfc7f43f0e020df8ae4668355ab4b9e42950dca25435c2dd3e9a341c4a08

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageInternalPoller\AgentPackageInternalPoller.exe
                                          Filesize

                                          214KB

                                          MD5

                                          01807774f043028ec29982a62fa75941

                                          SHA1

                                          afc25cf6a7a90f908c0a77f2519744f75b3140d4

                                          SHA256

                                          9d4727352bf6d1cca9cba16953ebd1be360b9df570fd7ba022172780179c251e

                                          SHA512

                                          33bd2b21db275dc8411da6a1c78effa6f43b34afd2f57959e2931aa966edea46c78d7b11729955879889cbe8b81a8e3fb9d3f7e4988e3b7f309cbd1037e0dc02

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMarketplace\AgentPackageMarketplace.exe
                                          Filesize

                                          37KB

                                          MD5

                                          efb4712c8713cb05eb7fe7d87a83a55a

                                          SHA1

                                          c94d106bba77aecf88540807da89349b50ea5ae7

                                          SHA256

                                          30271d8a49c2547ab63a80bc170f42e9f240cf359a844b10bc91340444678e75

                                          SHA512

                                          3594955ad79a07f75c697229b0de30c60c2c7372b5a94186a705159a25d2e233e398b9e2dc846b8b47e295dcddd1765a8287b13456c0a3b3c4e296409a428ef8

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring.zip
                                          Filesize

                                          3.5MB

                                          MD5

                                          c841eadd1786b7a780b96c2a44351cc9

                                          SHA1

                                          bde0a8f67bd2b54678fc9a9135ed49821f75f212

                                          SHA256

                                          3749a43d5297ec2328ddd6af6708de29a5b66efde7423ff72706ab4ca92f56f0

                                          SHA512

                                          edbc3d526e32de1bf8b7ac6e35fb558b250c7026ec38d5af214dfd47f934375e99da775d3147ce641acd8e51e240df32177b825aa403a40af3291cbb56f3a6b1

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
                                          Filesize

                                          397KB

                                          MD5

                                          99f67d47a8dbdee98407885a1ac58e7c

                                          SHA1

                                          3cb9d10a8e6ed1acfa802045aca6e931ba7a8759

                                          SHA256

                                          0aa983060464d62b3da159e533769e8440612e3ec23fb8eff4fc52a0d79cc00e

                                          SHA512

                                          1a0779480bc3e268882d99206f621ea0feb9548df362f1920b793804fbbbf3fc530e263f0307f3cacbc8af54fd503f3f15b967a1464facd273c16bbbb56a27ab

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\package_2.db
                                          Filesize

                                          48KB

                                          MD5

                                          346ec21dc5001680d329883092150b6b

                                          SHA1

                                          5d93c0c508d910656ab04af9c476fda976242acb

                                          SHA256

                                          a02c122d749d03bee7fe62e736d149033e90b0010587295e9c8c32be3c03fda5

                                          SHA512

                                          f34860e8dc52393b34117d53a8e89569115537fd28371dfb62df8d896ef2076c409b763b2d2d6fd02dd25c3023428f7137ab92d98023b8808e6bb1a91e4d08b6

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageOsUpdates\AgentPackageOsUpdates.exe
                                          Filesize

                                          197KB

                                          MD5

                                          d0d21e16e57a1a73056eae228da1e287

                                          SHA1

                                          ab5a27b1d3d977a7f657d0acdf047067c625869f

                                          SHA256

                                          3db5809f23020f9988d5db0cf494f014a87b9dc1547cf804ae9d66667505a60c

                                          SHA512

                                          470bac3e691525ff6007293bac32198c0021a1411ba9d069f88f8603189b1617c2265fe6553c1f60ef788e69afcb8aa790714c59260b7c015a5be5b149222c48

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageRuntimeInstaller\AgentPackageRuntimeInstaller.exe
                                          Filesize

                                          54KB

                                          MD5

                                          77c613ffadf1f4b2f50d31eeec83af30

                                          SHA1

                                          76a6bfd488e73630632cc7bd0c9f51d5d0b71b4c

                                          SHA256

                                          2a0ead6e9f424cbc26ef8a27c1eed1a3d0e2df6419e7f5f10aa787377a28d7cf

                                          SHA512

                                          29c8ae60d195d525650574933bad59b98cf8438d47f33edf80bbdf0c79b32d78f0c0febe69c9c98c156f52219ecd58d7e5e669ae39d912abe53638092ed8b6c3

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote.zip
                                          Filesize

                                          333KB

                                          MD5

                                          745714d838c4d4f88c6e0db6a434f444

                                          SHA1

                                          90689ce709bf2464b678c7afa7b1e18f080d52bb

                                          SHA256

                                          e35302995dad1d5e4b7147d8763f7262500271cf01eac8edfa896b392ac7139f

                                          SHA512

                                          08cbfac0b604530108978c757ad8481c69ed62deac5520777bacee9751f3f260d2c3158609fd723819d8d6626c46b302fe7da7005efc09ab571871ac9d58a0ed

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
                                          Filesize

                                          70KB

                                          MD5

                                          e9b3a59f67febdd7f8fbe68d71c5d0ab

                                          SHA1

                                          22bd3ec3f8e0be2f317ade9d553acdb3ea11f52e

                                          SHA256

                                          bff4de54dacec104e1e63659857ca99d3e9658dcc09d6e1cbf54dc7b22629cbf

                                          SHA512

                                          00e95ea600777025a30e23c755522b869320ca445ac5bd74f123306457d0793efa338220cba9d064e5d25cc3dcf19d66e4e48d3a1c72d196eeb77fb61e4b0688

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageSystemTools\AgentPackageSystemTools.exe
                                          Filesize

                                          50KB

                                          MD5

                                          5bb0687e2384644ea48f688d7e75377b

                                          SHA1

                                          44e4651a52517570894cfec764ec790263b88c4a

                                          SHA256

                                          963a4c7863beae55b1058f10f38b5f0d026496c28c78246230d992fd7b19b70a

                                          SHA512

                                          260b661f52287af95c5033b0a03ac2e182211d165cadb7c4a19e5a8ca765e76fc84b0daf298c3eccb4904504a204194a9bf2547fc91039c3ec2d41f9977ff650

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageTicketing\AgentPackageTicketing.exe
                                          Filesize

                                          32KB

                                          MD5

                                          80eb4e033338fa114a4d010e9ce0b195

                                          SHA1

                                          f907ba4231bd21ac056375f23a36be648f5b2ba7

                                          SHA256

                                          b82e5dfecd3118dca11c86bf7829205fe3e5fcf0eeb57e1999e2fd2f9bd63d52

                                          SHA512

                                          26d4096f8c9652ea4e3920dc67144a082e069e22b85504f64f15b47f5106ef1df0601bdd7e0c34f4f534d920a520872847e6d57bc985f6e20636a26e0f7acb20

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageUpgradeAgent\AgentPackageUpgradeAgent.exe
                                          Filesize

                                          60KB

                                          MD5

                                          5c5c5f5be28276fb9a808d93eef71267

                                          SHA1

                                          e89938944bdf0cf7d91bc37ff1f129749f2989f9

                                          SHA256

                                          6ee89d62bde6c8656a70dfeb3665e96288dc3c77ea67e955ff041c6bef8065dc

                                          SHA512

                                          ee568509ba54c90c82423f36d7bf34407a34fd748df38871f53d4e35b28502d50fb2f6dddaf1e55c427c4ad99142a9e1e9b9763abbc2a8cee457af349df23f7b

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\Pubnub.dll
                                          Filesize

                                          588KB

                                          MD5

                                          17d74c03b6bcbcd88b46fcc58fc79a0d

                                          SHA1

                                          bc0316e11c119806907c058d62513eb8ce32288c

                                          SHA256

                                          13774cc16c1254752ea801538bfb9a9d1328f8b4dd3ff41760ac492a245fbb15

                                          SHA512

                                          f1457a8596a4d4f9b98a7dcb79f79885fa28bd7fc09a606ad3cd6f37d732ec7e334a64458e51e65d839ddfcdf20b8b5676267aa8ced0080e8cf81a1b2291f030

                                          Download Submit

                                        • C:\Program Files (x86)\ATERA Networks\AteraAgent\log.txt
                                          Filesize

                                          215B

                                          MD5

                                          f330b495fe62ccc91fb04ae7ce4d96b5

                                          SHA1

                                          8893a49559190949c47923ac5bd310736331e1d7

                                          SHA256

                                          902a448264b7a79779f982c7bb2f012f8dfd4f86c5589edbdbc8055b1809c430

                                          SHA512

                                          5c49af9ba000f366a1039e98d6a20570783cb6a45cac1e4f84aa24ca4cff25fa20aa3b5499b225988740cca4668dcc787b944b229ebb9f5e2ff8df2ae8689e1a

                                          Download Submit

                                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd.exe
                                          Filesize

                                          9KB

                                          MD5

                                          1ef7574bc4d8b6034935d99ad884f15b

                                          SHA1

                                          110709ab33f893737f4b0567f9495ac60c37667c

                                          SHA256

                                          0814aad232c96a4661081e570cf1d9c5f09a8572cfd8e9b5d3ead0fa0f5ca271

                                          SHA512

                                          947c306a3a1eec7fce29eaa9b8d4b5e00fd0918fe9d7a25e262d621fb3ee829d5f4829949e766a660e990d1ac14f87e13e5dbd5f7c8252ae9b2dc82e2762fb73

                                          Download Submit

                                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVAD\utils\DIFxCmd64.exe
                                          Filesize

                                          10KB

                                          MD5

                                          f512536173e386121b3ebd22aac41a4e

                                          SHA1

                                          74ae133215345beaebb7a95f969f34a40dda922a

                                          SHA256

                                          a993872ad05f33cb49543c00dfca036b32957d2bd09aaa9dafe33b934b7a3e4a

                                          SHA512

                                          1efa432ef2d61a6f7e7fc3606c5c982f1b95eabc4912ea622d533d540ddca1a340f8a5f4652af62a9efc112ca82d4334e74decf6ddbc88b0bd191060c08a63b9

                                          Download Submit

                                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon.exe
                                          Filesize

                                          76KB

                                          MD5

                                          b40fe65431b18a52e6452279b88954af

                                          SHA1

                                          c25de80f00014e129ff290bf84ddf25a23fdfc30

                                          SHA256

                                          800e396be60133b5ab7881872a73936e24cbebd7a7953cee1479f077ffcf745e

                                          SHA512

                                          e58cf187fd71e6f1f5cf7eac347a2682e77bc9a88a64e79a59e1a480cac20b46ad8d0f947dd2cb2840a2e0bb6d3c754f8f26fcf2d55b550eea4f5d7e57a4d91d

                                          Download Submit

                                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\Driver\STVideo\utils\devcon64.exe
                                          Filesize

                                          80KB

                                          MD5

                                          3904d0698962e09da946046020cbcb17

                                          SHA1

                                          edae098e7e8452ca6c125cf6362dda3f4d78f0ae

                                          SHA256

                                          a51e25acc489948b31b1384e1dc29518d19b421d6bc0ced90587128899275289

                                          SHA512

                                          c24ab680981d8d6db042b52b7b5c5e92078df83650cad798874fc09ce8c8a25462e1b69340083f4bcad20d67068668abcfa8097e549cfa5ad4f1ee6a235d6eea

                                          Download Submit

                                        • C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3
                                          Filesize

                                          96KB

                                          MD5

                                          1b2db2f6a82eb5a030cdd8a359429621

                                          SHA1

                                          e29837e9c2685212403f678bb51ba24ffec551e3

                                          SHA256

                                          cdcb67b72d4685bb72cb35bf214f8e7c49a6d88d28ecc490bcb467523b1e17c8

                                          SHA512

                                          87b3d26707770a211a40057d947cda8d6dc9e39cac5524d574584b7a7e58754a8f02396bfcdd842eea7a09751d98391277b0e8f3ccaf6eaaa7f616dc25f6fc1d

                                          Download Submit

                                        • C:\ProgramData\Splashtop\Splashtop Remote Server\Credential\5ae32e5515785fd5d2141ee06cafa587
                                          Filesize

                                          16KB

                                          MD5

                                          b2e89027a140a89b6e3eb4e504e93d96

                                          SHA1

                                          f3b1b34874b73ae3032decb97ef96a53a654228f

                                          SHA256

                                          5f97b3a9d3702d41e15c0c472c43bea25f825401adbc6e0e1425717e75174982

                                          SHA512

                                          93fc993af1c83f78fd991cc3d145a81ee6229a89f2c70e038c723032bf5ad12d9962309005d94cdbe0ef1ab11dc5205f57bcf1bc638ee0099fedf88977b99a19

                                          Download Submit

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                          Filesize

                                          471B

                                          MD5

                                          5a6ad86366d524d0c97575a793f9341a

                                          SHA1

                                          37c1d9a31181095aa815c91b174e7556dab24b06

                                          SHA256

                                          a8b872392b38fa5ab1b500a3c6636bace1beb21fe017a7a85cc018e643e82191

                                          SHA512

                                          a88fb5809703642704b333a68f5757fee28f0e42d387aea880a3382a2f320a32db0e5ab55a692b4d992df8ee52752646bb733b89042e80b496f5c5424168da0e

                                          Download Submit

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC
                                          Filesize

                                          727B

                                          MD5

                                          6498b81e536259e376affad98816dc4e

                                          SHA1

                                          4ce492a3d6b47b663ec9a111e6c9c600fe78d742

                                          SHA256

                                          4d59e8fd0e13f77745e95f28527c1fde5e9dc217c4eba4bc3d708d9311386b9c

                                          SHA512

                                          fdb75f84b07bd773895081d2e98bbd14efbcd052ec8746b297056ad728e4bbf01693499a19999c0a89b6b6abf63aa8a8c38637dc48c23665dcc4e391fe818903

                                          Download Submit

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                          Filesize

                                          727B

                                          MD5

                                          d39eae67869deeb84112085d89c9ed81

                                          SHA1

                                          2e96a6861bf3f56538522bb855f0cdc614e6bfb8

                                          SHA256

                                          34b726e85a86b363eab542888911a131e5bade3b5fab69ae747d4395f76c2462

                                          SHA512

                                          9d2348d0fdc1d50ee85be71f231c742ac0063145d0d57c88e0b5a62c13fd2c950be16b308a15f1fe7b699a2a54acff2cbe9a01562331656c0593b3caa2023490

                                          Download Submit

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB
                                          Filesize

                                          400B

                                          MD5

                                          fa35483d605d298ce41196b4e8dcd4fc

                                          SHA1

                                          c3bbf498a5e22575fd3d777e59ccb8665183d2c9

                                          SHA256

                                          d35233a9ed74bc6da82ecb00a001e3f01300fe9b24ce8e7a91d039c77ade738a

                                          SHA512

                                          6321d4c96ae45332b60a689d0f2abf69d75540d9530602e7b9939d463e5026a4fa408ced14e862537dfba7f47de3a9346ab25c821f8040278ad29e941fcb61a3

                                          Download Submit

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_93E8F0A6DF0B1F1414474691911362FC
                                          Filesize

                                          412B

                                          MD5

                                          694df2ffb24bc0948092358825c321d3

                                          SHA1

                                          a708620d8ac5df76ed9168301c80d651599c05e2

                                          SHA256

                                          83677aa445b8a45417291736d9833ac9dc0424dfaa7052d61632a60ffef21a65

                                          SHA512

                                          021af889e06b7bbc35e0b462695dc50349c4eecb8eada2b8d437530dc0c52fe0ea39975f832aefe47e91a6ba03e4805b9212493448307b7cf6fedb192b689826

                                          Download Submit

                                        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                          Filesize

                                          412B

                                          MD5

                                          f8905a96ec66d145fd5e4b1f9b3aecc6

                                          SHA1

                                          b2bdff63973574c5fe39d8e5c129ce34931cd00e

                                          SHA256

                                          d0e9f138d5c0e9887db7b84d174e2e398753b4348d8c0c4add3cc9ca55b48ca7

                                          SHA512

                                          b0ad35545357a5a3579cc6979422c3444d40796dda89c3926a4a81831bb261425fbf68e16571987db3c3960d258c61f431a09166c100d9276d701688a9977757

                                          Download Submit

                                        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rundll32.exe.log
                                          Filesize

                                          651B

                                          MD5

                                          9bbfe11735bac43a2ed1be18d0655fe2

                                          SHA1

                                          61141928bb248fd6e9cd5084a9db05a9b980fb3a

                                          SHA256

                                          549953bd4fc8acc868a9374ec684ebd9e7b23939adf551016f3433b642697b74

                                          SHA512

                                          a78c52b2ddc057dabf260eeb744b9f55eab3374ad96e1938a291d2b17f204a0d6e1aa02802de75f0b2cd6d156540d2ddee15e889b89d5e619207054df4c1d483

                                          Download Submit

                                        • C:\Windows\Installer\MSI80D2.tmp
                                          Filesize

                                          4.5MB

                                          MD5

                                          08211c29e0d617a579ffa2c41bde1317

                                          SHA1

                                          4991dae22d8cdc6ca172ad1846010e3d9e35c301

                                          SHA256

                                          3334a7025ff6cd58d38155a8f9b9867f1a2d872964c72776c9bf4c50f51f9621

                                          SHA512

                                          d6ae36a09745fdd6d0d508b18eb9f3499a06a7eeafa0834bb47a7004f4b7d54f15fec0d0a45b7e6347a85c8091ca52fe4c679f6f23c3668efe75a660a8ce917f

                                          Download Submit

                                        • C:\Windows\Installer\MSIE5EB.tmp
                                          Filesize

                                          509KB

                                          MD5

                                          88d29734f37bdcffd202eafcdd082f9d

                                          SHA1

                                          823b40d05a1cab06b857ed87451bf683fdd56a5e

                                          SHA256

                                          87c97269e2b68898be87b884cd6a21880e6f15336b1194713e12a2db45f1dccf

                                          SHA512

                                          1343ed80dccf0fa4e7ae837b68926619d734bc52785b586a4f4102d205497d2715f951d9acacc8c3e5434a94837820493173040dc90fb7339a34b6f3ef0288d0

                                          Download Submit

                                        • C:\Windows\Installer\MSIE5EB.tmp-\AlphaControlAgentInstallation.dll
                                          Filesize

                                          25KB

                                          MD5

                                          aa1b9c5c685173fad2dabebeb3171f01

                                          SHA1

                                          ed756b1760e563ce888276ff248c734b7dd851fb

                                          SHA256

                                          e44a6582cd3f84f4255d3c230e0a2c284e0cffa0ca5e62e4d749e089555494c7

                                          SHA512

                                          d3bfb4bd7e7fdb7159fbfc14056067c813ce52cdd91e885bdaac36820b5385fb70077bf58ec434d31a5a48245eb62b6794794618c73fe7953f79a4fc26592334

                                          Download Submit

                                        • C:\Windows\Installer\MSIE5EB.tmp-\Microsoft.Deployment.WindowsInstaller.dll
                                          Filesize

                                          179KB

                                          MD5

                                          1a5caea6734fdd07caa514c3f3fb75da

                                          SHA1

                                          f070ac0d91bd337d7952abd1ddf19a737b94510c

                                          SHA256

                                          cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

                                          SHA512

                                          a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

                                          Download Submit

                                        • C:\Windows\Installer\MSIE8F9.tmp-\CustomAction.config
                                          Filesize

                                          1KB

                                          MD5

                                          bc17e956cde8dd5425f2b2a68ed919f8

                                          SHA1

                                          5e3736331e9e2f6bf851e3355f31006ccd8caa99

                                          SHA256

                                          e4ff538599c2d8e898d7f90ccf74081192d5afa8040e6b6c180f3aa0f46ad2c5

                                          SHA512

                                          02090daf1d5226b33edaae80263431a7a5b35a2ece97f74f494cc138002211e71498d42c260395ed40aee8e4a40474b395690b8b24e4aee19f0231da7377a940

                                          Download Submit

                                        • C:\Windows\Installer\MSIE8F9.tmp-\Newtonsoft.Json.dll
                                          Filesize

                                          695KB

                                          MD5

                                          715a1fbee4665e99e859eda667fe8034

                                          SHA1

                                          e13c6e4210043c4976dcdc447ea2b32854f70cc6

                                          SHA256

                                          c5c83bbc1741be6ff4c490c0aee34c162945423ec577c646538b2d21ce13199e

                                          SHA512

                                          bf9744ccb20f8205b2de39dbe79d34497b4d5c19b353d0f95e87ea7ef7fa1784aea87e10efcef11e4c90451eaa47a379204eb0533aa3018e378dd3511ce0e8ad

                                          Download Submit

                                        • C:\Windows\Installer\MSIF198.tmp
                                          Filesize

                                          211KB

                                          MD5

                                          a3ae5d86ecf38db9427359ea37a5f646

                                          SHA1

                                          eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

                                          SHA256

                                          c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

                                          SHA512

                                          96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

                                          Download Submit

                                        • C:\Windows\Installer\e57e53f.msi
                                          Filesize

                                          2.9MB

                                          MD5

                                          8b6b0ec93209591b6f987b27b150f803

                                          SHA1

                                          dd64e5c25c9237b6a52f68dcc6a5777c83c5fef3

                                          SHA256

                                          768eaad977f0e47869a05f653895ef1c14b3c83905a91e2b8dc56b718e056de6

                                          SHA512

                                          0e892754f982114ab1d99bef288123563543c1010289f312f9b9e8c3abd8845c907ef665dc60dd744b3c840fe11c4546c1bee5bcbebeb67469cda4e3409e0a39

                                          Download Submit

                                        • C:\Windows\System32\DriverStore\Temp\{b711acd6-858c-3442-9523-5938fadf3104}\lci_iddcx.cat
                                          Filesize

                                          10KB

                                          MD5

                                          62458e58313475c9a3642a392363e359

                                          SHA1

                                          e63a3866f20e8c057933ba75d940e5fd2bf62bc6

                                          SHA256

                                          85620d87874f27d1aaf1743c0ca47e210c51d9afd0c9381fc0cd8acca3854562

                                          SHA512

                                          49fb8ca58aecf97a6ab6b97de7d367accb7c5be76fbcd324af4ce75efe96642e8c488f273c0363250f7a5bcea7f7055242d28fd4b1f130b68a1a5d9a078e7fad

                                          Download Submit

                                        • C:\Windows\System32\DriverStore\Temp\{b711acd6-858c-3442-9523-5938fadf3104}\lci_iddcx.inf
                                          Filesize

                                          4KB

                                          MD5

                                          1cec22ca85e1b5a8615774fca59a420b

                                          SHA1

                                          049a651751ef38321a1088af6a47c4380f9293fc

                                          SHA256

                                          60a018f46d17b7640fc34587667cd852a16fa8e82f957a69522637f22e5fe5cf

                                          SHA512

                                          0f24fe3914aef080a0d109df6cfac548a880947fb85e7490f0d8fa174a606730b29dc8d2ae10525dba4d1ca05ac9b190e4704629b86ac96867188df4ca3168bb

                                          Download Submit

                                        • C:\Windows\System32\DriverStore\Temp\{b711acd6-858c-3442-9523-5938fadf3104}\x64\lci_iddcx.dll
                                          Filesize

                                          52KB

                                          MD5

                                          01e8bc64139d6b74467330b11331858d

                                          SHA1

                                          b6421a1d92a791b4d4548ab84f7140f4fc4eb829

                                          SHA256

                                          148359a84c637d05c20a58f5038d8b2c5390f99a5a229be8eccbb5f85e969438

                                          SHA512

                                          4099e8038d65d95d3f00fd32eba012f55ae16d0da3828e5d689ef32e20352fdfcc278cd6f78536dc7f28fb97d07185e654fe6eee610822ea8d9e9d5af696dff5

                                          Download Submit

                                        • C:\Windows\System32\DriverStore\Temp\{e7905d72-adae-eb45-9767-aa926006b820}\lci_proxywddm.cat
                                          Filesize

                                          12KB

                                          MD5

                                          8e16d54f986dbe98812fd5ec04d434e8

                                          SHA1

                                          8bf49fa8e12f801559cc2869365f0b184d7f93fe

                                          SHA256

                                          7c772fb24326e90d6e9c60a08495f32f7d5def1c52037d78cbd0436ad70549cd

                                          SHA512

                                          e1da797044663ad6362641189fa78116cc4b8e611f9d33c89d6c562f981d5913920acb12a4f7ef6c1871490563470e583910045378bda5c7a13db25f987e9029

                                          Download Submit

                                        • C:\Windows\System32\DriverStore\Temp\{e7905d72-adae-eb45-9767-aa926006b820}\lci_proxywddm.inf
                                          Filesize

                                          2KB

                                          MD5

                                          0315a579f5afe989154cb7c6a6376b05

                                          SHA1

                                          e352ff670358cf71e0194918dfe47981e9ccbb88

                                          SHA256

                                          d10fa136d6ae9a15216202e4dd9f787b3a148213569e438da3bf82b618d8001d

                                          SHA512

                                          c7ce8278bc5ee8f8b4738ef8bb2c0a96398b40dc65eea1c28688e772ae0f873624311146f4f4ec8971c91df57983d2d8cdbec1fe98eaa7f9d15a2c159d80e0af

                                          Download Submit

                                        • C:\Windows\System32\DriverStore\Temp\{e7905d72-adae-eb45-9767-aa926006b820}\x64\lci_proxyumd.dll
                                          Filesize

                                          179KB

                                          MD5

                                          4dc11547a5fc28ca8f6965fa21573481

                                          SHA1

                                          d531b0d8d2f8d49d81a4c17fbaf3bc294845362c

                                          SHA256

                                          e9db5cd21c8d709a47fc0cfb2c6ca3bb76a3ed8218bed5dc37948b3f9c7bd99d

                                          SHA512

                                          bd0f0a3bbc598480a9b678aa1b35728b2380bf57b195b0249936d0eaaa014f219031a563f486871099bf1c78ccc758f6b25b97cfc5296a73fc60b6caff9877f6

                                          Download Submit

                                        • C:\Windows\System32\DriverStore\Temp\{e7905d72-adae-eb45-9767-aa926006b820}\x64\lci_proxyumd32.dll
                                          Filesize

                                          135KB

                                          MD5

                                          67ae7b2c36c9c70086b9d41b4515b0a8

                                          SHA1

                                          ba735d6a338c8fdfa61c98f328b97bf3e8e48b8b

                                          SHA256

                                          79876f242b79269fe0fe3516f2bdb0a1922c86d820ce1dd98500b385511dac69

                                          SHA512

                                          4d8320440f3472ee0e9bd489da749a738370970de07b0920b535642723c92de848f4b3d7f898689c817145ce7b08f65128abe91d816827aeb7e5e193d7027078

                                          Download Submit

                                        • C:\Windows\System32\DriverStore\Temp\{e7905d72-adae-eb45-9767-aa926006b820}\x64\lci_proxywddm.sys
                                          Filesize

                                          119KB

                                          MD5

                                          b9b0e9b4d93b18b99ece31a819d71d00

                                          SHA1

                                          2be1ad570f3ccb2e6f2e2b16d1e0002ca4ec8d9e

                                          SHA256

                                          0f1c64c0fa08fe45beac15dc675d3b956525b8f198e92e0ccac21d2a70ce42cf

                                          SHA512

                                          465e389806f3b87a544ab8b0b7b49864feeba2eeef4fb51628d40175573ed1ba00b26d6a2abebc74c31369194206ed31d32c68471dddcf817fdd2d26e3da7a53

                                          Download Submit

                                        • C:\Windows\Temp\B7C5EA94-B96A-41F5-BE95-25D78B486678-11-01-45.dat
                                          Filesize

                                          602B

                                          MD5

                                          6ae2e3b85dd404e53ffe3cec49750557

                                          SHA1

                                          9de4c26cb2ac5e771b8c7d2633fd79b6ad3d5306

                                          SHA256

                                          0877fb4c6e907ce6f3b56b5a3cfc1e9a52ea843b847f8ef1b82af5d723bd5a1d

                                          SHA512

                                          cd8da943964f916f2f0552ab7b0543f0616a500f818545ff2c1a584f05ac5e4c137ae8748c8a795209dee0c3584d94815064836cd11ac18e30bb3a39317f9e80

                                          Download Submit

                                        • C:\Windows\Temp\InstallUtil.log
                                          Filesize

                                          4KB

                                          MD5

                                          447b390e37ca7df6ecee45bb59659e02

                                          SHA1

                                          2ce434404761e4f62070055710c352e7797951fc

                                          SHA256

                                          ad531caca61603b5b0b3fb0b96e173a4ee1c9ea0cb00420350c3a270a3ff5d16

                                          SHA512

                                          8aad9db97c7e939538ed555f472fa72193e21158e2a469e7ce93606f0ab5a4d7b4f8ddd97b655ff10c7d357209e355f23d0f8112a701b1227558ef3531d5d13a

                                          Download Submit

                                        • C:\Windows\Temp\InstallUtil.log
                                          Filesize

                                          708B

                                          MD5

                                          9ec907d0ff9830a4cfe2fe3cb4c455da

                                          SHA1

                                          5a52308a37209bda5b18d0ef0420c44fb3b84ab6

                                          SHA256

                                          0c8a05cfc3a8d4737280fc5dac5a52bae29a549ce97e7b9c9331f948e8bea75c

                                          SHA512

                                          4fe0037c4a7d163ee2d5544cc2fde1038a4aec6c33583c19f60285c84d656b40182b7cb97a71d730d6e9be2a3e5fef624a6ce7346d511601a38e36bf779451b0

                                          Download Submit

                                        • C:\Windows\Temp\PreVer.log
                                          Filesize

                                          2KB

                                          MD5

                                          6271a745d23d1e578047bdfd81be4e79

                                          SHA1

                                          d4ce6304da701d5e18304efa453d5ab78a103916

                                          SHA256

                                          9facd98934ef3c6649ae323be4b20563c745b9f277961b50feae3da489e7743e

                                          SHA512

                                          f4c65c9db784e9569122e1a8e03765799dfe57b0f4d792163b7d5c72d8ff82ad6803491b24a5199ed9a942446229ed9c0ba0d72de069274b077f2ae7fc399dad

                                          Download Submit

                                        • C:\Windows\Temp\__PSScriptPolicyTest_wvgczo51.w52.ps1
                                          Filesize

                                          60B

                                          MD5

                                          d17fe0a3f47be24a6453e9ef58c94641

                                          SHA1

                                          6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                          SHA256

                                          96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                          SHA512

                                          5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                          Download Submit

                                        • C:\Windows\Temp\unpack.log
                                          Filesize

                                          2KB

                                          MD5

                                          6379c2d4f472b1c293a4c3e29a2f37d2

                                          SHA1

                                          d19dfa6060d376176e0f981bad17a00fd0041912

                                          SHA256

                                          001cdabb24da28193aa8f778bf117b4be38174b134d2f84b7da9444e7da138e7

                                          SHA512

                                          6bc6bca19078c02398dda9da0f53a3be179aa93544706c26461447bc4ae76399cb7405b161404cfd39539592868ea989b829b8ce465590ca6359318512268c41

                                          Download Submit

                                        • C:\Windows\Temp\unpack.log
                                          Filesize

                                          4KB

                                          MD5

                                          c3999d34e2946144c606bc13b8e2777b

                                          SHA1

                                          d045805a38f992a89d708d422f51cc9f3288b2de

                                          SHA256

                                          98a1f298599b29b5f3088a17ad35929b4afaeef0a42056a43b506735caee3f89

                                          SHA512

                                          fe0de571cf74124f95a31bb9e01f4002b0a162c44d1668590a5030e30fd32e35bef3301700345f2a7f3919628d481d13cc32f59003473b1273710ecce6cc4a20

                                          Download Submit

                                        • C:\Windows\Temp\unpack\PreVerCheck.exe
                                          Filesize

                                          3.2MB

                                          MD5

                                          2c18826adf72365827f780b2a1d5ea75

                                          SHA1

                                          a85b5eae6eba4af001d03996f48d97f7791e36eb

                                          SHA256

                                          ae06a5a23b6c61d250e8c28534ed0ffa8cc0c69b891c670ffaf54a43a9bf43be

                                          SHA512

                                          474fce1ec243b9f63ea3d427eb1117ad2ebc5a122f64853c5015193e6727ffc8083c5938117b66e572da3739fd0a86cd5bc118f374c690fa7a5fe9f0c071c167

                                          Download Submit

                                        • C:\Windows\Temp\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\IsConfig.ini
                                          Filesize

                                          571B

                                          MD5

                                          d239b8964e37974225ad69d78a0a8275

                                          SHA1

                                          cf208e98a6f11d1807cd84ca61504ad783471679

                                          SHA256

                                          0ce4b4c69344a2d099dd6ca99e44801542fa2011b5505dd9760f023570049b73

                                          SHA512

                                          88eb06ae80070203cb7303a790ba0e8a63c503740ca6e7d70002a1071c89b640f9b43f376ddc3c9d6ee29bae0881f736fa71e677591416980b0a526b27ee41e8

                                          Download Submit

                                        • C:\Windows\Temp\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\String1033.txt
                                          Filesize

                                          182KB

                                          MD5

                                          99bbffd900115fe8672c73fb1a48a604

                                          SHA1

                                          8f587395fa6b954affef337c70781ce00913950e

                                          SHA256

                                          57ceff2d980d9224c53a910a6f9e06475dc170f42a0070ae4934868ccd13d2dc

                                          SHA512

                                          d578b1931a8daa1ef0f0238639a0c1509255480b5dbd464c639b4031832e2e7537f003c646d7bd65b75e721a7ad584254b4dfa7efc41cf6c8fbd6b72d679eeff

                                          Download Submit

                                        • C:\Windows\Temp\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\_is6B58.exe
                                          Filesize

                                          179KB

                                          MD5

                                          7a1c100df8065815dc34c05abc0c13de

                                          SHA1

                                          3c23414ae545d2087e5462a8994d2b87d3e6d9e2

                                          SHA256

                                          e46c768950aad809d04c91fb4234cb4b2e7d0b195f318719a71e967609e3bbed

                                          SHA512

                                          bbec114913bc2f92e8de7a4dd9513bff31f6b0ef4872171b9b6b63fef7faa363cf47e63e2d710dd32e9fc84c61f828e0fae3d48d06b76da023241bee9d4a6327

                                          Download Submit

                                        • C:\Windows\Temp\{1BFDC91F-40D4-4AE9-BEA0-BA88681692D2}\setup.inx
                                          Filesize

                                          345KB

                                          MD5

                                          0376dd5b7e37985ea50e693dc212094c

                                          SHA1

                                          02859394164c33924907b85ab0aaddc628c31bf1

                                          SHA256

                                          c9e6af6fb0bdbeb532e297436a80eb92a2ff7675f9c777c109208ee227f73415

                                          SHA512

                                          69d79d44908f6305eee5d8e6f815a0fee0c6d913f4f40f0c2c9f2f2e50f24bf7859ebe12c85138d971e5db95047f159f077ae687989b8588f76517cab7d3e0d5

                                          Download Submit

                                        • C:\Windows\Temp\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\ISRT.dll
                                          Filesize

                                          427KB

                                          MD5

                                          85315ad538fa5af8162f1cd2fce1c99d

                                          SHA1

                                          31c177c28a05fa3de5e1f934b96b9d01a8969bba

                                          SHA256

                                          70735b13f629f247d6af2be567f2da8112039fbced5fbb37961e53a2a3ec1ec7

                                          SHA512

                                          877eb3238517eeb87c2a5d42839167e6c58f9ca7228847db3d20a19fb13b176a6280c37decda676fa99a6ccf7469569ddc0974eccf4ad67514fdedf9e9358556

                                          Download Submit

                                        • C:\Windows\Temp\{D176F15D-2937-4B7E-B9FB-44BEDAD09E80}\_isres_0x0409.dll
                                          Filesize

                                          1.8MB

                                          MD5

                                          befe2ef369d12f83c72c5f2f7069dd87

                                          SHA1

                                          b89c7f6da1241ed98015dc347e70322832bcbe50

                                          SHA256

                                          9652ffae3f5c57d1095c6317ab6d75a9c835bb296e7c8b353a4d55d55c49a131

                                          SHA512

                                          760631b05ef79c308570b12d0c91c1d2a527427d51e4e568630e410b022e4ba24c924d6d85be6462ba7f71b2f0ba05587d3ec4b8f98fcdb8bb4f57949a41743b

                                          Download Submit

                                        • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                          Filesize

                                          727B

                                          MD5

                                          1167bcb840f031161de408717b54bdce

                                          SHA1

                                          cc7efcf77db65f5192777492adf5b1b8968a1728

                                          SHA256

                                          9da91d23cdc033b7044075e32ae09312dfc7207fe3dbf537fd19703471d2f62b

                                          SHA512

                                          53e384e03b465b3f3aa8df7408fac93385434844cd57c34e89ffd4aff918fdb969a229a5d08f03805133c31fe209aae89b0e1c547157ff5550e1680e5716d1c7

                                          Download Submit

                                        • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_DEB07B5578A606ED6489DDA2E357A944
                                          Filesize

                                          404B

                                          MD5

                                          d474f6e4fc797036d4712320101d484d

                                          SHA1

                                          bd6a5f252e0c14b28b33ee92a8fbbfa750dd4ac4

                                          SHA256

                                          417995a5b2ac5b33d48a3b59f031e42d94e2518eb335c2249e7c7f73ef41462e

                                          SHA512

                                          3a38df81dbaf6aaf3d5ba3fc8bf459ea56342d441e985f3f6ec10f7a97e7e236da65a9024c004e53f19a970cb6a0d98e79d9742931aad2f72523f7b84a0fbd80

                                          Download Submit

                                        • C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
                                          Filesize

                                          412B

                                          MD5

                                          6b55c80fc866451f9f6d3f4b3d894507

                                          SHA1

                                          4ff7c903d4855dc2b0ee3b4bd0332d8ff7420fbd

                                          SHA256

                                          8c0f5893d755fc81e543098edae14504a151d84bad4b86a0603fbd830442625d

                                          SHA512

                                          7400f04410cca968a6a851057c325e8724cd9a76e24754e8408b921a4bc189e903c46797afd3b69062b5cbaebf0a98afcfab66faeb248405302e6998784ef58c

                                          Download Submit

                                        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                                          Filesize

                                          24.1MB

                                          MD5

                                          866f6333901e654c909c031777b1aee4

                                          SHA1

                                          46bbba8dd613727a257a8b508d40326576b4780b

                                          SHA256

                                          96927fdfd527bdab672d7693e6575aa009687c6e57c67f270006f98510a6a42f

                                          SHA512

                                          aa846725884cf196be68073b481ec4b912b84d6e1279c09d2bcbbcbd616a61140b896e8986779f69645c827b04d9ee99324bcc34a0ed2b2fcb1c3741b275bf9f

                                          Download Submit

                                        • \??\Volume{50c46ab9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{87407b09-66ea-4ad4-be7b-cde8d32f7133}_OnDiskSnapshotProp
                                          Filesize

                                          6KB

                                          MD5

                                          124d132d27c0b944f807f72a67ac4c94

                                          SHA1

                                          11a544c3c67408d7038c5d0762d192b4cfa31f3f

                                          SHA256

                                          b7011640428dcc89b1c0778fb20fb935177cf2a1907beb800337b115f08f8c27

                                          SHA512

                                          3aa0e9a35995a7ac0a2b639fcfd4e254fdab87d23bc8c8171362cc7468c26f0f20aeb02d3375a808a22e956156b5baa6dea91658b4a2271bc0bb8b6d8ff7984d

                                          Download Submit

                                        • memory/372-1886-0x000001A71D040000-0x000001A71D08A000-memory.dmp

                                          Filesize

                                          296KB

                                          Download

                                        • memory/372-1949-0x000001A735CD0000-0x000001A735D82000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/372-1932-0x000001A735BF0000-0x000001A735CCC000-memory.dmp

                                          Filesize

                                          880KB

                                          Download

                                        • memory/372-1950-0x000001A71D090000-0x000001A71D098000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/372-1889-0x000001A71CC60000-0x000001A71CC7C000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/372-1885-0x000001A71C7D0000-0x000001A71C7E0000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/552-111-0x0000000002CF0000-0x0000000002D56000-memory.dmp

                                          Filesize

                                          408KB

                                          Download

                                        • memory/1052-287-0x00000206F9310000-0x00000206F9352000-memory.dmp

                                          Filesize

                                          264KB

                                          Download

                                        • memory/1052-289-0x00000206FA480000-0x00000206FA530000-memory.dmp

                                          Filesize

                                          704KB

                                          Download

                                        • memory/1052-290-0x00000206F9CD0000-0x00000206F9CEC000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/1316-1987-0x0000022AE8D40000-0x0000022AE8D70000-memory.dmp

                                          Filesize

                                          192KB

                                          Download

                                        • memory/1316-2033-0x0000022AE8D40000-0x0000022AE8D70000-memory.dmp

                                          Filesize

                                          192KB

                                          Download

                                        • memory/1476-44-0x0000000002340000-0x000000000234C000-memory.dmp

                                          Filesize

                                          48KB

                                          Download

                                        • memory/1476-40-0x0000000002300000-0x000000000232E000-memory.dmp

                                          Filesize

                                          184KB

                                          Download

                                        • memory/1572-1849-0x0000014979180000-0x0000014979232000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/1572-1850-0x0000014979CC0000-0x0000014979D26000-memory.dmp

                                          Filesize

                                          408KB

                                          Download

                                        • memory/1572-1846-0x000001495FF40000-0x000001495FF50000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/1572-1848-0x0000014960300000-0x0000014960320000-memory.dmp

                                          Filesize

                                          128KB

                                          Download

                                        • memory/1572-1851-0x00000149607C0000-0x00000149607D4000-memory.dmp

                                          Filesize

                                          80KB

                                          Download

                                        • memory/2036-318-0x0000026C3B680000-0x0000026C3B732000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/2036-317-0x0000026C22540000-0x0000026C22556000-memory.dmp

                                          Filesize

                                          88KB

                                          Download

                                        • memory/2036-319-0x0000026C22EB0000-0x0000026C22ECC000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/2348-149-0x000001DE76400000-0x000001DE76428000-memory.dmp

                                          Filesize

                                          160KB

                                          Download

                                        • memory/2348-166-0x000001DE78260000-0x000001DE7829C000-memory.dmp

                                          Filesize

                                          240KB

                                          Download

                                        • memory/2348-165-0x000001DE781D0000-0x000001DE781E2000-memory.dmp

                                          Filesize

                                          72KB

                                          Download

                                        • memory/2348-161-0x000001DE78A20000-0x000001DE78AB8000-memory.dmp

                                          Filesize

                                          608KB

                                          Download

                                        • memory/2796-387-0x000001841EFB0000-0x000001841F018000-memory.dmp

                                          Filesize

                                          416KB

                                          Download

                                        • memory/2796-378-0x000001841EDA0000-0x000001841EDEC000-memory.dmp

                                          Filesize

                                          304KB

                                          Download

                                        • memory/2796-382-0x000001841F020000-0x000001841F0FC000-memory.dmp

                                          Filesize

                                          880KB

                                          Download

                                        • memory/2796-389-0x000001841F240000-0x000001841F27A000-memory.dmp

                                          Filesize

                                          232KB

                                          Download

                                        • memory/2796-386-0x00000184066C0000-0x00000184066C8000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2796-384-0x00000184066A0000-0x00000184066A8000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2796-379-0x000001841EDF0000-0x000001841EE38000-memory.dmp

                                          Filesize

                                          288KB

                                          Download

                                        • memory/2796-380-0x0000018406000000-0x0000018406008000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2796-381-0x00000184060F0000-0x00000184060FA000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/2796-388-0x000001841EF70000-0x000001841EF9A000-memory.dmp

                                          Filesize

                                          168KB

                                          Download

                                        • memory/2796-377-0x0000018405FD0000-0x0000018405FEC000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/2796-376-0x0000018406140000-0x000001840618A000-memory.dmp

                                          Filesize

                                          296KB

                                          Download

                                        • memory/2796-383-0x000001841F100000-0x000001841F1B2000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/2796-375-0x0000018405BC0000-0x0000018405C28000-memory.dmp

                                          Filesize

                                          416KB

                                          Download

                                        • memory/2796-385-0x00000184066B0000-0x00000184066B8000-memory.dmp

                                          Filesize

                                          32KB

                                          Download

                                        • memory/2796-390-0x000001841EF40000-0x000001841EF66000-memory.dmp

                                          Filesize

                                          152KB

                                          Download

                                        • memory/2896-423-0x00000208E9960000-0x00000208E9990000-memory.dmp

                                          Filesize

                                          192KB

                                          Download

                                        • memory/3332-2014-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/3332-1192-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/3332-1883-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/3332-2013-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/3332-1193-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/3332-1864-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/3332-1975-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/3332-1974-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/3384-81-0x0000000004D60000-0x00000000050B4000-memory.dmp

                                          Filesize

                                          3.3MB

                                          Download

                                        • memory/3384-80-0x0000000004C30000-0x0000000004C52000-memory.dmp

                                          Filesize

                                          136KB

                                          Download

                                        • memory/3384-77-0x0000000004CA0000-0x0000000004D52000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/3476-197-0x000001854B6C0000-0x000001854B6E2000-memory.dmp

                                          Filesize

                                          136KB

                                          Download

                                        • memory/3476-244-0x000001854BCC0000-0x000001854BCF8000-memory.dmp

                                          Filesize

                                          224KB

                                          Download

                                        • memory/3476-293-0x000001854B430000-0x000001854B460000-memory.dmp

                                          Filesize

                                          192KB

                                          Download

                                        • memory/3476-193-0x000001854B780000-0x000001854B832000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/4220-1748-0x000001A16B020000-0x000001A16B548000-memory.dmp

                                          Filesize

                                          5.2MB

                                          Download

                                        • memory/4220-1608-0x000001A151B70000-0x000001A151B8A000-memory.dmp

                                          Filesize

                                          104KB

                                          Download

                                        • memory/4220-1579-0x000001A1517B0000-0x000001A1517BA000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/4220-1638-0x000001A152130000-0x000001A1521E2000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/4436-349-0x0000017DA0150000-0x0000017DA029E000-memory.dmp

                                          Filesize

                                          1.3MB

                                          Download

                                        • memory/5088-1892-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5088-1858-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5088-1894-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5088-1863-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5308-1965-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5308-2115-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5308-2114-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5308-2051-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5308-1760-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5308-1750-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5308-1173-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5308-1172-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5308-2050-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5308-1964-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5516-1838-0x00000213E6A60000-0x00000213E6A70000-memory.dmp

                                          Filesize

                                          64KB

                                          Download

                                        • memory/5516-1741-0x00000213E6A70000-0x00000213E6AB8000-memory.dmp

                                          Filesize

                                          288KB

                                          Download

                                        • memory/5516-1522-0x00000213E5FD0000-0x00000213E600A000-memory.dmp

                                          Filesize

                                          232KB

                                          Download

                                        • memory/5516-1842-0x00000213FF200000-0x00000213FF228000-memory.dmp

                                          Filesize

                                          160KB

                                          Download

                                        • memory/5516-1735-0x00000213FF260000-0x00000213FF312000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/5516-1736-0x00000213E68C0000-0x00000213E68DC000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/5576-937-0x0000000010000000-0x0000000010114000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5576-1082-0x0000000010000000-0x0000000010114000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5576-1006-0x0000000010000000-0x0000000010114000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5576-516-0x0000000002F10000-0x00000000030D7000-memory.dmp

                                          Filesize

                                          1.8MB

                                          Download

                                        • memory/5576-940-0x0000000002F50000-0x0000000003117000-memory.dmp

                                          Filesize

                                          1.8MB

                                          Download

                                        • memory/5576-513-0x0000000010000000-0x0000000010114000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5576-1119-0x0000000010000000-0x0000000010114000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5576-547-0x0000000010000000-0x0000000010114000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5608-1740-0x000001B39A590000-0x000001B39A5DA000-memory.dmp

                                          Filesize

                                          296KB

                                          Download

                                        • memory/5608-1743-0x000001B3B2DE0000-0x000001B3B2DF8000-memory.dmp

                                          Filesize

                                          96KB

                                          Download

                                        • memory/5608-1763-0x000001B3B3110000-0x000001B3B31EC000-memory.dmp

                                          Filesize

                                          880KB

                                          Download

                                        • memory/5608-1762-0x000001B3B2F70000-0x000001B3B3022000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/5608-1739-0x000001B399BE0000-0x000001B399C14000-memory.dmp

                                          Filesize

                                          208KB

                                          Download

                                        • memory/5608-1749-0x000001B3B2E60000-0x000001B3B2EAA000-memory.dmp

                                          Filesize

                                          296KB

                                          Download

                                        • memory/5608-1765-0x000001B3B3030000-0x000001B3B3092000-memory.dmp

                                          Filesize

                                          392KB

                                          Download

                                        • memory/5608-1744-0x000001B39A580000-0x000001B39A58A000-memory.dmp

                                          Filesize

                                          40KB

                                          Download

                                        • memory/5608-1742-0x000001B39A560000-0x000001B39A57C000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/5608-1766-0x000001B3B2EF0000-0x000001B3B2F0C000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/5620-1951-0x000001BDDE1B0000-0x000001BDDE1C2000-memory.dmp

                                          Filesize

                                          72KB

                                          Download

                                        • memory/5700-1359-0x0000022DA9F60000-0x0000022DA9F78000-memory.dmp

                                          Filesize

                                          96KB

                                          Download

                                        • memory/5700-1358-0x0000022DA9AB0000-0x0000022DA9ABC000-memory.dmp

                                          Filesize

                                          48KB

                                          Download

                                        • memory/5700-1482-0x0000022DAA460000-0x0000022DAA480000-memory.dmp

                                          Filesize

                                          128KB

                                          Download

                                        • memory/5700-1360-0x0000022DAA520000-0x0000022DAA5D2000-memory.dmp

                                          Filesize

                                          712KB

                                          Download

                                        • memory/5740-2118-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5740-2117-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5740-1234-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5740-1231-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5740-2264-0x0000000071E90000-0x0000000071FAC000-memory.dmp

                                          Filesize

                                          1.1MB

                                          Download

                                        • memory/5740-2265-0x0000000071AC0000-0x0000000071E8D000-memory.dmp

                                          Filesize

                                          3.8MB

                                          Download

                                        • memory/5744-1672-0x0000027912CD0000-0x0000027912D1A000-memory.dmp

                                          Filesize

                                          296KB

                                          Download

                                        • memory/5744-1640-0x0000027912360000-0x000002791236C000-memory.dmp

                                          Filesize

                                          48KB

                                          Download

                                        • memory/5744-1734-0x0000027912CA0000-0x0000027912CBC000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/5744-1747-0x000002792B610000-0x000002792B6C0000-memory.dmp

                                          Filesize

                                          704KB

                                          Download

                                        • memory/5744-1761-0x000002792B7A0000-0x000002792B87C000-memory.dmp

                                          Filesize

                                          880KB

                                          Download

                                        • memory/5744-1764-0x000002792B5A0000-0x000002792B5BC000-memory.dmp

                                          Filesize

                                          112KB

                                          Download

                                        • memory/6116-1954-0x00000254D7DF0000-0x00000254D7F3E000-memory.dmp

                                          Filesize

                                          1.3MB

                                          Download